5 Pain Points: Health-Care Providers Should Do A Partner Security Checkup

Health-Care Compliance Requires Partner Security Assessment

Many business partners serving the health-care industry lack the most basic of security practices, fail to protect personally identifiable information, and fall well short of the protections called for in HIPAA, according to a new report. Atlanta-based Corl Technologies, a maker of security risk management software, conducted an analysis of 150 health-care business partners that store, process or access protected health-care information provided by hospitals and health plans. Health-care organizations regularly assess their largest partners, but the Corl Technologies Vendor Intelligence Report found a lack of confidence in smaller and midsize partners, which sometimes lack certifications and have marginal knowledge of regulatory requirements.

Smallest Partners, Biggest Risk

The security practices of small and midsize health-care business partners are poorly documented, and any established policies are often loosely enforced, according to the report. Corl Technologies said 58 percent of small provider partners earned a "D" grade, demonstrating a weak security culture and minimal safeguards over data. Only 4 percent of business partners earned a high confidence grade in protecting personally identifiable information, according to the report. Larger business partners earned higher grades, the study found.

Partners Lack Security Certifications

Health-care organizations are failing to hold partners accountable by requiring security certifications, according to the analysis. Only 32 percent of the solution providers have security certifications, the study found. Health-care business partners that gain certification from the Health Information Trust Alliance can demonstrate they have met the security controls under the HITRUST security framework, according to Corl Technologies. Service Organization Control (SOC 2 and 3 reports), ISO 27001 and FedRAMP also help document a minimum level of security. But security experts warn organizations shouldn't rely on certification alone to measure their partners' security capabilities.

Unchecked Access To Electronic Health Records

The analysis found that health-care organizations are often unaware of all the partners that gain access to Electronic Health Record information, according to the report. Contractors and other business service providers view the health record to provide a wide range of services, from claims processing to health-care and medical supply technologies, according to the report. Risks increase substantially when access and privileges are not controlled and monitored for suspicious activity, Corl Technologies said. The widespread access could give criminals a larger attack surface to probe and a better chance of gaining unauthorized access to systems containing sensitive data. But more important, according to the report and a variety of industry reports, is the increased risk of a lapse in judgment or other mistake that exposes sensitive information.

Poor Visibility Leads To Breaches

More than half of the business partners providing services to health-care organizations are small and midsize companies, according to the report. Blind spots over those SMB partners can lead to costly mistakes or high-profile data breaches, the report found. The 2014 Verizon Data Breach Report found that 46 percent of all security incidents that targeted health-care organizations were associated with lost USB drives, paper files or backup disks. The report, which examined more than 63,000 security incidents, found that health-care organizations had more breaches than any other industry. In addition to lost records, insider misuse and miscellaneous errors accounted for nearly three-quarters of all security incidents at health-care organizations.

Risk Management Program Lacks Controls, Enforcement

The Corl Technologies report said health-care providers often aim their risk management strategies at their largest partners and fail to put in controls that would protect against lapses from smaller ones. "Most organizations do not have a risk program in place at all and executives are not appropriately made aware of the exposure or efforts to mitigate risk," the study found. Policies that are in place also lack enforcement measures, the report found. The Verizon data breach report said the impact from the thousands of security incidents at health-care organizations it reviewed could have been limited by a continuous monitoring program. Organizations should review user accounts, monitor system behavior, and consider taking steps to restrict sensitive data sent by email, such as data loss prevention.