Many business associates unprepared for security certification

A survey of 604 healthcare professionals—primarily providers, payers and vendors—finds that two-thirds of respondents believe that their business associates are not ready for security certification programs conducted by HITRUST.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing protected health information to manage their cyber and regulatory risks, especially since healthcare information is a risk target for hackers,” said Emily Frolick, third-party risk and assurance leader at the healthcare unit of KPMG, which conducted the survey.


Because many business associates are not ready, only 7 percent of responding healthcare organizations indicated their organization was fully ready for HITRUST certification, and 8 percent were “well along implementation,” according to KPMG. Another 17 percent were in early implementation stages.


Staffing challenges are hindering HITRUST certification, according to survey respondents, as 47 percent indicated they did not have the right staff and skills to meet certification standards. The staffing barrier even eclipsed common cultural, technological and financial concerns.

Respondents did see value in certification, with the largest benefits being assurances about overall security, standardized reporting, progress toward HIPAA compliance and better assessment of cyber security risks.

KPMG conducted the survey during a webcast in late August that included information on the HITRUST certification program.
