A survey of 166 US health information security professionals. Discusses the prevalence of significant security events (primarily e-mail based), positive advances in healthcare security, the threat of complacency when managing programs, and area where there are control gaps.