Many business associates not ready to meet HITRUST standard to protect patient data

Two-thirds of healthcare business associates are not prepared to meet the Health Information Trust Alliance's (HITRUST) data security standard for protecting the protected health information (PHI) of providers' patients, a new survey finds.

EHR vendors, including cloud service providers, are treated as business associates under HIPAA and are required to take steps to keep a covered entity's PHI secure. The HITRUST Common Security Framework (CSF) is a privacy and security framework that lets organizations that create, maintain, transmit or receive PHI assess the readiness and soundness of their environment. Because HIPAA does not prescribe specific controls for keeping PHI private and secure, adopting the HITRUST standard is one way to demonstrate that the requirement is being met.

Organizations can demonstrate their readiness through either a HITRUST CSF examination or a HITRUST CSF certification, both of which “enable vendors to communicate their good faith effort to protect patient information,” Emily Frolick, third-party risk and assurance leader for KPMG's Healthcare practice, says in an announcement. KPMG conducted the survey.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers ... the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts," Frolick adds.

However, the survey of 604 professionals finds that 50 percent are “not prepared” and another 17 percent have a plan but have yet to implement it. Only 7 percent said they are “completely ready,” and 8 percent are “well along in implementation.”

A further 17 percent are still in the planning stages.