Physician practices step up data security budgets

The boosts are a result of federal mandates to conduct regular security assessments that help identify vulnerabilities.

Posted Dec. 31, 2012

Most health care organizations, including physician practices, have increased their privacy and security budgets during the past five years and are conducting risk assessments more frequently, according to a new survey from the Healthcare Information and Management Systems Society.

The HIMSS survey, which was conducted with the help of the MGMA-ACMPE, the professional organization for medical group practice managers, found that more than half of the organizations had increased their information technology budgets and resources because of federal initiatives. These include the meaningful use incentive program and the move to HIPAA 5010, a new standard that regulates electronic transmissions of specific health care transactions.

Even with the increase, 47% reported that their privacy and security budgets represented 3% or less of their overall information technology budget. The survey covered 335 organizations, 55% of which were physician practices.

Most respondents remained in the 1%-to-3% range, where they have been for the past four or five years, said Lisa Gallagher, senior director of privacy and security for HIMSS. But several organizations crept into the 4%-to-6% range.

Gallagher said that compared with other industries, which spend 5% to 8% of information technology budgets on security, the budgets of those in the survey are low. Any move upward is “the best we can expect,” she said.

Rob Tennant, senior policy adviser with MGMA-ACMPE, said there really is no set percentage that organizations should shoot for, because there is no one-size-fits-all formula. The most important thing, he said, is that the survey showed an increased emphasis on security.

The survey found that 77% of the organizations conduct a formal risk analysis to evaluate ways in which patient data might be put at risk. Although this number was consistent with survey results from 2008, which showed that 78% conducted a risk analysis, the frequency at which they are conducted has increased. Sixty-four percent conduct them on an annual basis, up from 54% that said they did them annually in 2008.

Not only are these security assessments required under federal regulations, including the new requirements for the Health Insurance Portability and Accountability Act that went into effect under the Health Information Technology for Economic and Clinical Health Act of 2009, but they also are necessary given the change to the health care landscape, Tennant said. Because more of medicine has gone mobile, there are more places where data are stored, and from where they potentially can be lost.

Gallagher said future surveys will parse out how outsourcing information technology needs may affect a practice's security budget. Many small practices don't have the resources to hire dedicated technology staff and tend to use cloud-based solutions, which means there are no in-house servers that need constant maintenance.

“If we are seeing significant outsourcing of IT functions … that may be affecting the budget in ways we don't understand,” Gallagher said.

Tennant said practices that outsource their technology needs should develop their own policies and procedures on privacy and security. That involves someone in the practice taking on the role of security officer.

Free resources are available online that help practices conduct their own risk analysis instead of hiring someone to do it for them. Budgets must include the purchase of systems that will keep data secure, such as encryption software, anti-malware software and firewalls.

64% of health care organizations conduct an annual risk analysis of patient data security.
