As a provider organization, we have relationships with third-party vendors (labs, insurance companies, referral physicians, etc.) because they handle our patients' information. But what happens when the following occurs:
- A third-party vendor has a breach, and we find out via the news media.
- How many third-party vendors have access to our data, and what kind of access do they have?
- Who are the indirect vendors for our organization?
The key question is: how is our patients' PHI processed and accessed by third-party vendors? Not knowing the answer can negatively impact our business performance.
PwC's 2015 US State of Cybercrime Survey found that 23% of organizations do not evaluate their third-party vendors. The HIPAA rules obligate a covered entity to monitor the activities of its vendors. The law also states that an organization must monitor any owner of a vendor entity with more than a 5% stake in the company.
Like most organizations, providers rely on the Business Associate Agreement (BAA). A HIPAA BAA is a contract between a HIPAA-covered entity and a HIPAA business associate (BA). The contract requires that personal health information (PHI) be protected in accordance with HIPAA guidelines, and it outlines the privacy and security assurances the BA provides.
The provider organization also remains liable for the inherent risk of the third-party vendors that process its PHI.
The current reality is that many provider organizations do not monitor their vendors, citing the BAA as their protection. The reasons given for not monitoring are resources: time, people and money. Sometimes the vendor does not allow monitoring, or the organization is confident enough in the vendor not to. Another factor is the cost of aggregating vendor cyber security data from different systems and monitoring it, which is seen as prohibitive.
Where to Start?
As part of due diligence, many organizations run a D&B (Dun & Bradstreet) report on the vendor. This should be augmented with other documents:
- A cyber breach survey / gap analysis
- Current policies and procedures, etc.
The goal is to capture the vitals of the third-party vendor's organization. Based on that data, a decision needs to be made about the overall risk rating of the vendor. Monitoring should then be scaled to the level of risk the vendor presents to the covered entity (for example, a hosting vendor versus a lab or a referral practice).
It only takes one third-party breach for a hacker to reach your network, and most companies have thousands of vendor relationships.
At MindLeaf (www.mindleaf.com) we have been protecting patient privacy by ensuring that providers have the right policies, procedures and tools to monitor privacy and manage vendor risk.
At MindLeaf (www.mindleaf.com) we have also been conducting a Healthcare Breach Security Assessment for healthcare and life sciences organizations. The Breach Security Assessment is complimentary; it analyzes your current breach security posture and level of maturity.
Managing risk is hard, but successful vendor risk management is a key variable in the overall compliance of the provider organization. In short, an effective vendor risk management policy ensures that your vendors' mistakes and breaches do not become your organization's problem.
As former President Lincoln said, “I will prepare and someday my chance will come.”