Risk Analysis of e-Records is Spotty

Medical practices are far less likely than hospitals to conduct regular security risk assessments of their electronic health record systems, according to a new survey of health IT executives.

Three out of four survey respondents said their organization performs a risk assessment. Among medical practice respondents, 33 percent said they do not conduct a risk analysis, compared with 14 percent of hospital respondents, according to survey results released this month.

The findings of the annual security survey, conducted by the Healthcare Information and Management Systems Society (HIMSS), suggest that many practices have a lot of work ahead of them in order to qualify for federal "meaningful use" incentive funds. The meaningful use objectives require a regular security risk analysis, security updates and correction of identified security deficiencies as a condition of receiving the financial incentives, which are intended to offset the cost of acquiring and using electronic medical records.

"Meaningful use objectives are now in place, so hospitals and medical practices have an important new requirement that must be followed to ensure the protection of patient health information and achieve meaningful use," said Lisa Gallagher, HIMSS's senior director for privacy and security, in a news release. "As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct a risk analysis."

The percentage of healthcare organizations that lack security risk analysis procedures (25 percent) is similar to the 2009 survey findings, according to HIMSS. But this year's survey, sponsored by Intel and the Medical Group Management Association, includes more respondents from medical practices, which are less likely than hospitals to conduct risk analyses. For the overall rate to hold steady with a larger share of practice respondents, a larger proportion of hospitals must have risk analysis procedures in place than last year.

Other findings include:

  • About 17 percent of respondents in medical practices said they outsource security risk assessments, while none of the hospital respondents did.
  • More than half of hospital respondents said they use two or more types of controls to manage access to data, compared with 40 percent of respondents from practices.
  • Hospital respondents reported medical identity theft more often than practice respondents. About 38 percent of hospital respondents reported at least one case of medical identity theft, compared with 17 percent of practice respondents.

The online survey targeted chief information officers, chief security officers and other IT executives. One-fourth of the 272 respondents said they work for a medical practice.