Security is the number-one area of investment for health IT departments in 2015, according to TechTarget’s annual health IT purchasing intentions survey (infographic).
The survey reached 347 IT professionals in hospitals, insurance providers, and other healthcare organizations to ask how they plan to spend their money.
Though not a scientific poll, the data provide a good indication of where health IT pros will invest this year.
Here’s what they said:
Health IT security is a priority
Security topped the list of investment priorities. Nearly half (46%) of respondents said they plan to buy new or upgraded security technology in 2015.
For those planning to spend on security, their top areas of concern are listed in the chart below.
One of the many reasons for this emphasis is the increasing number of security breaches in health IT.
In February, health insurance provider Anthem (formerly WellPoint) notified its members of a major data breach on its systems. Affecting up to 80 million records, it’s the largest attack in the industry’s history, according to the New York Times.
Hackers are targeting hospitals, insurers, and other healthcare groups due to the high value of their data on the black market, according to the Times. Attacks on healthcare networks are expected to rise this year.
Security concerns: authentication
Authentication is the number-one security concern, cited by 55% of respondents who will spend on security. This is likely due to HIPAA compliance challenges as well as health IT security in general.
HIPAA requires organizations to authenticate electronic protected health information (ePHI) to ensure it has not been inappropriately altered or destroyed. This can be done with checksum verification or digital signatures (you can learn more in this compliance guide).
HIPAA also requires authentication of people and entities who access ePHI. This is to ensure that those who access the data are who they claim to be.
According to the HIPAA Security Series from the Department of Health and Human Services, a covered entity has several options for authentication:
- Require something known only to an individual, such as a password.
- Require something the individual possesses, such as a card, token, or key.
- Require something biometrically unique to the individual, such as a thumbprint.
Security concerns: encryption
More than half or respondents (53%) also cited encryption as a major concern in health IT security.
HIPAA does not require organizations to encrypt sensitive data, but it does encourage the practice. Some have criticized the lack of a requirement as increasing exposure to threats like hackers.
Given the recent data breaches at major healthcare organizations, it’s not too surprising that IT departments are thinking beyond HIPAA compliance to secure their data.
Some have even suggested that encryption may have helped prevent Anthem’s record-breaking data breach had it been in place. Others, however, said encryption would not have helped in Anthem’s case since the information was accessed with stolen user credentials.
Security focus extends to mobile
Mobile technology in healthcare is exploding and health IT teams are continuing to invest.
For those who are buying, mobile apps topped the list of areas of focus with 69% of respondents. Mobile devices are another key focus with two-thirds of respondents looking there.
In a separate HIMSS survey from last year, 69% of providers said they use a mobile device to view patient information and 36% use mobile technology to collect data at the bedside.
The growth in mobile technology and use is increasing exposure of ePHI to security threats. This, in turn, drives greater investments in mobile security.
Among respondents to the TechTarget survey who plan to invest in mobile technology, 61% say mobile security is a focus for their 2015 investments.
Top 5 Health IT Investment Areas for 2015 – TechTarget