Blog
HIPAA
2017 HIPAA Survey Results

2017 HIPAA Survey Results

How did organizations do with HIPAA compliance in 2017? Here are the results along with major takeaways to help you with your own HIPAA compliance efforts.

Updated
December 6, 2022
Posted
January 12, 2018
HIPAA
Penetration Testing
Security Tools
2017 HIPAA Survey Results

Find out how organizations did with HIPAA compliance in 2017

In 2017, we conducted 4 surveys of over 300 healthcare professionals from organizations of all sizes, primarily from those with less than 500 employees. We included the results in our 2018 Guide to HIPAA Compliance. Data from these surveys can help security experts and practices alike decide on which areas to focus their HIPAA resources.

So how did organizations do with HIPAA compliance in 2017? Here are the results along with major takeaways to help you with your own HIPAA compliance efforts:

Physical Security

When it came to the physical security of HIPAA-compliant data in 2017, at least 20% of respondents reported that their organizations did not use automatic timeouts or log outs on workstations. Also notable was the fact that at least 20% of respondents reported their organizations did not encrypt stored electronic protected health information. Organizations did well in the area of providing unique ID credentials for each employee—with 94% reporting that they followed this requirement.

Organizations have automatic timeouts/log outs on workstations

  • Yes: 78%
  • No: 20%
  • Don't know: 2%

Takeaway: All workstations need to have an automated timeout/log out (i.e., a password-protected screensaver enabled after a time of disuse.

Employees that have unique ID credentials

  • Have unique ID credential: 94%
  • Share credentials: 6%

Takeaway: All employees should have their own login IDs and passwords for computer, software, and physical access.

Organizations encrypt stored electronic protected health information

  • Yes: 78%
  • No: 20%
  • Don’t know: 2%

Takeaway: If you store any ePHI, you need to make sure that it has been properly encrypted (e.g., using AES-256 encryption).

HIPAA Firewalls

Network firewalls (both physical and virtual) are vital to HIPAA compliance. 31% of our respondents reported using both. Most organizations we surveyed opted for a managed firewall —a move that can help practices with large or complex networks.

Types of firewalls organizations use

  • Hardware firewall: 20%
  • Software firewall: 18%
  • Both: 31%
  • Don’t know: 31%

Takeaway: All networks (whether small or large) need both a hardware and software firewall.

Network firewall(s) managed by a security professional or third-party

  • Third party vendor: 74%
  • In-house security professional: 10%
  • Don’t know: 16%%

Takeaway: Though not required, managed firewall(s) can help organizations with complex firewall rules and firewall management.

How often firewall rules are reviewed

  • At least weekly: 13%
  • At least monthly: 16%
  • At least quarterly: 16%
  • At least yearly: 10%
  • Don’t know: 45%

Takeaway: A security professional should regularly review your firewall rules (e.g., at least quarterly).

Organizations designate the following individuals to respond to firewall notifications (e.g, logs, alerts)

  • Yes, a third-party vendor: 70%
  • Yes, in-house security professional: 12%
  • No-one: 8%
  • Don't know: 10%

Takeaway: HIPAA requires that organizations enable logging and log alerting on critical systems (e.g., un-authorized connection attempt).

Organizations allow the following individuals to remote access into their network

  • Employees: 36%
  • Another healthcare entity: 2%
  • Third-party vendor: 26%
  • Don't allow remote access: 29%
  • Don’t know: 7%

Takeaway: If you use remote access, make sure to implement adequate security, such as multi-factor authentication and proper firewall configuration.

Organizations require multi-factor authentication for remote access to patient data

  • Yes: 26%
  • No: 40%
  • Don’t know: 34%

Takeaway: If you use remote access, make sure to implement adequate security, such as multi-factor authentication.

Penetration Testing

This type of white-hat hacking is one of the best ways to find network vulnerabilities. Organizations should make sure that pen testers are qualified and vetted, and should perform a variety of penetration tests—to help prevent wasting time and money.

Organizations perform penetration tests

  • Yes: 26%
  • No: 16%
  • Don’t know: 58%

Takeaway: To protect against cyber-attacks, penetration testing is vital to network security.

Penetration tests performed by a security professional or third-party

  • In-house security professional: 2%
  • Third-party vendor: 22%
  • Don't perform penetration tests: 10%
  • Don’t know: 66%

Takeaway: Whether a penetration test is performed by an in-house security professional or third-party vendor, make sure they are qualified.

How often organizations perform penetration tests

  • Every other year: 2%
  • Annually: 6%
  • Yearly and after major network changes: 4%
  • After major network changes: 2%
  • Never: 8%
  • Don’t know: 78%

Takeaway: Organizations should regularly perform penetration tests (e.g., yearly).

Organizations perform the following type(s) of penetration tests

  • Network penetration test: 10%
  • Segmentation check: 0%
  • Application penetration test: 0%
  • Wireless penetration test: 0%
  • Social engineering assessment: 0%
  • Don't perform penetration tests: 12%
  • Don't know: 78%

Takeaway: Organizations should perform a variety of penetration tests to confirm their network security.

HIPAA Security Tips

Here are a few things to keep in mind for HIPAA compliance:

  • Train employees at least quarterly: if you have an IT team, let them participate in a few trainings to help familiarize all employees and staff with HIPAA compliance and PHI security
  • Get expert help: it’s a good idea to consult HIPAA Compliance and Security Assessors and other security experts to help your organization with areas of concern
  • Do security testing: hire penetration testers and ethical social engineers to test your systems and your employees

Need help with HIPAA? Check out our 2018 Guide to HIPAA Compliance and contact us with any questions.

Join thousands of security professionals.

Subscribe Now

Get the Guide to HIPAA Compliance

Download

Get a Quote for HIPAA Compliance

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000