BreachExchange mailing list archives

Most Healthcare Vendors Lack Minimum Security Measures

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Jun 2014 19:17:49 -0600

http://news.softpedia.com/news/Most-Healthcare-Vendors-Lack-Minimum-Security-Measures-448803.shtml

The Vendor Intelligence Report from CORL Technologies, a provider of Vendor
Security Risk Management (VSRM) solutions, focused on vendors that store,
process or access healthcare information provided by hospital units and
health plans.

The report states that the majority of the companies in the healthcare
business that have been included in the survey do not meet the minimum
standards established by the HIPAA (Health Insurance Portability and
Accountability Act).

CORL Technologies has discovered that, in many cases, healthcare
organizations do not know how many vendors have access to the health
information on their systems, and that efforts to increase the security of
that information are minimal.

Furthermore, the vendors are not held responsible for the low security
standards they enforce, and in as much as 68% of the cases, there are no
security certifications from third-party entities to guarantee the safety
of the data.

Such an entity is HITRUST (Health Information Trust Alliance), which has
established the Common Security Framework (CSF) together with healthcare,
business, technology and information security organizations.

The framework provides scalable security controls to help healthcare
organizations mitigate privacy and security risks regarding sensitive
information.

“An average hospital’s data is accessible by hundreds to thousands of
vendors providing a wide range of services,” says the report. These include
business services (legal, accounting, data destruction, revenue cycle,
business process outsourcing), consulting (healthcare process, IT and
security), healthcare technologies, medical devices and supplies, hosting
services, network development and management, and security software.

“When healthcare and industry organizations don't hold vendors accountable
for minimum levels of security, these vendors establish an unlocked
backdoor to sensitive healthcare data,” says Cliff Baker, CORL Technologies
CEO.

CORL Technologies found that the majority of the healthcare organizations
tend to neglect the smaller companies involved in the business and focus on
the largest vendors; however, statistics show that more than half of the
security breaches target the systems of small vendors in order to get to
the bigger ones.

The Vendor Intelligence Report analyzed security-related practices of
healthcare vendors that provided services to major healthcare organizations
from June 2013 to June 2014. As a result of the study, the participating
companies received scorecards based on the technical practices for data
loss mitigation.

Most of them (58%) were graded with “D,” which stands for “lack of
confidence based on demonstrated weaknesses with vendor’s culture of
security.”

The poorest mark, “F” (no confidence to protect information), was received
by 8% of the analyzed companies, and only 4% were graded with “A” because
they presented high confidence of a strong culture regarding security
practices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/