Managing Third-Party Information Security Risk

Clinical laboratory provider Quest Diagnostics recently acknowledged that a billings collections vendor it works with suffered a data breach on its web payment system that may have exposed information of nearly 12 million of Quest’s patients.

The third-party company, Elmsford, N.Y.-based American Medical Collection Agency (AMCA), is contracted with Optum360 LLC, which in turn provides payment services to Quest.

This breach report once again shines a light on the information security concerns that come into play as electronic protected health information (ePHI) flows from covered entity to business associate.

Healthcare providers are increasingly outsourcing key business processes to third-party service providers, while also adopting new cloud-based technologies for initiatives such as telehealth, remote patient monitoring, and data analytics. As a result, they are sharing more ePHI with business associates than ever before.

Bad actors have come to realize that they can more easily get to a healthcare provider’s sensitive data by launching cyber attacks on these business associates rather than the provider itself. Recent data has shown that third-party vendors working with healthcare provider organizations accounted for more than 20 percent of breaches in the healthcare sector in 2018 [1].

When it comes to vendor security practices, there are several issues that may put the client’s patients’ ePHI at risk.

Many covered entities and business associates either don’t understand what is required to meet the HIPAA Risk Analysis requirement or simply elect not to perform the risk analysis. Those that don’t understand the requirement often confuse it with a controls gap assessment, or perform the risk analysis at such a high level that they fail to identify risks to specific systems or components, which then go insufficiently protected. Those that simply choose not to perform the risk analysis are demonstrating willful neglect in their compliance with HIPAA’s Security Rule.

In this case, we don’t know whether AMCA performed a risk assessment or whether it was aware of the risks associated with its payments website. What is clear is that either it was unaware of the risks, knew about the risks and chose to accept them, or implemented controls that were insufficient, implemented incorrectly, or not functioning as planned.

It is important that when an organization elects to use a third party, they do their due diligence and understand the risk associated with using that particular vendor. In addition to signing a business associate agreement, leading organizations now typically require third parties with whom they contract to answer security questionnaires describing in some detail their IT security program and in some cases also require the vendor to have regular testing of its security controls performed by an independent organization.

Unfortunately, these efforts often place third-party vendors in a conflicted position.

On the one hand, they need to sign deals in order to stay in business. On the other, in order to make the deal, they must respond to the security questionnaires in a favorable way. As a result, there is an incentive to cast the organization’s security posture in as good a light as possible. Under these circumstances, it is very easy to cross the line into a misrepresentation. Leaders at third-party vendors need to be aware of this issue as do their clients.

Security as a differentiator

To avoid this dilemma, we find leading vendors are now using security as a differentiator. They are actively making the investment and taking the steps necessary to implement, test and document strong security controls. In so doing, they demonstrate to potential and existing customers that working with them poses less risk than working with a competitor.

[1] Source: https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018

Can you trust your business associates to safeguard your patients’ private information the same way you do?
