Private Medical Practices Lag Behind Hospitals in Data Security; More Development Dangers Loom
According to the 2010 Healthcare Information and Management Systems Society (HIMSS)
Security Survey, sponsored by Intel and supported by the Medical Group
Management Association, 33 percent of medical practices said they did not
conduct a security risk analysis of their electronic health records, compared
with only 14 percent of hospitals. Overall, 75 percent of all respondents did
conduct a security risk analysis of their organizations. The survey also found
17 percent of medical practices outsourced their information security function;
none of the hospitals outsourced information security. Only 40 percent of
medical practices used multiple types of controls to manage data access,
compared to more than half of the hospitals surveyed. Medical practices were
less likely to report that an instance of medical identity theft had occurred
within their organization (17 percent), compared to those working for a
hospital (38 percent). Overall, 33 percent of respondents said their
organization had at least one known case of medical identity theft. The survey
polled 272 healthcare IT and security professionals, with one-quarter of them
working for medical practices and the rest working in hospitals.
In unrelated news, an Informatica-sponsored study conducted by the Ponemon
Institute surveyed 437 senior IT professionals in the financial services
industry whose firms have been engaged in application testing and development
in order to better understand if the risk of using real data in development is
being addressed. An overlooked privacy risk is the vulnerability of personal
and business information used for testing and application development. During
the test and development phase of new software, real data — including financial
records, transactional records, and other personally identifiable information
(PII) — is being used by as many as 80 percent of organizations. Further, test
environments are less secure because data is exposed to a variety of
unauthorized sources, including in-house testing staff, consultants, partners
and offshore development personnel. The study found security decision-making
may be motivated more by achieving business objectives than by addressing data
security risks. Given the potential for heavy fines and penalties, customer
churn, reputation damage, and overall costs associated with a data breach,
financial services firms should proceed with great caution before outsourcing
to third parties. This should include a vigorous evaluation of prospective
partners’ security policies and procedures, and implementation of detailed
contractual provisions.
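The Ponemon finding above is that production records, PII included, flow unchanged into test and development environments where contractors, offshore developers and in-house testers can read them. The usual control is to mask the extract before it leaves production. The following is an added example, not code from the page or from either study, showing one way to do that: each PII field is replaced by a keyed, one-way pseudonym (HMAC-SHA256 under a key that stays in production) so the same customer still maps to the same token across rows and tables, numeric fields keep their format (a 3-2-4 SSN, a 16-digit Luhn-valid card number) so application validators still pass, and a final check confirms that no original value survives in the output. The customer rows and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample extract standing in for a production table; not real people.
PRODUCTION_EXTRACT = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "balance": 2500.75},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "card": "5500000000000004", "balance": -120.00},
    # Same customer as the first row: masking must map it to identical tokens.
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "balance": 2600.00},
]

PII_FIELDS = ("name", "email", "ssn", "card")


def _token(value: str, key: bytes) -> bytes:
    """Keyed one-way token for a PII value. Same input and key give the same
    token, so joins and duplicate rows survive masking; without the key the
    token can be neither reversed nor recomputed by whoever holds the test copy."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def _digits(value: str, key: bytes, n: int) -> str:
    """Derive n decimal digits from the token, for fields with numeric formats."""
    return str(int.from_bytes(_token(value, key), "big") % (10 ** n)).zfill(n)


def _luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and _luhn_check_digit(number[:-1]) == number[-1]


def mask_record(rec: dict, key: bytes) -> dict:
    """Copy of rec with every PII field replaced by a format-preserving pseudonym.
    Non-PII fields (ids, balances) are kept so the test data stays realistic."""
    out = dict(rec)
    out["name"] = "Customer " + _token(rec["name"], key).hex()[:8]
    # .invalid is reserved (RFC 2606), so test mail can never reach a real mailbox.
    out["email"] = _token(rec["email"], key).hex()[:12] + "@example.invalid"
    d = _digits(rec["ssn"], key, 9)
    out["ssn"] = f"{d[:3]}-{d[3:5]}-{d[5:]}"
    # Leading 9 is outside the prefixes used by the major card brands; 15 digits
    # plus a Luhn check digit gives a 16-digit number that passes format checks.
    body = "9" + _digits(rec["card"], key, 14)
    out["card"] = body + _luhn_check_digit(body)
    return out


def mask_extract(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaked_values(original: list, masked: list) -> set:
    """Every original PII value that still appears anywhere in the masked output.
    Run this before the extract is handed to a test or development environment."""
    haystack = " ".join(str(v) for r in masked for v in r.values())
    return {r[f] for r in original for f in PII_FIELDS if r[f] in haystack}


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice: a secret held only in production
    masked = mask_extract(PRODUCTION_EXTRACT, key)
    for row in masked:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_EXTRACT, masked))
```

The key is the whole point of using HMAC rather than a plain hash: with an unkeyed hash, anyone holding the test copy could hash a candidate SSN or card number and confirm whether it is in the set, which is the same exposure the study describes. Keep the key in production, rotate it per extract if referential integrity across extracts is not needed, and treat `leaked_values` returning anything other than an empty set as a release blocker.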