
Survey: Most Vendors Not Prepared to Comply with Data Protection Standards

October 10, 2016
by Heather Landi

Two thirds of healthcare industry vendors report they are not prepared to comply with the Health Information Trust Alliance’s (HITRUST) healthcare data protection standards, despite ongoing concerns about cyber security as it relates to healthcare information, according to a recent survey by New York City-based audit, tax and advisory firm KPMG.

There is no legal requirement mandating that organizations comply with the HITRUST standard or SOC 2, a separate data protection standard set by the American Institute of Certified Public Accountants (AICPA). The HITRUST Common Security Framework (CSF) is a privacy and security framework that organizations that create, maintain, transmit or receive PHI can use to assess the readiness and soundness of their control environment.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice, said in a statement. “These vendors are able to accomplish this through a SOC 2 + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick said.

KPMG polled 600 healthcare industry vendors, or business associates, during a KPMG webcast and found that half of those surveyed reported that they were “not ready” for a HITRUST CSF assessment. Additionally, 17.4 percent of respondents said they were in the planning stages for a HITRUST CSF assessment.

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent reported that they were completely ready, and 8 percent described their organization as “well along with implementation.” The remainder, 17 percent, said they were in the early stages of implementing the plan for a HITRUST CSF assessment.

The survey results come at a time when the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has demonstrated heightened scrutiny of healthcare organizations and their business associates to assess compliance with HIPAA privacy, security and breach notification rules. In the past year, OCR has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University agreed to a $2.7 million settlement and OCR alleges it found that OHSU stored over 3,000 individuals’ electronic PHI in a cloud computing system without any business associate agreement with the cloud computing vendor.

And, as reported by Healthcare Informatics, a recent study by Protenus and DataBreaches.net found that 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal are a direct result of third parties. In fact, the study authors contend that, based on data from HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. Based on an analysis by Protenus and DataBreaches.net, at least 4.5 million patients were affected by a breach involving a third-party vendor or business associate, for a mean of 79,008 patients or records per incident.

In the KPMG survey, respondents reported that staffing was the biggest barrier to HITRUST CSF readiness, cited by 15 percent of those surveyed. Other barriers cited by respondents include cultural (11 percent), technological (10 percent) and financial (10 percent) factors, and 4 percent cited reconciling past regulations with HITRUST.

More than a quarter (27 percent) pointed to all of those factors, and 23 percent said “none of the above” were barriers.

The survey results also indicated that many organizations are challenged with staffing issues. When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” A little more than half of respondents, 53 percent, said they did have the right staff in place.

When asked where they see the biggest benefit from HITRUST, a quarter of the business associates who were polled said “assurances about overall security,” while another quarter of respondents cited standardized reporting as a benefit. Fourteen percent of respondents cited progress towards Health Insurance Portability and Accountability Act (HIPAA) compliance, and 12 percent said HITRUST provides a blueprint for assessing cybersecurity risks. Additionally, 9 percent of respondents said HITRUST helps with meeting contractual requirements, and 15 percent said “none of the above” were benefits.

KPMG is a HITRUST Qualified CSF Assessor.
