Skip to content Skip to navigation

Survey: Most Vendors Not Prepared to Comply with Data Protection Standards

October 10, 2016
by Heather Landi
| Reprints

Two thirds of healthcare industry vendors report they are not prepared to comply with the Health Information Trust Alliance’s (HITRUST) healthcare data protection standards, despite ongoing concerns about cyber security as it relates to healthcare information, according to a recent survey by New York City-based audit, tax and advisory firm KPMG.

There is no legal requirement mandating that organizations comply with the HITRUST standard or SOC 2—a separate data protection standard set by the American Institute of Certified Public Accountants (AICPA). The HITRUST Common Security Framework (CSF) is a privacy and security framework for organizations who create, maintain, transmit or receive PHI to assess the level of readiness and soundness of their control environment.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice, said in a statement. “These vendors are able to accomplish this through a SOC 2 + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick said.

KPMG polled 600 healthcare industry vendors, or business associates, during a KPMG webcast and found that half of those surveyed reported that were “not ready” for a HITRUST CSF assessment. Additionally, 17.4 percent of respondents said they were in the planning stages for a HITRUST CSF assessment.

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent reported that they were completely ready, and 8 percent described their organization as “well along with implementation.” The reminder, 17 percent, said they were in the early stages of implementing the plan for a HITRUST CSF assessment.

The survey results come at a time when the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has demonstrated heightened scrutiny of healthcare organizations and their business associates to assess compliance with HIPAA privacy, security and breach notification rules. In the past year, OCR has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University agreed to a $2.7 million settlement and OCR alleges it found that OHSU stored over 3,000 individuals’ electronic PHI in a cloud computing system without any business associate agreement with the cloud computing vendor.

And, as reported by Healthcare Informatics, a recent study by Protenus and DataBreaches.net found that 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal are a direct result of third parties. In fact, the study authors contend that based on data form HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. Based on an analysis by Protenus and DataBreaches.net, there were at least 4.5 million patients affected by a breach involving a third party vendor or business associate, for a mean of 79,008 patients or records per incident.

In the KPMG survey, respondents reported that staffing was the biggest barrier to HITRUST CSF readiness, cited by 15 percent of those surveyed. Other barriers cited by respondents include cultural (11 percent), technological (10 percent), financial (10 percent) and 4 percent said reconciling past regulations with HITRUST.

More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.  

The survey results also indicated that many organizations are challenged with staffing issues. When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” A little more than half of respondents, 53 percent, said they did have the right staff in place.

When asked where they as see the biggest benefit from HITRUST, a quarter of the business associates who were polled said “assurances about overall security” while another quarter of respondents cited standardized reporting as a benefit. Fourteen percent of respondents said progress towards Health Insurance Portability and Accountability Act (HIPAA) compliance and 12 percent HITRUST provides a blueprint for assessing cybersecurity risks. Additionally, 9 percent of respondents said HITRUST helps with meeting contractual requirements, and 15 percent said “none of the above” were benefits.

KPMG is a HITRUST Qualified CSF Assessor.

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

VETS Act Introduced to Expand Veterans’ Access to Telehealth Services

U.S. Senators Joni Ernst (R-IA) and Mazie Hirono (D-HI), both members of the Senate Armed Services Committee, reintroduced this week the Veterans E-Health and Telemedicine Support Act of 2017 (VETS Act), bipartisan legislation that aims to expand telehealth services provided by the Department of Veterans Affairs (VA).

Mayo Clinic Makes Health Content Available via Epic’s Patient Apps

Rochester, Minn.-based Mayo Clinic is now offering its health information on demand via Epic patient-facing apps such as MyChart and MyChart Bedside.

Report: Cyber Attackers Using Simple Tactics, Tools to Target Healthcare, Other Industries

The number of reported breach incidents in healthcare grew by 22 percent in 2016 from 269 breach incidents in 2015 to 328 last year, according to Symantec’s 2017 Internet Security Threat Report (ISTR).

The Sequoia Project Touts Interoperability Growth in Fifth Year

The Sequoia Project is celebrating its fifth anniversary this month by announcing that its various interoperability initiatives have grown by health organization participants, by geographic reach, and by the sheer number of health records exchanged electronically.

Report: HHS to Open Healthcare Cybersecurity Center

HHS will be opening a Cybersecurity and Communications Integration Center in which healthcare organizations and consumers can get educated about the risks of using mobile apps and data.

Survey: Two-Thirds of Healthcare Employees Share Confidential Data On Occasion

Seventy-two percent of employee say they would share sensitive, confidential or regulated company information under certain circumstances and 68 percent of healthcare employees report that they share confidential or regulated data on occasion, according to the Dell End-User Security Survey.