Survey: 26% of health IT, medical device business associates have security certification

Health industry vendors invest in and maintain security certifications at lower rates than other industry vendors, according to a CORL Technologies report.

Health systems and health plans often contract with hundreds of business associates, according to CORL Technologies. Many of these associates have access to protected health information, meaning that a security breach at a vendor could significantly impact the healthcare organization itself.

For this report, the Atlanta-based vendor security risk management solution provider analyzed 1,000 vendors from its database of more than 30,000 health industry business associates.

Here are three things to know.

1. Vendors in non-healthcare industries — such as Microsoft, Oracle, IBM and Google — have multiple certifications, including a combination of those offered by International Organization for Standardization, Federal Risk and Authorization Management Program and Service Organization Controls.

2. However, there is limited consistency in certifications for health IT and outsourced services. Only 26 percent of health IT, medical device and outsourced service business associates have a security certification, suggesting that 74 percent of these organizations are at risk for a breach.

3. The relevant certifications that are often adopted by health industry vendors include: Statement on Standards for Attestation Engagements No. 16 (24 percent), PCI (23 percent), International Organization for Standardization 27001:2013 (19 percent) and Service Organization Controls 2 (18 percent).

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
