Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/17/2009
02:43 PM
50%
50%

Healthcare Affiliates Unprepared For Data Breaches

Patient privacy is at risk from the companies that healthcare providers do business with, study says.

Companies that do business with healthcare providers, including accounting firms and offshore transcription vendors, are unprepared to meet data breach obligations included in new federal regulation, according to a survey released Tuesday.

The survey by Healthcare Information and Management Systems Society (HIMSS) Analytics, commissioned by security vendor ID Experts, looked at preparedness for healthcare providers business partners, such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, and temporary office personnel providers.

The survey gauged the readiness of companies to comply with the security provisions of the Health Information Technology for Economic and Clinical Health Act, a component of the U.S. American Recovery and Reinvestment Act of 2009.

About a third of business associates were not aware they needed to comply with security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). By comparison, 87% of health providers are aware.

"Despite an increase in risk assessments conducted, data breach is on the rise and patients are at a high risk level for medical identity theft and fraud where an unknown person will use an identity to illegally receive benefits or services," said Bob Gregg, CEO of ID Experts, in a statement.

"Business associates could represent a risk to healthcare organizations, especially hospitals," said Lisa Gallagher, senior director for privacy and security for HIMSS, in a statement. "The lack of awareness of new federal regulations by business associates coupled with the large number of third parties hired by hospitals to control costs through outsourcing, points to a potential area of concern. Hospitals, in partnership with their business associates, need to actively prepare to comply with the new rules when these breaches happen."

Other findings of the survey:

  • 85% of health providers say they'll take steps to protect data held by business associates.
  • Some 47% of hospitals say they'll terminate contracts with business associates for violations.
  • Some 50% of big hospitals had at least one data breach this year.
  • Some 68% of all hospitals said HITECH's expanded breach notification requirements will lead to discovery and reporting of more incidents. Some 57% said they now have a greater level of awareness of dataw breaches and breach risk.
  • Some 90% said they've already changed, or plan to change policies and procedures to prevent and detect data breaches.

The full survey is available on the ID Experts Web site.



Blue Cross of Northeast Pennsylvania, the University of Louisville School of Medicine, and a range of large and small healthcare providers are using mobile apps to improve care and help patients manage their health. Find out how. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3350
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
CVE-2011-3352
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.