CORL’s Analysis Reveals Critical Gaps in IT Security Certification Upkeep Among Vendors Servicing Health Systems and Health Plans

ATLANTA – Jan. 17, 2017 – CORL Technologies (CORL) today announced the identification of a significant lack of security practices leading to potential risk across thousands of health industry business associates (BAs) compared with companies servicing other industries. Using the health industry’s largest database of 30,000 vendors, CORL’s analysis found only 26 percent of health information technology (HIT), medical device and outsourced service BAs possess a security certification, including HITRUST, SOC 2 Type 2, ISO 27001 and FedRAMP.

CORL is a SOC 2 Type 2 certified IT security vendor risk management firm with headquarters in Atlanta. The company’s expert research analysts assess vendor security practices and recommend security strategies and solutions.

“Large health systems and health plans rely heavily on BAs. Many maintain a roster of hundreds to thousands of vendors with access to protected health information. This means more third-party vendors than ever have access to a covered entity’s data,” said Cliff Baker, CORL’s CEO. “Without the proper security certifications in place, a security breach experienced by only one business associate or its subcontractors could result in a damaged reputation, substantial regulatory penalties and breach remediation costs in the millions of dollars.”

CORL’s research reflects the most extensive and unique data analysis of its type. The company sampled the certification status of 1,000 vendors from CORL’s database of more than 30,000 health industry BAs.

“Our research clearly indicates a wake-up call that valuable patient data is not secured properly and vigilantly, and remains at high risk,” Baker said. “Hospitals, health systems, payers and other providers must implement risk assessment and management strategies for their BAs to mitigate and defend against future breach attacks.”

Two CORL clients employed at the same mid-size health system located in the Midwestern U.S. offered these comments:

“We impose contract obligations with our BAs to keep our data secure, and consider certifications a strong indicator of commitment to data protection. In fact, vendor certification is a major buying decision for us,” said the manager of information systems services.

According to the director of internal audit and corporate compliance, “Few vendors have certifications yet, so we are unable currently to make it a contractual requirement. However, we rely on CORL to engage the vendors and push certifications and risk remediation activities. It’s a slow move, but a shift is definitely occurring across the health industry.”

Key findings from CORL’s research are as follows:

  • Covered entities are not holding BAs accountable for investing in security.
    • Sixty percent of health industry vendors surveyed lack a dedicated security leader.
    • More than 50 percent of a health system's vendors are small, and the certification rate typically drops to about 5 percent for these types of companies.
    • Many certifications provided by vendors do not relate to protecting PHI, such as SSAE-16 and PCI.
  • Health industry vendors fall behind significantly in investing in and maintaining security certifications compared with vendors servicing other industries.
    • Non-health-specific companies such as Microsoft, Oracle, IBM and Google have multiple certifications including a combination of ISO, FedRAMP and SOC 2. Some are pursuing HITRUST and other health industry certifications. Microsoft Azure announced Jan. 3 that it is now HITRUST CSF Certified. The HITRUST Certification is one of the most widely recognized security accreditations in the health industry.
    • By contrast, there is no consistency in certifications for many other HIT and outsourced services companies, and 74 percent of BAs lack relevant security certifications.
  • Relevant certifications most often adopted by vendors servicing health industry providers and insurers:


Type of Certification | Percent Adopted by Vendors

ISO 27001: 2013

1 Observing significant growth in healthcare
2 Not relevant to protecting PHI

“We believe a greater level of transparency in the relationship among providers, payers and vendors is achievable through adherence to industry standards, comprehensive security frameworks, and the attainment of their related certifications,” said Baker.

Baker recommends the following guidelines for hospitals, health systems, payers and BAs: 

  • Covered entities must take regulatory responsibility to understand the security risk to PHI created, received, maintained or transmitted by hired vendors and their subcontractors.
  • Security certifications give reasonable assurance about the safeguards in place to protect the data, and better determine risk and the related risk management plans to adopt.
  • A security certification is not a guarantee for security. It is, however, essential in helping organizations understand the safeguards in place to protect PHI.

About CORL Technologies

CORL Technologies in Atlanta is a leading provider of vendor security risk management solutions. The company was founded in 2012 to address the immediate need for vendor security intelligence. CORL’s Vendor Security Risk Management solutions are delivered as a managed service and are supported by expert research analysts who collaborate with an intelligence sharing community. With CORL, hospitals, health systems and payers can monitor risk with third-party vendors, ease compliance audits, and improve executive communications and risk-analytics reporting. Visit CORL at or follow on Twitter and LinkedIn.

# # #