Health Information Technology Executives: Work Together on Security

A new survey shows that 96 percent of health information technology (HIT) executives think it is important to have a uniform way for verifying the security of sensitive healthcare information, and 85 percent think it is time for the industry to come together and develop a comprehensive framework that can provide that uniformity.

The survey, the first of an annual series commissioned by the Health Information Trust Alliance (HITRUST) and conducted by KRC Research, also shows that more than half of those surveyed are frustrated that there are no standardized practices for complying with HIPAA.

"The results of this survey confirm what we've known anecdotally for a long time," said Daniel Nutkis, CEO of HITRUST. "That there is a substantial need for a common security framework that is created by industry for industry and is therefore better able to quickly adapt to changes in technology and business practices as well as to constantly changing threats."

HIT leaders worry most about loss of customers' trust if their organization mishandled sensitive information. Minimizing the risk of information theft is the number one benefit that HIT executives think will result from adopting a common set of healthcare information standards and practices, and 77 percent believe a common set of standards and practices would make it easier to obtain necessary funding for information security from top management.

Although 82 percent believe that a common security framework would help their companies' efforts to secure electronic healthcare information, more than a third of HIT executives do not think there is enough cooperation yet to effectively implement a common set of information security standards, guidelines and practices.

As the volume of electronically shared healthcare information continues to skyrocket, two-thirds of HIT executives agree that a major security breach is inevitable if action is not taken in the security arena. Illustrating one potential cause of this fear: nearly half of executives are very confident in the security of their own companies, yet 74 percent have concerns that their business partners do not have sufficient information security measures in place. This criticism of external partners also supports the growing trend for organizations requiring information security audits of their trading partners.

"None of us wants to think that we're the 'weakest link' in the healthcare information supply chain," said Frank Grant, senior director, U.S. Healthcare at Cisco, which helped to fund the survey. "But, given the numerous different ways that companies store and exchange personal data, sensitive information is inevitably at a higher risk of being compromised, even if unintentionally. A standard framework will help to significantly mitigate that risk and provide healthcare executives with a guideline for more accurate self-assessment and third party accreditation."

Additionally, respondents expressed concerns if the federal government were to take a leadership role in the development of a common framework for securing sensitive healthcare information. These concerns included the government's insulation from market forces and worries about the bottom line. Other concerns included the government's late adoption of new technologies and its bad track record on securing data.

KRC Research conducted 150 telephone interviews with executives in the healthcare industry with IT security responsibilities between January 28 and February 15, 2008. The estimated margin of error among this audience is ±8 percentage points at the 95 percent confidence interval. The stratified sample included health care providers, health plans, pharmaceutical benefits managers, manufacturers of pharmaceuticals, biotech and medical supply or devices, wholesale distributor, retailer or mail order pharmacies and information networks, clearinghouse or data exchanges.

An executive summary and the full survey report are available online.