Snooping staff still a big concern
Healthcare groups show modest security improvements, but are still seriously lacking in several areas
Other key findings from the survey include the following:
- 92 percent of organizations conduct a formal risk analysis.
- 54 percent of organizations report having a tested data breach response plan; 63 percent of these organizations test their plan annually.
- 93 percent of organizations indicate they are collecting and analyzing data from audit logs.
- Healthcare organizations are using multiple means of controlling employee access to patient information; 67 percent of survey respondents use at least two mechanisms, such as user-based and role-based controls, for controlling access to data.
The survey also pinpoints other shortcomings within the healthcare industry. Barriers to improving an organization's security posture included budget, dedicated leadership and the following:
- Organizations reported an average score of 4.35 with regard to the maturity of their security environment (where one is not at all mature and seven is highly mature).
- Nearly half of the survey's responding organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data.
- 52 percent of the hospital-based respondents reported that they had a CSO, CISO or other full-time leader in charge of security of patient data.
Although HIMSS data suggests modest improvements in several areas, according to a 2014 breach report by healthcare IT security firm Redspin, the breach numbers are a bit more salient. Using data from the Department of Health and Human Services, their calculations show HIPAA data breaches -- which include both privacy and security violations -- have actually increased 138 percent from last year, and since 2009 some 29.3 million people have had their medical records stolen, inappropriately accessed, hacked or reported missing.