The majority of healthcare vendors lack minimum security, with more than 58 percent scoring in the “D” grade range for their culture of security, according to a new Vendor Intelligence Report from CORL Technologies, a provider of Vendor Security Risk Management (VSRM) solutions.
The report also highlights that healthcare organizations are failing to hold vendors accountable for meeting minimum acceptable standards or otherwise mitigate vendor-related security weaknesses.
“The average hospital’s data is accessible by hundreds to thousands of vendors with abysmal security practices providing a wide range of services,” said Cliff Baker, chief executive officer, CORL Technologies. “When healthcare and industry organizations don’t hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data.”
These new findings come as a growing number of security incidents at companies are attributed to partners and vendors, increasing from 20 percent in 2010 to 28 percent in 2012, according to PwC in its “Viewpoint on Vendor Risk Management” (November 2013).
Building on this problem, the PwC “US State of Cybercrime Survey” (June 2014) highlighted that business partners fly under the security radar: only “44 percent of organizations have a process for evaluating third parties before launch of business operations” and only “31 percent include security provisions in contracts with external vendors and suppliers.”
The Vendor Intelligence Report, which kicks off a new series of studies to be published by the CORL research team, is based on the analysis of security-related practices for a sample of over 150 vendors providing services to leading healthcare organizations from June 2013 to June 2014.
The report found that the majority of healthcare vendors lack minimum security practices to protect data, and that healthcare organizations are unaware of all the vendors that have access to their data.
It also found that healthcare organizations have an overwhelming number of small vendors to manage, and that existing practices at healthcare organizations do little to mitigate vendor-related security weaknesses.