According to a new survey of IT executives, IT security spending in the healthcare industry remains low, despite federal incentives to convert patient information to electronic healthcare records (EHR), and the security provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH).
Security still accounts for 3% or less of overall IT spending in a substantial majority of healthcare organizations, virtually unchanged from last year, according to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS). More than one-fifth of the 196 respondents (mostly CIOs and CSOs) of the "2009 HIMSS Security Survey" said security accounted for less than 1% of their budget.
"The IT spend in healthcare tends to be lower than in most other industries," said David Finn, health IT officer for Cupertino, Calif.-based Symantec Corp., which sponsored the survey.
The HITECH Act has earmarked $19.2 billion of the $787 billion federal economic stimulus package in incentives to encourage EHR conversions. In addition, organizations are required to notify individuals and the Department of Health and Human Services of security breaches of patient health information -- and the media if more than 500 residents of the same state are affected.
Finn said he was surprised at the continued low level of security spending. He said the weak economy may be one factor, but another is that healthcare organizations are putting more money and IT resources into their EHR conversion rather than security.
"The pressure is to get EMR in place and electronic data exchanges running so you will be eligible for the financial incentives," he said, "knowing you will have to wrestle with the privacy and security issues at some point."
The report concluded that, despite the regulatory pressures and growing security risks, healthcare organizations made relatively little change between 2008 and 2009 in a number of important security policy, process and technology areas. Nevertheless, and the low spending rates notwithstanding, the survey shows evidence that many organizations are implementing good security practices. For example, almost all the respondents collect and analyze audit logs. More than 80% of these review firewall logs, and more than two-thirds monitor IDS and application logs.
In addition, more than half of the organizations conduct a formal risk analysis at least once a year. A large majority use these analyses to determine where they need to shore up security controls and monitor the success of the controls that are in place. On the negative side, while almost all said they investigate security incidents, only about half have an incident response plan in place.
The survey showed some investment in security technologies beyond firewalls and user access controls. Adoption of encryption varied by use: 35% of respondents encrypt mobile devices, while 67% encrypt data in transit. Two-thirds of the healthcare organizations use intrusion detection/prevention systems, and about a quarter have some form of data leak prevention in place.