A new CORL Technologies report also highlights that healthcare organizations are failing to hold vendors accountable for meeting minimum acceptable standards or otherwise mitigate vendor-related security weaknesses.
“The average hospital’s data is accessible by hundreds to thousands of vendors with abysmal security practices providing a wide range of services,” said Cliff Baker, CEO, Corl Technologies. “When healthcare and industry organizations don’t hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data.”
These new findings are critical to addressing the growing number of security incidents at companies attributed to partners and vendors – which increased from 20% in 2010 to 28% in 2012 according to PWC in its “Viewpoint on Vendor Risk Management” (November 2013). Building on this problem, the PWC “US State of Cybercrime Survey” (June 2014) highlights that business partners fly under the security radar: only “44% of organizations have a process for evaluating third parties before launch of business operations” and only “31% include security provisions in contracts with external vendors and suppliers.”
The Vendor Intelligence Report, which kicks off a new series of studies to be published by the CORL research team, is based on the analysis of security related practices for a sample of over 150 vendors providing services to leading healthcare organizations from June 2013 to June 2014. CORL researchers analyze the people, process and technical practices of these organizations. Leading providers and health plans use CORL to provide risk scorecards and ongoing monitoring of information protection practices of vendors.
The four key trends and supporting data that emerged from the analysis include:
The majority of healthcare vendors lack minimum security practices to protect data
- Fifty-eight percent of vendors scored in the “D” grade range and 8% scored in the “F” grade range, meaning there is a lack of confidence based on demonstrated weaknesses with their culture of security. In fact only 4% of vendors scored in the “A” high confidence grade range. 16% scored in the “B” moderate confidence grade range and 14% scored in the “C” indeterminate confidence grade range.
- Even more surprising, healthcare organizations are not holding vendors accountable for meeting even the minimum acceptable standards. Only 32% of vendors have security certifications. Typical certifications include FedRAMP, HITRUST, ISO 27001, SSAE-16, SOC 2 and 3.
- An average hospital’s data is accessible by hundreds to thousands of vendors providing a wide range of services: from business services, consulting, claims processing and education to Electronic Health Record (EHR), healthcare and medical supplies technologies and products to network and security software.
- Over fifty percent of vendors providing services to an average healthcare organization are small to medium sized businesses with less than 1000 employees.
- According to Symantec’s 2014 Internet Security Threat Report, targeted attacks aimed at Small Businesses accounted for “30 percent of targeted spear-phishing attacks”.
- Vendor due diligence by healthcare organizations is not aligned with risks. Most healthcare organizations focus due diligence on their largest vendors - yet over half of breaches are attributed to small businesses.
- In fact most organizations do not have a risk program in place at all and executives are not appropriately made aware of the exposure or efforts to mitigate risk.
“Third-party breaches and regulations are increasing drastically in the healthcare industry, but effective third-party security risk management is expensive, time consuming, and resource intensive. CORL is in a unique position to have access to security data across the healthcare vendor ecosystem. We hope to use this information to illuminate gaps and provide recommendations to healthcare organizations and vendors alike that will help improve their risk management processes – and, ultimately, improve their overall security and risk posture,” added Baker.