
Survey: Most Vendors Not Prepared to Comply with Data Protection Standards

October 10, 2016
by Heather Landi

Two thirds of healthcare industry vendors report they are not prepared to comply with the Health Information Trust Alliance’s (HITRUST) healthcare data protection standards, despite ongoing concerns about cyber security as it relates to healthcare information, according to a recent survey by New York City-based audit, tax and advisory firm KPMG.

There is no legal requirement mandating that organizations comply with the HITRUST standard or SOC 2, a separate data protection standard set by the American Institute of Certified Public Accountants (AICPA). The HITRUST Common Security Framework (CSF) is a privacy and security framework for organizations that create, maintain, transmit or receive PHI to assess the level of readiness and soundness of their control environment.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice, said in a statement. “These vendors are able to accomplish this through a SOC 2 + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick said.

KPMG polled 600 healthcare industry vendors, or business associates, during a KPMG webcast and found that half of those surveyed reported that they were “not ready” for a HITRUST CSF assessment. Additionally, 17.4 percent of respondents said they were in the planning stages for a HITRUST CSF assessment.

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent reported that they were completely ready, and 8 percent described their organization as “well along with implementation.” The remainder, 17 percent, said they were in the early stages of implementing the plan for a HITRUST CSF assessment.

The survey results come at a time when the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has demonstrated heightened scrutiny of healthcare organizations and their business associates to assess compliance with HIPAA privacy, security and breach notification rules. In the past year, OCR has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University (OHSU) agreed to a $2.7 million settlement after OCR alleged that OHSU stored over 3,000 individuals’ electronic PHI in a cloud computing system without any business associate agreement with the cloud computing vendor.

And, as reported by Healthcare Informatics, a recent study by Protenus and found that 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal are a direct result of third parties. In fact, the study authors contend that, based on data from HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. Based on an analysis by Protenus and, there were at least 4.5 million patients affected by a breach involving a third-party vendor or business associate, for a mean of 79,008 patients or records per incident.

In the KPMG survey, respondents reported that staffing was the biggest barrier to HITRUST CSF readiness, cited by 15 percent of those surveyed. Other barriers cited by respondents include cultural (11 percent), technological (10 percent) and financial (10 percent), and 4 percent cited reconciling past regulations with HITRUST.

More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.

The survey results also indicated that many organizations are challenged with staffing issues. When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” A little more than half of respondents, 53 percent, said they did have the right staff in place.

When asked where they see the biggest benefit from HITRUST, a quarter of the business associates who were polled said “assurances about overall security,” while another quarter of respondents cited standardized reporting as a benefit. Fourteen percent of respondents said progress towards Health Insurance Portability and Accountability Act (HIPAA) compliance, and 12 percent said HITRUST provides a blueprint for assessing cybersecurity risks. Additionally, 9 percent of respondents said HITRUST helps with meeting contractual requirements, and 15 percent said “none of the above” were benefits.

KPMG is a HITRUST Qualified CSF Assessor.
