Most health care vendors earn 'D' in data protection, study finds
Fifty-eight percent of vendors scored within the D-range, meaning confidence in the organization's security culture was very low.
A security intelligence report found that 58 percent of health care vendors earned a barely passing grade for their data security and privacy standards.
On Friday, Corl Technologies, an Atlanta company that focuses on vendor security risk management, released a report assessing 150 health care vendors primarily in the U.S., called “The Unlocked Back Door to Healthcare Data.” Corl, which provides a score card rating system for health care organizations, said that 58 percent of vendors scored within the "D" range, meaning confidence in the organizations' security culture was very low.
Factors such as the security and privacy policies of the health care vendors, as well as whether they had a security officer or qualified security team in place, contributed to vendors' scores. Also, security incidents, such as breaches, were taken into consideration.
“We looked at a host of factors and technical considerations and boiled them into a simplified letter grade,” Brian Selfridge, chief strategy officer at Corl Technologies, told SCMagazine.com in a Friday interview.
All of the graded vendors store, process or access protected health care information provided by hospitals or health plans, the report said.
“[The] majority of health care vendors lack minimum security practices, well short of HIPAA standards,” the report added. “Health organizations are often unaware of how many of their vendors have access to protected information.”
The findings come several months after the compliance grace period ended for the HIPAA Omnibus Rule, which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act).
A major provision of the updated security rules brought about expanded legal responsibilities for third-party organizations, like health care vendors, handling protected health information.
One amendment to HIPAA legally requires “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications. In addition, the updated rules expand the definition of a business associate so that any subcontractor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a HIPAA-covered entity must comply.
In his Friday interview, Selfridge explained that the amended HIPAA rules “put the extra regulatory onus” on health care organizations to watch over third parties managing sensitive health data, especially since protected information has increasingly moved into the domain of vendors over recent years.
“The regulators have figured it out and put some [security] controls in place. The problem is, the situation hasn't really changed that much and we are seeing a sluggish reaction from the vendors to make progress,” Selfridge said.
The study noted that additional steps, such as pushing vendors to obtain security certifications and to develop risk programs, would help spur improved security.