I’m not exactly an innocent flower, I wasn’t born yesterday and I didn’t just fall off the turnip truck.
Still, I have to say that I was a bit surprised and disheartened by the news that popped into my inbox yesterday. It seems that despite having countless reasons to do so — including, of course, the rollout of new EMRs — hospitals haven’t cleaned up their security act much.
According to a new article in Information Week, HIMSS research shows that less than half of hospitals are doing an annual security risk assessment.
The story, which cites a new report from consulting firm CSC, notes that under both Stage 1 Meaningful Use rules and proposed Stage 2 rules, hospitals need to conduct annual risk checks and fix any problems they find.
And then, it reminds us, there are also tougher HIPAA security requirements on the way, which are likely to require such assessments, as well as demanding new security breach notifications and extension of security requirements to business associates.
But according to HIMSS data cited in the story, only 47 percent of hospitals currently conduct such annual risk assessments, and 58 percent of HIMSS survey respondents didn’t have a single staff member dedicated to security.
Now, as writer Ken Terry appropriately notes, it’s not that data security isn’t on hospitals’ radar. When HIMSS surveyed CIOs for its 2011 Leadership Survey, it found that 30 percent said that complying with HIPAA and CMS regs was their biggest security issue.
Still, it seems to me that hospitals are skating on thin ice. What I see in these numbers is IT leaders who are in “hope and pray” mode where data security is concerned, an irresponsible position at best.
Yes, I know, security professionals are hard to find and expensive to retain. I realize that simply maintaining and implementing health IT systems is more challenging than ever in the post-EMR environment. And of course, I realize that virtually all hospitals do have meaningful security measures in place, even if you aren’t checking in on them as often as you’d like.
That being said, I doubt your hospital is ready to pay the price of a security breach, particularly in an era where the costs include possible CMS sanctions, fines, a public relations nightmare — plus, quite possibly, a heck of a lot of backtracking and hasty patching of systems. Compared with what an EMR breach could cost, spending even $100K a year for a security specialist is peanuts for all but the smallest players.
I sincerely hope hospital CIOs get in gear quickly on this issue. If I can hardly believe what I’m reading, the feds aren’t going to be too forgiving either.