The Security of Electronic Health Information Survey

Upload: loglogic

Post on 18-Nov-2014

Category: Technology

DESCRIPTION

A new study reveals that the push for Electronic Medical Records puts patient privacy at risk. The Ponemon Institute and LogLogic surveyed hospital security professionals and found that 70% say their senior management fails to prioritize privacy and data security.

TRANSCRIPT

Page 1: The Security of Electronic Health Information Survey

The Security of Electronic Health Information Survey

Page 2: The Security of Electronic Health Information Survey

Security of Electronic Health Information

Sponsored by LogLogic

Presented by Dr. Larry Ponemon

Webinar: September 30, 2009

Page 3: The Security of Electronic Health Information Survey

About the study

• The purpose of the study is to determine from IT security practitioners in healthcare organizations how secure they believe electronic patient health records are – especially those records stored in databases.

Page 4: The Security of Electronic Health Information Survey

The survey addressed the following topics

• The adequacy of the organization’s approach to the security of health information.

• Senior management’s views about the importance of securing health information.

• How electronic health information is used by the organization.

• The database applications that cause the most risk to health information and the difficulty in securing health information in databases.

• Steps taken to secure health information in databases and their effectiveness.

• The impact of compliance on the security of electronic health information.

Page 5: The Security of Electronic Health Information Survey

How is the above electronic health information used by your organization?

The top five uses

[Bar chart. Bar values in the order they appear on the slide: 67%, 60%, 58%, 54%, 53%. Category labels in the order they appear: Billing & payments; Insurance verification; Marketing & communications; Patient relations; Patient care (clinical).]

Page 6: The Security of Electronic Health Information Survey

What kinds of database applications cause the most risk to electronic health information?

[Bar chart. Bar values in the order they appear on the slide: 1.9, 2.5, 1.6. Category labels in the order they appear: Administrative applications such as patient scheduling systems; Business applications such as billing and insurance processing; Clinical applications such as physician notes, prescriptions or diagnostic reports.]

Each bar represents the average ranking where 3 = highest risk and 1 = lowest risk.

Page 7: The Security of Electronic Health Information Survey

How would you rate the effectiveness of the above mentioned data security measures you have in-place for securing electronic health information in databases?

[Bar chart. Bar values in the order they appear on the slide: 19%, 24%, 25%, 24%, 9%. Response labels in the order they appear: Very effective; Effective; Somewhat effective; Not effective; Unsure.]

Page 8: The Security of Electronic Health Information Survey

How many of the above data breaches experienced by your organization involved electronic health information stored in a database?

[Bar chart. Bar values in the order they appear on the slide: 33%, 19%, 16%, 10%, 8%, 5%, 9%. Response labels in the order they appear: More than 90%; 75% to 90%; 50% and 74%; 25% and 49%; 10 and 24%; Less than 10%; None.]

Page 9: The Security of Electronic Health Information Survey

If your organization had a data breach involving the loss or theft of patient health information (say 1,000 or more records), what would this incident cost your company on a per lost record basis?

[Bar chart. Bar values in the order they appear on the slide: 6%, 9%, 19%, 30%, 10%, 3%, 12%. Response labels in the order they appear: Less than $50; $50 to $100; $101 to $150; $151 to $200; $201 to $250; $251 to $300; More than $300.]

The extrapolated value of a data breach involving EPHI on a per compromised record basis is $211.

Page 10: The Security of Electronic Health Information Survey

Log & Security Management Helps …

» Visibility – Broad Based Monitoring

» Access to electronic healthcare records

» Database activity monitoring

» Creation/deletion of new user accounts

» Assigning/changing access rights and privileges

» Threat monitoring and incident response

» Forensic analysis (immutable audit trail, electronic evidence)

Page 11: The Security of Electronic Health Information Survey

Log & Security Management Helps …

» Control – Real-Time Prevention

» Firewall and network policy (re)-configuration

» Database firewall – real-time blocking of suspect transactions

» Database security – virtual patch management

Page 12: The Security of Electronic Health Information Survey

CONNECTED HOSPITAL

[Diagram. Labels in the order they appear on the slide: Employers; Public Health Organizations; Laboratories; Pharmacies; Connected Clinicians; Social Services; Clinics; Emergency / First Responders; Suppliers; Government and Private Payers; Home and Long-Term Care; Hospitals.]

Monitoring Allows You To “Trust But Verify”

Page 13: The Security of Electronic Health Information Survey

Read The Full Report!

» You can view the entire webcast on demand at: http://www.loglogic.com/news/webcasts

» A full copy of the report is available at: www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/

Page 14: The Security of Electronic Health Information Survey

Thank You!

For more information or to schedule a demo contact us at:

[email protected]