
Survey: Most Vendors Not Prepared to Comply with Data Protection Standards

October 10, 2016
by Heather Landi

Two thirds of healthcare industry vendors report they are not prepared to comply with the Health Information Trust Alliance’s (HITRUST) healthcare data protection standards, despite ongoing concerns about cyber security as it relates to healthcare information, according to a recent survey by New York City-based audit, tax and advisory firm KPMG.

There is no legal requirement mandating that organizations comply with the HITRUST standard or SOC 2—a separate data protection standard set by the American Institute of Certified Public Accountants (AICPA). The HITRUST Common Security Framework (CSF) is a privacy and security framework for organizations who create, maintain, transmit or receive PHI to assess the level of readiness and soundness of their control environment.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice, said in a statement. “These vendors are able to accomplish this through a SOC 2 + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick said.

KPMG polled 600 healthcare industry vendors, or business associates, during a KPMG webcast and found that half of those surveyed reported that they were “not ready” for a HITRUST CSF assessment. Additionally, 17.4 percent of respondents said they were in the planning stages for a HITRUST CSF assessment.

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent reported that they were completely ready, and 8 percent described their organization as “well along with implementation.” The remainder, 17 percent, said they were in the early stages of implementing the plan for a HITRUST CSF assessment.

The survey results come at a time when the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has demonstrated heightened scrutiny of healthcare organizations and their business associates to assess compliance with HIPAA privacy, security and breach notification rules. In the past year, OCR has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University (OHSU) agreed to a $2.7 million settlement; OCR alleges it found that OHSU stored over 3,000 individuals’ electronic PHI in a cloud computing system without any business associate agreement with the cloud computing vendor.

And, as reported by Healthcare Informatics, a recent study by Protenus and DataBreaches.net found that 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal are a direct result of third parties. In fact, the study authors contend that, based on data from HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. Based on an analysis by Protenus and DataBreaches.net, at least 4.5 million patients were affected by a breach involving a third-party vendor or business associate, for a mean of 79,008 patients or records per incident.

In the KPMG survey, respondents reported that staffing was the biggest barrier to HITRUST CSF readiness, cited by 15 percent of those surveyed. Other barriers cited by respondents include cultural (11 percent), technological (10 percent) and financial (10 percent) factors, and 4 percent cited reconciling past regulations with HITRUST.

More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.

The survey results also indicated that many organizations are challenged with staffing issues. When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” A little more than half of respondents, 53 percent, said they did have the right staff in place.

When asked where they see the biggest benefit from HITRUST, a quarter of the business associates who were polled said “assurances about overall security,” while another quarter of respondents cited standardized reporting as a benefit. Fourteen percent of respondents said progress towards Health Insurance Portability and Accountability Act (HIPAA) compliance, and 12 percent said HITRUST provides a blueprint for assessing cybersecurity risks. Additionally, 9 percent of respondents said HITRUST helps with meeting contractual requirements, and 15 percent said “none of the above” were benefits.

KPMG is a HITRUST Qualified CSF Assessor.
