Most health care vendors earn 'D' in data protection, study finds

Fifty-eight percent of vendors scored within the D-range, meaning confidence in the organization's security culture was very low.

A security intelligence report found that 58 percent of health care vendors earned a barely passing grade for their data security and privacy standards.

On Friday, Corl Technologies, an Atlanta company that focuses on vendor security risk management, released a report assessing 150 health care vendors primarily in the U.S., called “The Unlocked Back Door to Healthcare Data.” Corl, which provides a score card rating system for health care organizations, said that 58 percent of vendors scored within the "D" range, meaning confidence in the organizations' security culture was very low.

Factors such as the security and privacy policies of the health care vendors, as well as whether they had a security officer or qualified security team in place, contributed to vendors' scores. Also, security incidents, such as breaches, were taken into consideration.

“We looked at a host of factors and technical considerations and boiled them into a simplified letter grade,” Brian Selfridge, chief strategy officer at Corl Technologies, told SCMagazine.com in a Friday interview.

All of the graded vendors store, process or access protected health information provided by hospitals or health plans, the report said.

“[The] majority of health care vendors lack minimum security practices, well short of HIPAA standards,” the report added. “Health organizations are often unaware of how many of their vendors have access to protected information.”

The findings come several months after the compliance grace period ended for the HIPAA Omnibus Rule, which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act).

A major provision of the updated security rules brought about expanded legal responsibilities for third-party organizations, like health care vendors, handling protected health information.

One amendment to HIPAA legally requires “business associates” of covered entities to comply with the security and privacy measures HIPAA enforces, including breach notification. In addition, the updated rules expand the definition of a business associate so that any subcontractor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a HIPAA covered entity must comply.

In his Friday interview, Selfridge explained that the amended HIPAA rules “put the extra regulatory onus” on health care organizations to watch over third-parties managing sensitive health data, especially since protected information has increasingly moved into the domain of vendors over recent years.

“The regulators have figured it out and put some [security] controls in place. The problem is, the situation hasn't really changed that much and we are seeing a sluggish reaction from the vendors to make progress,” Selfridge said.

The study noted that additional steps, such as pushing vendors to obtain security certifications and to develop risk programs, would help spur improved security.
