Research from CORL Technologies Reveals Security Lapses in Health Care Sector

By CIOReview | Monday, June 30, 2014
1170
1874
347

ATLANTA, GA: CORL Technologies, provider of Vendor Security Risk Management (VSRM) solutions, has released the results of the first Vendor Intelligence Report rating the security level of vendors in the healthcare industry. The report reveals that the majority of healthcare vendors lack basic security. It shows that more than 58 percent of the companies scored “D” in the grade range measuring the culture of security in the organization. The report highlights that healthcare organizations neglect to hold vendors accountable for meeting minimum acceptable standards or otherwise mitigate vendor-related security weaknesses.

“The average hospital’s data is accessible by hundreds to thousands of vendors with abysmal security practices providing a wide range of services,” says Cliff Baker, CEO, CORL Technologies. “When healthcare and industry organizations don’t hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data.”

The Vendor Intelligence Report from CORL research team is based on the analysis of security related practices for a sample of over 150 vendors providing services to leading healthcare organizations from June 2013 to June 2014. They analyzed the people, process and technical practices of these organizations..

The four key trends and supporting data that emerged from the analysis include:

The Majority Of Healthcare Vendors Lack Minimum Security Practices To Protect Data.

  • 58 percent of vendors scored in the “D” grade range while 8 percent scored “F” in the grade range, meaning there are serious lapses in the culture of security. In fact only 4 percent of vendors scored in the “A” high confidence grade range. 16 percent scored “B” with moderate confidence and 14 percent in the “C” indeterminate confidence grade range.
  • Only 32 percent of vendors have security certifications. Typical certifications include FedRAMP, HITRUST, ISO 27001, SSAE-16, SOC 2 and 3.

Healthcare Organizations Are Unaware Of All The Vendors That Have Access To Their Data.

  • An average hospital’s data is accessible by hundreds to thousands of vendors providing a wide range of services: from business services, consulting, claims processing and education to Electronic Health Record (EHR), healthcare and medical supplies technologies and products to network and security software.

Healthcare Organizations have an Overwhelming Number of Small Vendors to Manage.

  • Over fifty percent of vendors providing services to an average healthcare organization are small to medium sized businesses with less than 1000 employees.
  • According to Symantec’s 2014 Internet Security Threat Report, targeted attacks aimed at Small Businesses accounted for “30 percent of targeted spear-phishing attacks”.

Existing Practices At Healthcare Organizations Do Little To Mitigate Vendor Related Security Weaknesses.

  • Vendor due diligence by healthcare organizations is not aligned with risks. Most healthcare organizations focus due diligence on their largest vendors - yet over half of breaches are attributed to small businesses.
  • In fact most organizations do not have a risk program in place at all and executives are not appropriately made aware of the exposure or efforts to mitigate risk.

“Although the HIPAA Omnibus Rule identifies that the individual actors are responsible in the event of a breach, if it is my organization’s data that is made public, the source does not matter. It was my responsibility to have protected it, so says our customer. We can no longer rely on the actions of others to keep us off the front page,” says Mark Williams, CISSP, CISA, CRISC, CIPP/IT, GIAC and President of the ISSA chapter in Chattanooga.

“We hope to use this information to illuminate gaps and provide recommendations to healthcare organizations and vendors alike that will help improve their risk management processes – and, ultimately, improve their overall security and risk posture,” adds Baker.