The study does not say what methodology was followed in conducting the risk analysis, whether it relates to the guidance provided, or who actually conducted it. Of more importance, though, the study shows that those organizations doing risk analysis are identifying and resolving gaps in their security, and it rightfully points out that those that haven't won't achieve meaningful use.
What the study also unfortunately does not tell us is anything regarding the huge risk that business associates pose to healthcare entities. Admittedly, this was not the focus of this study, but it is and has been the focus of much discussion around healthcare for some time. A good percentage of the breaches reported to HHS' civil rights office have involved or been the result of mismanagement of data by business associates.
Business associates are responsible for being compliant with HIPAA and HITECH security requirements in their own right, but the question is, how many of them have conducted their risk assessments? More importantly, how many of those organizations receiving and processing protected health information on behalf of hospitals and medical practices have adequate security, and who is measuring this?
CEO, CynergisTek, Austin, Texas
Chairman, HIMSS Privacy & Security Steering Committee