What's In Your Budget?

by Trish Voss

According to the results of the 2009 HIMSS Security Survey, the majority of organizations are spending less than three percent of their budget on information security. Yes, that’s right, less than three percent. This is remarkable considering three-quarters of the surveyed organizations said they found patient data at risk due to inadequate security controls, policies and processes.

Since the introduction of new regulatory requirements, the survey showed organizations have made little, if any, improvement to the maturity of their security programs. I know hospitals face huge challenges with limited budgets and try to balance their resources to best care for their patients, but there is a lot riding on the security of their patient’s data.

When conducting a quantitative risk analysis, organizations try to numerically determine the probabilities of adverse events and possible loss if the events occur. With data breaches increasing, fines for HIPAA violations up to $1.5 million dollars, and additional resources allocated to enforcing the HIPAA privacy and security rules, I think organizations may want to take a second look at their risk analysis and adjust their security budgets accordingly.