Healthcare InfoSec Survey Results DebutMost Healthcare Organizations Lack a Documented Strategy
Less than half of healthcare organizations participating in the third annual Healthcare Information Security Today Survey say their organization has a documented information security strategy in place. But a sizable majority say their organization conducted a risk assessment in 2013.
See Also: HIPAA Audits: A Revised Game Plan
A free webinar available beginning March 24 will offer a summary of the results plus an analysis by a panel of experts. An in-depth report on the complete survey results will be available on HealthcareInfoSecurity.com, under the resources section, in the coming weeks.
"I believe the survey accurately reflects what is happening in the healthcare industry, where improvements are being made, with some areas performing better than others," says panelist Brian Evans, principal security and privacy consultant at Tom Walsh Consulting. "But overall, we're still not where we need to be from an information security maturity perspective."
Panelist Bob Chaput, CEO at Clearwater Compliance, notes: "Rather than a systematic, more architected approach to risk management, there seems to be an awful lot of focus on controls rather than, at the very beginning of the journey, information assets."
And Michael Bruemmer, vice president at Experian Data Breach Resolution, points out that paying inadequate attention to information security can prove costly. "We have data that suggest that responding without a risk assessment or a data breach response plan to a security incident actually costs companies 25 percent more," he notes.
Key Survey Findings
Among other key survey findings:
- 75 percent of those surveyed say their organization has a detailed plan in place to comply with the HIPAA Omnibus Rule;
- About 60 percent say they have instituted the new "four factor" approach to assessing a data breach to determine whether notification is required, as spelled out in HIPAA Omnibus Rule;
- A third say their budgets for information security will increase this year;
- Improving regulatory compliance and improving security education are the top two information security priorities for the year ahead;
- Audit tools and e-mail encryption are the top technologies that organizations plan to implement in 2014.
The survey of about 200 senior executives at hospitals, integrated delivery systems, clinics, health plans and other healthcare organizations, conducted online earlier this year is sponsored by (ISC)Â², a not-for-profit membership body of certified information and software security professionals.
Sponsors of the webinar are Experian Data Breach Resolution and Clearwater Compliance.
Registration for the free event is now available.