Health Organizations Increasingly Conduct Data Risk Analyses, HIMSS Survey Finds


The percentage of hospitals that conduct data risk analyses has consistently grown over the past five years, with about 90 percent of hospitals undertaking such activities in 2012, according to a Dec. 13 survey from the Healthcare Information and Management Systems Society.

Likewise, the number of hospitals conducting regular data risk analyses, defined as at least annually, has grown, according to the 5th Annual HIMSS Security Survey.

More than 70 percent of hospitals participating in the 2012 survey reported performing a risk analysis at least annually, compared to 54 percent in 2008.


When HIMSS first surveyed health care organizations in 2008 about data security risk mitigation efforts, most respondents were hospitals. However, a growing number of survey participants represent physician practices.

The rate of data risk analyses among physician practices was lower, at 65 percent, than among hospitals in 2012, according to the survey findings.

While hospitals and physician practices are more likely to conduct data risk analyses, fewer than half of respondents had tested their data breach response plan and about two-thirds had conducted audits of their IT security plans.

In both cases, hospitals were more likely than physician practices to have done the testing and audits.

The survey also found that health care organizations increasingly are giving patients electronic access to their data, but have done little over the past five years to increase their efforts to collect information in audit logs about patient access to electronic records. By contrast, most health care organizations have audit logs that collect information about clinicians and non-clinic employees who access electronic data.

Survey respondents reported, overall, having fewer medical identity theft cases involving their organizations in the past five years. In 2008, 20 percent of survey participants said they had at least one medical identity theft case, compared to 11 percent in 2012.

For the first time the survey asked about data breaches. About one-quarter of respondents said they had experienced a breach, with most involving fewer than 500 individuals. A majority of those organizations also said they notified patients about the breaches.

By Kendra Casey Plank

The survey is available at