More than half of electronic health record (EHR) vendors—58 percent— scored in the "D" grade range for their culture of security, according to a report from Corl Technologies, an Atlanta-based security risk management solution provider.
The report reveals that the majority of healthcare vendors lack minimum security, and also highlights that healthcare organizations are failing to hold vendors accountable for meeting minimum acceptable standards or otherwise mitigate vendor-related security weaknesses.
The Vendor Intelligence Report is based on the analysis of security related practices for a sample of more than 150 vendors providing services to leading healthcare organizations from June 2013 to June 2014. According to the report, 8 percent of vendors scored in the “F” grade range, meaning there is a lack of confidence based on demonstrated weaknesses with their culture of security. In fact, only 4 percent of vendors scored in the “A” high confidence grade range; 16 percent scored in the “B” moderate confidence grade range; and 14 percent scored in the “C” indeterminate confidence grade range. Additionally, just 32 percent of vendors have security certifications such as FedRAMP, HITRUST, ISO 27001 and SSAE-16, the report found.
These new findings are critical to addressing the growing number of security incidents at companies attributed to partners and vendors—which increased from 20 percent in 2010 to 28 percent in 2012, according to a PricewaterhouseCoopers (PWC) report in November 2013. And a 2014 PWC report found that business partners fly under the security radar: only “44 percent of organizations have a process for evaluating third parties before launch of business operations” and only “31 percent include security provisions in contracts with external vendors and suppliers.”
“The average hospital’s data is accessible by hundreds to thousands of vendors with abysmal security practices providing a wide range of services,” Cliff Baker, CEO, Corl Technologies, said in a statement. “When healthcare and industry organizations don’t hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data.”
