Vendors are not held accountable for substandard security practices

Jun 30, 2014 07:35 GMT  ·  By

Data protection practices from 150 healthcare vendors have been analyzed in a study, which found that 58% of them relied on systems presenting security breach risks that could lead to losing sensitive information.

The Vendor Intelligence Report from CORL Technologies, a provider of Vendor Security Risk Management (VSRM) solutions, focused on vendors that store, process or access healthcare information provided by hospital units and health plans.

The report states that the majority of the companies in the healthcare business that have been included in the survey do not meet the minimum standards established by the HIPAA (Health Insurance Portability and Accountability Act).

CORL Technologies has discovered that, in many cases, the healthcare organizations do not know the number of vendors that have access to the health information on their systems, and that the efforts to increase the security of the information are minimal.

Furthermore, the vendors are not held responsible for the low security standards they enforce, and in as many as 68% of the cases, there are no security certifications from third-party entities to guarantee the safety of the data.

Such an entity is HITRUST (Health Information Trust Alliance), which has established the Common Security Framework (CSF) together with healthcare, business, technology and information security organizations.

The framework provides scalable security controls to help healthcare organizations mitigate privacy and security risks regarding sensitive information.

“An average hospital’s data is accessible by hundreds to thousands of vendors providing a wide range of services,” says the report. These include business services (legal, accounting, data destruction, revenue cycle, business process outsourcing), consulting (healthcare process, IT and security), healthcare technologies, medical devices and supplies, hosting services, network development and management, and security software.

“When healthcare and industry organizations don't hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data,” says Cliff Baker, CORL Technologies CEO.

CORL Technologies found that the majority of the healthcare organizations tend to neglect the smaller companies involved in the business and focus on the largest vendors; however, statistics show that more than half of the security breaches target the systems of small vendors in order to get to the bigger ones.

The Vendor Intelligence Report analyzed security-related practices of healthcare vendors that provided services to major healthcare organizations from June 2013 to June 2014. As a result of the study, the participating companies received scorecards based on the technical practices for data loss mitigation.

Most of them (58%) were graded with “D,” which stands for “lack of confidence based on demonstrated weaknesses with vendor’s culture of security.”

The poorest mark, “F” (no confidence to protect information), was received by 8% of the analyzed companies, and only 4% were graded with “A” because they presented high confidence of a strong culture regarding security practices.