Healthcare firms may not be prepared for HITECH

Bangalore: As implementation of the American Recovery and Reinvestment Act (ARRA) proceeds, healthcare organizations face new obligations to protect the privacy and security of patient health data. According to the 2009 Healthcare Information and Management Systems Society (HIMSS) Security Survey, sponsored by Symantec, responses gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet the HITECH (Health Information Technology for Economic and Clinical Health Act) components of the ARRA legislation, or other security challenges.

Although healthcare organizations recognize that patient data must be protected, the survey shows that their security budgets remain low. Many have no response plan for threats or a security breach, and many have no designated Chief Security Officer (CSO) or Chief Information Security Officer (CISO). The survey also finds that healthcare organizations are not using the security technologies currently available to keep patient data safe. Respondents widely collect audit logs, drawing on firewall, application and server logs as their common information sources, but only 25 percent report analyzing that log data electronically. They rely on firewalls and user access controls but are not deploying all available technologies to secure data: only 67 percent of responding organizations encrypt data in transit, and fewer than half encrypt stored data.

"Healthcare organizations are continually looking for ways to save money. One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to address these concerns," said David Finn, Health IT Officer, Symantec.

Other findings of the survey: approximately 60 percent of respondents reported that their organization spends three percent or less of its IT budget on information security, unchanged from the level identified in the 2008 study. Respondents rated the maturity of their security environment as mid-level, with an average score of 4.27 on a scale of one to seven. Fewer than half indicated that their organization has a formally designated CISO or CSO.

Regarding patient data access, the surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients or their surrogates to access electronic patient information.

Nearly all respondents reported that their organization actively works to determine the cause or origin of security breaches, yet only half have a plan in place for responding to threats or incidents related to a breach. About 85 percent of respondents monitor the success of their security controls, and two-thirds of these measure that success. About three-quarters of surveyed organizations conduct a formal risk analysis, unchanged from last year; three-quarters of those that did found patient data at risk due to inadequate security controls, policies and processes.

Nearly all respondents reported that their organizations share patient data electronically with state government entities. Fewer than half of these organizations (41 percent) indicated that these sharing arrangements resulted in additional security controls beyond those already in place, a figure also unchanged from last year. About one-third of respondents disclosed that their organization has had at least one known case of medical identity theft.

"Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies. IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery," said Lisa Gallagher, HIMSS Senior Director, Privacy and Security.