Almost 80 percent of CIOs are confident in their security prevention measures, response plans and documentation processes, according to the October healthsystemCIO.com SnapSurvey, but follow-up comments paint a different picture. Upon closer examination, it may be more accurate to say CIOs are confident they have taken all reasonable and prudent measures to ensure proper security, but are uncomfortable declaring with absolute certainty that their organizations are impenetrable. Additionally, many said they had more work to do during the next few months getting their plans up to speed. The majority (67 percent) said they were getting outside help with security audits, but none were able to find firms willing to share in the risk of being wrong.
(SnapSurveys are answered by the healthsystemCIO.com Advisory Panel.)
- We have done so repeatedly in the past as part of our on-going security plan. We are able to build on that process without a special focus on MU issues.
- We have annual oversight by External Audit, Internal Audit and Compliance.
- We conduct biannual security assessment and penetration testing using an external firm and change the firm every other audit.
- We, of course, have our own proactive internal surveillance and alerting systems that keep an eye on things.
- We have done this for years.
- We have a good information security team, and I’m confident of their ability to perform an effective, acceptable risk assessment.
- We did about 1 year ago and will need to consider a more in-depth audit for HITECH.
- We have run periodic outside assessments of our security infrastructure, and will continue to do so.
- Outside companies already have the required process mapped out and can move through the assessment faster than in-house staff. Also, from an audit perspective, it’s better to have someone from outside assess readiness versus the people who are currently managing readiness.
- We are rarely without an auditor on site. We’ve audited security to the point of exhaustion. Changes take time but consultants want to sell, sell, sell!
- In fact, they tend to stay within the bounds of their contracted responsibility and, in the past, have failed to tell us about other issues they noticed — unacceptable, I think.
- They, in fact, have had us sign off stating they have made us aware of any identified risks and kind of put on notice that failure to address the findings and mitigate will further expose the organization.
- The larger firms are very careful to avoid liability.
- That’s a great concept, but I think very few auditing firms will provide much more than an opinion.
- They are advisors. They are not guaranteeing compliance. They are providing guidance on what they have seen in the industry.
- They do guarantee you are compliant, but they will not share any of the risk.
- I haven’t found one yet that is willing to provide any kind of after-support.
- We have established some base on the IP range and scope. Others have established the scope of services with an estimate of hours and a not-to-exceed price.
- It’s also a multi-year retainer. They will be back next year to audit compliance with a readiness plan and update with any new regulations.
- Yes, as required by HIPAA and related compliance requirements.
- A complete plan, no. A partial plan, yes. The current plan is limited to IS, Administration, PR, Compliance, Security and our Office of Emergency Prep.
- We have a detailed event-management plan.
- No, but we need this.
- We ran a tabletop exercise regarding a security breach with legal, marketing, administration, compliance, and IT.
- Yes, but as the saying goes, “Plans fade when the shooting starts!”
- I am confident, but not sure about how comprehensive it is.
- We have come a long way, but it is a journey, not a destination.
- Not now, but I will be by end of calendar year.
- Yes, but we won’t really know until we use them.
- Confident, as well as one can be in a world of evolving threats.
- Somewhat. There are still some gaps in our analysis and plan.
- As confident as you can be, given the circumstances. We are doing what we can, where we can. We are taking all the steps that can be expected as reasonable and prudent. We recognize that this does not eliminate risk — only mitigates it to some extent.
- Not yet, but will be in the next 3 months.
- To the best degree possible. Surprises are always a potential, but due diligence has to play a part in the “common sense” test …
- Yes, but only one night at a time.