Managing Third-Party Information Security Risk

Clinical laboratory provider Quest Diagnostics recently acknowledged that a billing collections vendor it works with suffered a data breach on its web payment system that may have exposed information of nearly 12 million of Quest’s patients.

The third-party company, Elmsford, N.Y.-based American Medical Collection Agency (AMCA), is contracted with Optum360 LLC, which in turn provides payment services to Quest.

This breach report once again shines a light on the information security concerns that come into play as electronic protected health information (ePHI) flows from covered entity to business associate.

Healthcare providers are increasingly outsourcing key business processes to third-party service providers, while also adopting new cloud-based technologies for initiatives such as telehealth, remote patient monitoring, and data analytics. As a result, they are sharing more ePHI with business associates than ever before.

Bad actors have come to realize that they can more easily get to a healthcare provider’s sensitive data by launching cyber attacks on these business associates rather than the provider itself. Recent data has shown that third-party vendors working with healthcare provider organizations accounted for more than 20 percent of breaches in the healthcare sector in 2018[1].

When it comes to vendor security practices, there are several issues that may put the client’s patients’ ePHI at risk.

Many covered entities and business associates either don’t understand what is required to meet the HIPAA Risk Analysis requirement and/or simply elect not to perform the risk analysis. Those that don’t understand the requirement often confuse it with a controls gap assessment, or perform the risk analysis at such a high level that they fail to identify risks to specific systems or components, which then go insufficiently protected. Those that simply choose not to perform the risk analysis are demonstrating willful neglect in their compliance with HIPAA’s Security Rule.

In this case, we don’t know if AMCA performed a risk assessment and/or if they were aware of the risks associated with their payment website. What is clear is that either they were unaware of the risks, or they knew about the risks and chose to accept them, and/or they implemented controls that were insufficient, implemented incorrectly, or not functioning as planned.

It is important that when an organization elects to use a third party, they do their due diligence and understand the risk associated with using that particular vendor. In addition to signing a business associate agreement, leading organizations now typically require third parties with whom they contract to answer security questionnaires describing in some detail their IT security program and in some cases also require the vendor to have regular testing of its security controls performed by an independent organization.

Unfortunately, these efforts often place third-party vendors in a conflicted position.

On the one hand, they need to sign deals in order to stay in business. On the other, in order to make the deal, they must respond to the security questionnaires in a favorable way. As a result, there is an incentive to cast the organization’s security posture in as good a light as possible. Under these circumstances, it is very easy to cross the line into a misrepresentation. Leaders at third-party vendors need to be aware of this issue as do their clients.

Security as a differentiator

To avoid this dilemma, we find leading vendors are now using security as a differentiator. They are actively making the investment and taking the steps necessary to implement, test and document strong security controls. In so doing, they demonstrate to potential and existing customers that working with them poses less risk than working with a competitor.

[1] Source: https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018

Can you trust your business associates to safeguard your patients’ private information the same way you do?
