In 2023, the healthcare industry experienced the most data breaches since 2009. Healthcare organizations also continue to be the most common victims of third-party data breaches, with most of the breaches resulting from hacking.
While third-party vendors provide essential services to healthcare organizations – think: IT services, clinical support, data management, supply chain logistics, and more – they also present security risks that IT leaders in healthcare must carefully manage through comprehensive vetting and regular assessments.
In fact, several of the biggest data breaches in healthcare history were the result of third-party incidents, such as the breach at Medical Informatics Engineering (MIE), a developer of electronic medical record software, which impacted at least 11 of its healthcare provider clients.
Vetting Third-Party Vendors
Healthcare organizations can’t function without third-party partners. But these vendors also create a greater attack surface – more ways for bad actors to access systems or data.
When vetting a new third-party vendor, consider key areas like business continuity, data security, and compliance with major frameworks like HIPAA and PCI-DSS.
Then, start with the obvious questions: What systems or data will the vendor truly need access to? What will happen if they go down or services are interrupted? How do they ensure compliance with HIPAA? Who on their team will have access to PII and PHI, and how do they enforce access control?
Say your billing contractor says they need access to patient records – it seems like a reasonable request. It’s still crucial to investigate who will access your data and how, both to confirm compliance and security and to ensure your vendor restricts access to the strictest need-to-know basis.
But don’t stop there: Vet each potential vendor by evaluating its business practices, financial health, and security controls. Set clear expectations regarding compliance and security, and ask to review all relevant security policies, including the vendor’s business continuity plan.
Once you have determined what factors are most vital in the vetting process, develop a framework to use consistently for third-party risk management.
Developing Contracts
Once you have successfully vetted your vendor, involve your legal and compliance experts to develop a clear-cut contract that protects data and adheres to HIPAA, PCI-DSS, and any other applicable frameworks.
Your contract should also include an agreed-upon offboarding process to terminate access to systems and data when the contract ends.
Following signature, establish a regular cadence of meetings with your third-party vendor and make sure there is an open channel to communicate risks or incidents in real time.
Create Open Communication and Effective Assessment Processes
In addition to continuous monitoring measures, it’s critical to implement a regular assessment schedule (monthly, quarterly, yearly – decide based on your vendor’s level of access and their criticality) so that any issues are rapidly brought to light.
The depth of your assessments should be tied to the sensitivity of the data the vendor is handling, the criticality of its operations, and the level of integration into the organization. As part of the assessment, make sure that if an issue is found, there is a mechanism to rapidly track and remediate the issue.
When it comes to cybersecurity, no amount of oversight is too great. If the prospect of third-party risk management feels daunting, engage a managed services provider specialized in healthcare to help you navigate its complexities and strengthen your defenses against threats.
As healthcare organizations continue to digitally transform and face increasing risks, managing and responding to third-party vendor risk must be top-of-mind for IT and operational leaders.
Third-party risk management is just one of the many cybersecurity concerns healthcare leaders share. At TPx, we get it. Get in touch with our experts to get started.