HIMSS survey shows health IT organizations not ready for security compliance

The results of a survey conducted recently by HIMSS and Symantec and reported out this week suggest that a majority of healthcare organizations are not yet able to comply with security and privacy requirements and standards, including those included in the HITECH Act. Interesting findings include the fact that fewer than half of the 196 health IT professionals surveyed work for companies that have a formally designated chief information security officer (federal agencies are required to have such a position under FISMA, but there is no such requirement for private sector organizations), and a similar number have no plans or capabilities for responding to security incidents if they occur.

No less surprising but still of concern is the apparent choice of about a third of the organizations represented by survey respondents to implement available security technology such as encryption of data in transit. The use of encryption for stored data is still not widespread, which is probably to be expected given the small percentage of health technology vendors who offer this capability (it is of course available in most modern database management systems, but the applications must be able to work with the encryption features of the DBMS). This particular issue has gained greater visibility since the passage of the HITECH Act and the implementation of the personal health data breach notification rules, both of which provide an exception to disclosure requirements if the data subject to a breach is unreadable, unusable, or otherwise indecipherable — in other words, encrypted.