Mar 3, 2008

DALLAS—March 3, 2008—A new survey shows that 96 percent of health information technology (HIT) executives think it is important to have a uniform way for verifying the security of sensitive healthcare information, and 85 percent think it is time for the industry to come together and develop a comprehensive framework that can provide that uniformity. The survey, the first of an annual series commissioned by the Health Information Trust Alliance (HITRUST) and conducted by KRC Research, also shows that more than half of those surveyed are frustrated that there are no standardized practices for complying with HIPAA.

“The results of this survey confirm what we’ve known anecdotally for a long time,” said Daniel Nutkis, CEO of HITRUST. “That there is a substantial need for a common security framework that is created by industry, for industry, and is therefore better able to quickly adapt to changes in technology and business practices as well as to constantly changing threats.”

HIT leaders worry most about loss of customers’ trust if their organization mishandled sensitive information. Minimizing the risk of information theft is the number one benefit that HIT executives think will result from adopting a common set of healthcare information standards and practices, and 77 percent believe a common set of standards and practices would make it easier to obtain necessary funding for information security from top management.

Although 82 percent believe that a common security framework would help their companies’ efforts to secure electronic healthcare information, more than a third of HIT executives do not think there is enough cooperation yet to effectively implement a common set of information security standards, guidelines and practices.

As the volume of electronically shared healthcare information continues to skyrocket, two-thirds of HIT executives agree that a major security breach is inevitable if action is not taken in the security arena. Illustrating one potential cause of this fear: nearly half of executives are very confident in the security of their own companies, yet 74 percent have concerns that their business partners do not have sufficient information security measures in place. This criticism of external partners also supports the growing trend for organizations requiring information security audits of their trading partners.

“None of us wants to think that we’re the ‘weakest link’ in the healthcare information supply chain,” said Frank Grant, Senior Director – U.S. Healthcare at Cisco, which helped to fund the survey. “But, given the numerous different ways that companies store and exchange personal data, sensitive information is inevitably at a higher risk of being compromised, even if unintentionally. A standard framework will help to significantly mitigate that risk and provide healthcare executives with a mutually agreed upon and accepted guideline for more accurate self-assessment and third party accreditation.”

Additionally, respondents expressed concerns if the federal government were to take a leadership role in the development of a common framework for securing sensitive healthcare information. These concerns included the government’s insulation from market forces and worries about the bottom line. Other concerns included the government’s late adoption of new technologies and its bad track record on securing data.

KRC Research conducted 150 telephone interviews with executives in the healthcare industry with IT security responsibilities between January 28 and February 15, 2008. The estimated margin of error among this audience is ±8 percentage points at the 95% confidence interval. The stratified sample included health care providers, health plans, pharmaceutical benefits managers, manufacturers of pharmaceuticals, biotech and medical supply or devices, wholesale distributor, retailer or mail order pharmacies and information networks, clearinghouse or data exchanges.

An executive summary and the full survey report are available at www.hitrustalliance.org. In addition, the survey results will be discussed in detail at the upcoming HITRUST Common Security Framework Summit on April 28 – 29, 2008. More information on the Summit and the HITRUST Common Security Framework is available at www.hitrustalliance.org/summit.

###

About HITRUST
The Health Information Trust Alliance (HITRUST), a private, independent company was created to establish a common security framework that will allow for more effective and secure access, storage and exchange of personal health information. HITRUST is bringing together a broad array of healthcare organizations and stakeholders, who are united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system. For more information on HITRUST and its programs, go to www.hitrustalliance.org.

About KRC Research
Headquartered in Washington, D.C., KRC Research is a leading non-partisan full-service communications research firm. The firm has worked for over 30 years on behalf of corporations, not-for-profits and governments, as well as the PR and marketing agencies that represent them. A unit of the Interpublic Group of Companies (NYSE: IPG), KRC offers the high quality and custom service of a small firm, plus the reach of a global organization. For more information, visit https://www.krcresearch.com.