Health IT, device vendors called lax on security certification

Just 26 percent of business associates — as defined by HIPAA — in health IT, medical devices and outsourced services for healthcare providers and payers held a valid security certification, according to an analysis by CORL Technologies.

Healthcare is already a ripe target for hackers because health data is so valuable, and a new analysis of security certifications suggests that technology vendors serving the industry are also lax in their security practices.

Just 26 percent of business associates — as defined by HIPAA — in health IT, medical devices and outsourced services for healthcare providers and payers held a valid security certification. That eye-opening statistic comes from CORL Technologies, an Atlanta-based security risk management company.

CORL analyzed the certification status of 1,000 healthcare vendors large and small from its own database of more than 30,000 firms. Just 5 percent of small business associates had security certifications, the company found — and small vendors accounted for more than half of a typical health system’s BAs.

Interestingly, the most common certifications that healthcare business associates had were not relevant to protected health information — another term straight from HIPAA.

Of those vendors studied, 24 percent had Statement on Standards for Attestation Engagements (SSAE) 16 certification and 23 percent held a Payment Card Industry (PCI) Data Security Standard certificate. Both are for financial transactions, not handling of personally identifiable health data.

No other certification had more than 19 percent of the survey pool, CORL noted.

Those with significant business outside of healthcare were most likely to be in compliance.

“The Microsofts of the world and the IBMs of the world have kept their certifications up,” CORL CEO Cliff Baker said. “Many of these companies work in other industries that have held them to high standards.”

That implies that healthcare companies have not held their technology vendors to high standards, which is exactly what CORL found in its analysis.

“The customer base [in healthcare] hasn’t demanded it,” Baker said. “It points to a lack of oversight by customers.”

CORL reported that 60 percent of vendors within the healthcare industry did not have a dedicated security leader, and that’s a concern, given that outsourcing by payers and providers is on the rise. “They’re starting to rely on the vendors more and more for a greater range of technology services,” Baker said.

Photo: Flickr user Nick Carter
