Close this search box.

Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council


A sampling frame of 6,700 individuals from healthcare organizations were selected as participants to this survey. All respondents are familiar with their organizations’ efforts to reduce cybersecurity risks and an average of 61 percent of their time is devoted to information security strategy or tactical planning and response. Table 2 shows 255 total returns. Screening and reliability checks required the removal of 36 surveys. Our final sample consisted of 219 surveys or a 3.3 percent response.

Sample Responses
Sample frame
Total returns
Rejected or screened surveys
Final sample

The chart below reports the respondent’s organizational level within participating organizations. By design, more than half (67 percent) of respondents are at or above the supervisory levels. The largest category at 23 percent of respondents is Manager.

Years of relevant experience in the healthcare industry

1 to 5 years
6 to 10 years
11 to 15 years
16 to 20 years
More than 20 years

Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

  • Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
  • Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are familiar with their organizations’ efforts to reduce its cybersecurity risk. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
  • Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.