Vendors always have been one of the most worrisome parts of HIPAA security because hospitals and health systems must rely on them for the appropriate technological and physical security for protected data — without the ability to dictate exactly how.
Research shows that those fears are well founded, with many health organizations experiencing an increase in investigations and fines from HHS that are related to poor vendor HIPAA security. A study from the Ponemon Institute, a research organization in Traverse City, MI, that addresses data protection and information security practices, found that health systems are increasingly worried about their reliance on third-party medical devices and how they could compromise protected health information (PHI).
Seventy-two percent of respondents said they believe the increasing reliance on third-party medical devices connected to the internet is risky; 68% expressed similar concerns about connecting medical devices to the cloud.
Risk management processes are not keeping pace with cyber threats and vulnerabilities, according to two-thirds of those surveyed. Sixty-three percent also said their security efforts cannot keep pace with the growing use of digital applications and devices. (The report is available online at: https://bit.ly/2SCDSg4.)
One of the more interesting findings was that 56% of respondents had experienced a third-party data breach in the past two years, says Ed Gaudet, CEO of Censinet, a company based in Boston that provides risk management software for healthcare organizations. Earlier research had suggested lower rates of third-party vendor breaches. “It’s kind of amazing that there is all of this money going into healthcare data security; yet, the data breaches are still trending upward. If you just look at this year alone, in the first half of the year we’ve already had breaches affecting more records than in all of last year,” Gaudet says. “We think the attack surface, the cumulative measure of the points where someone can try to gain access, is actually getting bigger, not smaller.”
In years past, the attack surface was on software and hardware that you controlled in your data center, Gaudet explains. That has changed dramatically in recent years, he says.
“Now, it’s the Wild West. So much of your business processes are being outsourced and your data is hosted in the cloud. It is a completely different attack surface from just five years ago,” Gaudet says. “We think the problem is going to get bigger. The risk analysts are woefully unprepared for this because a lot of their risk processes are manual or ad hoc, taking a lot of time.”
Assessments Seen as Costly
At the same time, healthcare organizations are feeling the need to draw skilled digital security professionals to other pressing needs rather than have them spend so much time on verifying vendor security, Gaudet says.
A troubling finding in the Ponemon report was that 76% of healthcare organizations see their vendor risk assessments as costly, inefficient, and having no effect on reducing exposure to a breach, says Larry Ponemon, PhD, chairman and founder of the Ponemon Institute. He also was concerned to see that a majority of respondents thought senior executives in their organizations were allowed to skip the vendor risk assessment when they wanted to secure a lucrative business deal.
Ponemon also notes that 54% of respondents said they were at risk of a data breach because they could not complete a risk assessment of all vendors.
That shortcoming may be even worse than it appears because those in charge of HIPAA security may not even know all the vendors who potentially can access PHI.
“Healthcare is so complex that there can be an enormous number of vendors and third parties involved. In some cases, their access to secure data is not so obvious. If you don’t know they even have that access, you don’t put them in the process for risk assessment,” Ponemon says. “Organizations are not doing all they can do create a safe and secure environment for protected data. A portion of that is due to the organizational culture that does not make this a priority.”
There also is a significant budget gap to address, Gaudet says. The survey respondents said they need 2.5 times their current budget to adequately address the data security threats from third-party vendors.
Little Confidence in Effectiveness
Gaudet also calls attention to how many study participants assessed the effectiveness of their vendor security procedures. There was a big disconnect between how important they consider those procedures and how effective they think they actually are.
“We asked about the importance of data breach response procedures, and everyone said they were very important, but they didn’t consider their own response procedures very effective,” Gaudet explains. “The same result came from things like prior authorization of vendor risk, with a great majority saying it was very important, but only 36% of them saying they are doing it effectively.”
Ponemon suggests that risk managers and other healthcare leaders use the data to push for more resources and a better buy-in from upper management when discussing the need for data security.
Gaudet agrees, saying the data give risk analysts and IT professionals the information they need to make the business case for a more robust vendor risk assessment program, which may include upgrades in staffing and technology.
Cloud apps and connected devices have increased the risk of data breaches sharply, leaving some IT professionals and HIPAA compliance leaders feeling unable to keep up, Gaudet says.
“Cloud apps have been expected, but the connected devices have surged quickly with more and more consumer-connected devices and the internet of things. When you combine that with the increased attacks and vulnerability, you have a perfect storm of factors coming together for professionals responsible for protecting organizations from a data breach,” Gaudet says. “That is what is what is driving a lot of the pressure and anxiety in healthcare organizations.”