Healthcare’s Third Party Cyber Risk Management Issue


What do Target, Home Depot and Goodwill have in common? If you guessed that they all suffered large and embarrassing data breaches due to a 3rd party supplier/vendor, then pat yourself on the back for knowing at least a little about data breach trivia.

All joking aside, for many security leaders these breaches have put a spotlight on the fact that an organization’s cyber security program is only as good as the weakest link in its supply chain.

By law healthcare providers and other covered entities must require their Business Associates (BAs), and the BA’s subcontractors, to implement the HIPAA Security Rule requirements and adequately safeguard all Protected Health Information (PHI) in their custody. Most of the organizations that we talk to are fully aware of these issues and have well written Business Associate contracts in place. Even so, many still struggle to effectively manage their 3rd party risk due to the fact that they lack any meaningful visibility into their BAs’ security and compliance management programs.

Part of the challenge is that beyond a signature on a contract, organizations still don’t have any real assurance that their suppliers are actually doing what they should be doing. Furthermore, most healthcare providers’ security and compliance teams are already stretched thin and lack the resources (and possibly the legal authority) required to conduct security reviews and risk assessments of their BAs. A recent Protiviti study on 3rd party risk management concluded that many organizations lack 1) the skills and expertise, and 2) the right tools and processes to effectively manage their 3rd party risk.

The bottom line is that every Healthcare Provider relies on an ever-changing ecosystem of dozens or even hundreds of business partners to provide cost-effective care to their patients. These partners provide a wide range of business, IT, and medical services that require Providers to share vast amounts of protected information and often to provide direct access to their networks and systems. At a business level, these relationships rely on some level of trust between both parties. That said, these relationships can represent a significant amount of risk to a Provider, making it prudent for all organizations to adopt a “Trust but Verify” strategy when it comes to 3rd party risk management. Given the challenges they face, Providers need a cost-effective way to improve their 3rd party risk visibility, and to receive ongoing assurances from their partners that they are keeping their security and compliance programs up to date.


References:
1. Breaches Affecting More than 500 Individuals | HHS.gov
2. Business Associate Contracts | HHS.gov
3. 2015 Vendor Risk Management Benchmark Study
