Preliminary results of our inaugural Healthcare Information Security Today survey, which is still open for participation, show that only about half of healthcare organizations have a plan in place to comply with the HITECH Act breach notification rule. In addition, about 39 percent rate their ability to counter security threats as poor, failing or in need of improvement. And 25 percent have yet to conduct a detailed risk analysis.
Remember, healthcare organizations are obligated to comply with the interim final breach notification rule, even though it's slated to be replaced by a final version soon. So don't let that "interim final" title fool you. The rule is in effect, and your organization should have a breach notification plan in place to help ensure compliance.
Preliminary results of our inaugural Healthcare Information Security Today survey show that only about half of healthcare organizations have a plan in place to comply with the HITECH Act breach notification rule.
A final version of the rule is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim final version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.
We'll have to wait and see whether that harm standard is modified or removed from the final version of the rule. Some members of Congress and privacy advocates have called for federal regulators to require that all breaches be reported, not just those with a significant risk of harm. We're hoping that regulators, at the very least, greatly clarify the standard. That could help make compliance easier.
In the meantime, is your organization prepared to notify patients and regulators of a breach if you learn of one tomorrow? And, equally important, are you taking all the necessary steps to prevent breaches?
Participate in SurveyOur ongoing survey is designed to assess organizations' security efforts, including their breach prevention strategies. But time is running out to participate, so don't miss out on this opportunity. By taking a few minutes to fill out the survey, you'll help us provide you with a detailed analysis of the status of healthcare information security, which you can then use to compare your organization's efforts with others and gain insights that you can apply to your security program.
In the weeks ahead, we'll present the final survey results in a variety of ways, including an executive summary, annotated report, interviews and a webinar.