Only 29 percent of healthcare organizations report having a comprehensive security program in place, and among those that do not have such a program, 31 percent are either not meeting with their executive committee or are meeting less than once a year to give security updates.

According to CHIME’s 2018 Health-Care’s Most Wired report, the maturity of a healthcare enterprise’s security program impacts its capabilities and protocols. For example, enterprises with a comprehensive security program are more likely to support critical security measures like data-loss prevention, BYOD management, database monitoring, provisioning systems, log management and adaptive risk-based authentication for network access.

Most organizations seem prepared for disasters to strike; 68 percent estimate that if a disaster caused complete loss of their primary data center, they could restore operations within 24 hours for their clinical, financial, supply chain management, and human resources and staffing systems. Regarding the adoption of 10 components critical to an incident response plan (see graphic), 26 percent of organizations have all 10; the most widely adopted include documented EHR-outage procedures, security/privacy breach notification procedures and at least annual tabletop exercises.