Survey: Healthcare organizations' security not up to HITECH standards
Healthcare organizations aren't prepared to meet the privacy and security standards introduced by the HITECH provisions of the American Recovery and Reinvestment Act (ARRA), according to a new survey.
The survey of 196 healthcare information technology and security professionals, conducted by the Healthcare Information and Management Systems Society (HIMSS) and sponsored by Symantec Corp., a Mountain View, Calif.-based developer of security, storage and systems management software, indicated that healthcare organizations aren't using available security technologies to keep patient data safe. Reasons given include stretched budgets and the lack of a chief security officer (CSO) or chief information security officer (CISO).
Approximately 60 percent of respondents said their organization spends 3 percent or less of its IT budget on information security, a level consistent with the spending identified in the 2008 HIMSS study. Fewer than half of the respondents said their organization has a formally designated CISO or CSO.
"Although awareness about these issues is high, many providers have not yet made significant moves to address these concerns," said David Finn, Symantec's health IT officer.
For example, respondents said they're using firewalls and user access controls but aren't implementing all available technologies to secure data. Only 67 percent use encryption to secure data in transmission, and fewer than half encrypt stored data.
Three-quarters of the organizations that conducted risk assessments found patient data at risk due to inadequate security controls, policies and processes, but only half said their organization had a plan in place for responding to threats or incidents related to a security breach.
"Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies," said Lisa Gallagher, HIMSS' senior director of privacy and security. "IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery."