Healthcare InfoSec Survey Results Debut

Most Healthcare Organizations Lack a Documented Strategy

Less than half of healthcare organizations participating in the third annual Healthcare Information Security Today Survey say their organization has a documented information security strategy in place. But a sizable majority say their organization conducted a risk assessment in 2013.


A free webinar available beginning March 24 will offer a summary of the results plus an analysis by a panel of experts. An in-depth report on the complete survey results will be available on, under the resources section, in the coming weeks.

"I believe the survey accurately reflects what is happening in the healthcare industry, where improvements are being made, with some areas performing better than others," says panelist Brian Evans, principal security and privacy consultant at Tom Walsh Consulting. "But overall, we're still not where we need to be from an information security maturity perspective."

Panelist Bob Chaput, CEO at Clearwater Compliance, notes: "Rather than a systematic, more architected approach to risk management, there seems to be an awful lot of focus on controls rather than, at the very beginning of the journey, information assets."

And Michael Bruemmer, vice president at Experian Data Breach Resolution, points out that paying inadequate attention to information security can prove costly. "We have data that suggest that responding without a risk assessment or a data breach response plan to a security incident actually costs companies 25 percent more," he notes.

Key Survey Findings

Among other key survey findings:

  • 75 percent of those surveyed say their organization has a detailed plan in place to comply with the HIPAA Omnibus Rule;
  • About 60 percent say they have instituted the new "four factor" approach to assessing a data breach to determine whether notification is required, as spelled out in the HIPAA Omnibus Rule;
  • A third say their budgets for information security will increase this year;
  • Improving regulatory compliance and improving security education are the top two information security priorities for the year ahead;
  • Audit tools and e-mail encryption are the top technologies that organizations plan to implement in 2014.

The survey of about 200 senior executives at hospitals, integrated delivery systems, clinics, health plans and other healthcare organizations, conducted online earlier this year, is sponsored by (ISC)², a not-for-profit membership body of certified information and software security professionals.

Sponsors of the webinar are Experian Data Breach Resolution and Clearwater Compliance.

Registration for the free event is now available.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
