The boosts are a result of federal mandates to conduct regular security assessments that help identify vulnerabilities.
By Pamela Lewis Dolan
Most health care organizations, including physician practices, have increased their privacy and security budgets during the past five years and are conducting risk assessments more frequently, according to a new survey from the Healthcare Information and Management Systems Society.
The HIMSS survey, which was conducted with the help of the MGMA-ACMPE, the professional organization for medical group practice managers, found that more than half of the organizations had increased their information technology budgets and resources because of federal initiatives. These include the meaningful use incentive program and the move to HIPAA 5010, a new standard that regulates electronic transmissions of specific health care transactions.
Even with the increase, 47% reported that their privacy and security budgets represented 3% or less of their overall information technology budget. The survey covered 335 organizations, 55% of which were physician practices.
Most respondents remained in the 1%-to-3% range, where they have been for the past four or five years, said Lisa Gallagher, senior director of privacy and security for HIMSS. But several organizations crept into the 4%-to-6% range.
Gallagher said that compared with other industries, which spend 5% to 8% of information technology budgets on security, the budgets of those in the survey are low. Any move upward is “the best we can expect,” she said.
Ron Tennant, senior policy adviser with MGMA-ACMPE, said there really is no set percentage that organizations should shoot for, because there is no one-size-fits-all formula. The most important thing, he said, is that the survey showed an increased emphasis on security.
The survey found that 77% of the organizations conduct a formal risk analysis to evaluate ways in which patient data might be put at risk. Although this number was consistent with survey results from 2008, which showed that 78% conducted a risk analysis, the frequency at which they are conducted has increased. Sixty-four percent conduct them on an annual basis, up from 54% that said they did them annually in 2008.
Not only are these security assessments required under federal regulations, including the new requirements for the Health Insurance Portability and Accountability Act that went into effect under the Health Information Technology for Economic and Clinical Health Act of 2009, but they also are necessary given the change to the health care landscape, Tennant said. Because more of medicine has gone mobile, there are more places where data are stored, and from where they potentially can be lost.
Gallagher said future surveys will parse out how outsourcing information technology needs may affect a practice’s security budget. Many small practices don’t have the resources to hire dedicated technology staff and tend to use cloud-based solutions, which means there are no in-house servers that need constant maintenance.
“If we are seeing significant outsourcing of IT functions … that may be affecting the budget in ways we don’t understand,” Gallagher said.
Tennant said practices that outsource their technology needs should develop their own policies and procedures on privacy and security. That involves someone in the practice taking on the role of security officer.
Free resources are available online that help practices conduct their own risk analysis instead of hiring someone to do it for them. Budgets must include the purchase of systems that will keep data secure, such as encryption software, malware and firewalls.