While less than one quarter of CIOs surveyed in healthsystemCIO.com’s June SnapSurvey feel security ranks among their strengths, 40 percent place their organization’s security maturity at either the highest level (optimized) or just below (measured). Perhaps that’s because almost 60 percent are supported in those efforts by a CISO, and they are glad to have one.
As for the current security environment, almost half (47 percent) feel it is “appropriate,” despite being heavily audited — just over three quarters have been through either a Meaningful Use or HIPAA/OCR audit at least once, and almost half have been through one type of audit multiple times.
(SnapSurveys are answered by the healthsystemCIO.com CIO Advisory Panel.)
Where would you rank your organization’s security maturity? (The choices are listed from lowest to highest maturity levels)
- This is an area that, before I arrived, was not a priority. The fact that we have not had a major breach is just pure luck.
- We actually are between measured and optimized. All relevant tools have been implemented (SIEM, DLP, IDS), policies updated, education ongoing, and a security firm retained for regular audits and guidance.
Do you consider security one of your particular strengths as a CIO?
- Yes, because CIOs get fired for breaches and not being as prepared as the organization could be. There is a fine line between enough and too much in this area.
- I have stayed very close to our program as it relates to HITECH and HIPAA requirements.
I’m probably about average
- IT security has become a very specialized role and one that I feel will need to become even more specialized moving forward.
Does your organization have a Chief Information Security Officer?
Yes, and I think it’s a good thing
- The position reports to me but in the past year we had to make this someone’s full time job. Previously it was covered as part of the assistant director’s duties.
- It is an absolute necessity. Someone needs to be focused on this 24X7. If an audit occurs, you’ll wish you had one.
No, but we are fine without one
- We are part of an academic institution, and the University insists the CISO position belongs at the University level and not the health care level.
- We are a small organization with 30 IT staff. I double as CIO/CISO. I have a person running the security program as more of an internal auditor.
No, but we need one
- As the HIPAA-designated Security “Official” I fill the role and have created a security “coordinator” to perform the day-to-day tasks required of this role. I feel we need a specialized, certified SO to complement the other IS leadership roles.
- This is something we will add soon.
Have you been through any of the following?
What do you think of the current security/compliance environment?