Most health care vendors earn 'D' in data protection, study finds

Fifty-eight percent of vendors scored within the D-range, meaning confidence in the organization's security culture was very low.

A security intelligence report found that 58 percent of health care vendors earned a barely passing grade for their data security and privacy standards.

On Friday, Corl Technologies, an Atlanta company that focuses on vendor security risk management, released a report assessing 150 health care vendors primarily in the U.S., called “The Unlocked Back Door to Healthcare Data.” Corl, which provides a score card rating system for health care organizations, said that 58 percent of vendors scored within the "D" range, meaning confidence in the organizations' security culture was very low.

Factors such as the security and privacy policies of the health care vendors, as well as whether they had a security officer or qualified security team in place, contributed to vendors' scores. Also, security incidents, such as breaches, were taken into consideration.

“We looked at a host of factors and technical considerations and boiled them into a simplified letter grade,” Brian Selfridge, chief strategy officer at Corl Technologies, told SCMagazine.com in a Friday interview.

All of the graded vendors store, process or access protected health care information provided by hospitals or health plans, the report said.

“[The] majority of health care vendors lack minimum security practices, well short of HIPAA standards,” the report added. “Health organizations are often unaware of how many of their vendors have access to protected information.”

The findings come several months after the compliance grace period ended for the HIPAA Omnibus Rule, which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act).

A major provision of the updated security rules brought about expanded legal responsibilities for third-party organizations, like health care vendors, handling protected health information.

One amendment to HIPAA legally requires “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications. In addition, the updated rules expand the definition of a business associate so that any subcontractor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a HIPAA-covered entity must comply.

In his Friday interview, Selfridge explained that the amended HIPAA rules “put the extra regulatory onus” on health care organizations to watch over third parties managing sensitive health data, especially since protected information has increasingly moved into the domain of vendors over recent years.

“The regulators have figured it out and put some [security] controls in place. The problem is, the situation hasn't really changed that much and we are seeing a sluggish reaction from the vendors to make progress,” Selfridge said.

The study noted that additional steps, such as pushing vendors to obtain security certifications and to develop risk programs, would help spur improved security.
