
Two-Thirds Of Business Associates Not Fully Prepared For HITRUST Healthcare Data Security Standard: KPMG Survey


Nearly half don’t have qualified staff to execute against HITRUST CSF provisions



Two-thirds of business associates are not fully prepared to meet the growing marketplace demands regarding controls for protecting healthcare information, such as patient records, according to a survey conducted by KPMG, the “big four” audit, tax and advisory firm.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” said Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice. “These vendors are able to accomplish this through a SOC 2® + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick added.

In a survey of 604 professionals during a KPMG webcast targeting vendors to the healthcare industry, half of those surveyed were “not ready” and 17.4 percent were in planning stages for a HITRUST (the Health Information Trust Alliance) CSF assessment – an internal control-based approach that allows organizations to proactively assess and demonstrate the measures they have taken to protect healthcare information.

The HITRUST CSF is a privacy and security framework for organizations that create, maintain, transmit or receive PHI to assess the readiness and soundness of their control environment. The framework, in conjunction with SOC 2, a report developed by the American Institute of Certified Public Accountants (AICPA) to examine controls at a service organization, is also used by third-party assessors, such as KPMG, to review security controls.

KPMG, which is a HITRUST Qualified CSF Assessor, assists organizations across the security and information protection lifecycle from strategy through execution. The firm also assists organizations to rationalize healthcare-relevant regulations and standards pertaining to information protection.

7 percent HITRUST ‘ready’

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent said they are completely ready and 8 percent described their organization as “well along implementation.” The remainder (17.4 percent) were in early stages of implementation.

When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” The survey found 53 percent did. Respondents found that staffing (15 percent) was the biggest barrier to HITRUST CSF readiness, finishing ahead of cultural, technological, and financial concerns. More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.

KPMG compiled the survey results during a webcast titled “Evolving Information Security Demands in Healthcare – SOC 2® + HITRUST” on Aug. 23, in which HITRUST Chief Compliance Officer Ken Vander Wal and KPMG partners and professionals spoke about meeting healthcare organizations’ expectations and obtaining a SOC 2 attestation covering AICPA trust services principles and HITRUST CSF criteria.

Building upon Forrester top ranking

Forrester Research listed KPMG as the top firm in cybersecurity in 2016. KPMG also developed and conducted audits and set criteria to comply with the Health Insurance Portability and Accountability Act (HIPAA), which governs information protection and privacy of patient data.

KPMG’s role as a HITRUST Qualified CSF Assessor looks at both risk and compliance requirements to address security, availability, and confidentiality control baselines for healthcare organizations. “It is critical that every organization move quickly to receive a third-party assessment for peace of mind and to show their business partners and stakeholders that they are safeguarding PHI,” said Michael Ebert, cyber leader for KPMG’s Healthcare Practice.


KPMG LLP, the audit, tax and advisory firm, is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 174,000 professionals, including more than 9,000 partners, in 155 countries.


Bill Borden
