CORL Technologies analyzed the certification status of 1,000 vendors from the company’s database of nearly 30,000 health industry business associates and found that just 26 percent of BAs hold a security certification.
CORL said Tuesday its analysis also showed that 74 percent of health industry businesses lack security certifications related to health IT.
“Without the proper security certifications in place, a security breach experienced by only one business associate or its subcontractors could result in a damaged reputation, substantial regulatory penalties and breach remediation costs in the millions of dollars,” said CORL CEO Cliff Baker.
“Hospitals, health systems, payers and other providers must implement risk assessment and management strategies for their BAs to mitigate and defend against future breach attacks,” Baker added.
Sixty percent of surveyed vendors do not have a dedicated security leader; more than 50 percent of a health system’s vendors are small businesses; and five percent of small businesses possess security certification.
Companies that serve other industries, such as Microsoft, Oracle, IBM and Google, hold multiple certifications including ISO, SOC 2 and the General Services Administration's Federal Risk and Authorization Management Program, CORL found.
Baker called on healthcare companies to take on a regulatory responsibility to address risks facing personal health information that vendors and subcontractors create, receive, maintain or transmit.