Third-Party Risk Management Actions to Avoid Data Breaches

The following is a guest article by Aaron Kirkpatrick, CISSP, CRISC, CIPM, GCIH, GCCC, Chief Information Security Officer at Venminder.

Without a doubt, the healthcare industry is growing and thriving. It is one of the world's largest and fastest-growing industries, and the global healthcare market is projected to reach $665.37 billion by 2028. As the industry grows, more service and operational needs arise, resulting in increased outsourcing and, with it, additional vendor risk.

It is not uncommon for vendors to have access to sensitive patient data, such as electronic health records (EHRs) and patient communications. Vendors and business associates with access to protected health information (PHI) should be treated as high-risk vendors, so you need to ensure they have processes in place to protect that data and to prevent attackers from compromising the systems that store and process it.

Consequences of a Vendor Data Breach

It is not a question of IF a vendor will be breached, but when. This matters because a vendor data breach can have serious consequences for your organization, not just for the vendor. Here are some examples:

  1. Fines or other monetary consequences
  2. Losing the confidence and trust of patients
  3. Increased regulatory scrutiny
  4. Reputational damage

Protecting Your Organization Through Third-Party Risk Management (TPRM) Actions

You may be wondering, "what can I do?" To protect your healthcare organization from cyberattacks, lost patient trust, reputational damage, and the other negative consequences of a data breach, third-party risk management is essential. An effective third-party risk management program ensures there are documented, comprehensive, and tested response plans in case of a cyberattack against you or one of your vendors. In the event of a breach, being prepared can greatly reduce the impact.

Below are six actions to take:

  1. Review your vendors' information security controls. Before signing a contract, and again as part of ongoing monitoring, review evidence of the controls in place: policies that govern actions, procedures around access and the storage and processing of data, and independent validation of those controls through third-party audit reports (for example, a SOC 2 report) and penetration test results. A vendor's self-attestation is not evidence; ask for the report.
  2. Ensure the vendor contractually agrees to notify you of a data breach as soon as possible, especially if it is a vendor with access to PHI. The HIPAA Breach Notification Rule requires business associates to notify the covered entity of a breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery; your business associate agreement (BAA) should set a tighter notification deadline than that regulatory ceiling so you have time to meet your own obligations.
  3. Identify various scenarios and plan your course of action for each. If an attack is launched against your healthcare organization or one of its vendors, your response should already be written down, not improvised.
  4. Plan your communication strategy. Your team, especially those involved in vendor risk management, needs to know whom to contact and when. You must also develop a patient communication plan, outlining what needs to be said and when. This is essential to maintaining a good reputation.
  5. Establish a response team, such as an incident management team. Ensure it works closely with senior management, vendor risk management, business owners, legal and privacy staff, and anyone else who needs to be involved.
  6. Be sure to follow through with your plan. Exercise it before you need it (a tabletop exercise that walks through a vendor breach scenario is a good start) and execute it when an incident occurs. This is what protects your organization's reputation.

Even though you cannot prevent every breach, third-party risk management, and developing your response plan early, can help your organization avoid many potential breaches and limit the impact of the ones you cannot prevent. Strong third-party risk management practices make protecting patient and organizational data much easier.

About Aaron Kirkpatrick

Aaron is a Certified Information Systems Security Professional (CISSP) who has acquired a wide range of organizational, technical, and compliance knowledge, applying it within the data center and financial institution services sectors. He has created and successfully led security, risk, and audit programs, including SOC engagements, for data centers and a financial application company, before transitioning to Internal Audit at one of the largest financial system providers.

He has paired a technical degree in Network Administration and Engineering with a Bachelor’s degree in Management Information Systems. Relevant professional certifications include: ISACA’s Certified in Risk and Information Systems Control (CRISC), Certified Information Privacy Manager (CIPM), GIAC Certified Incident Handler (GCIH), and GIAC Critical Controls Certification (GCCC).

Venminder is a proud sponsor of Healthcare Scene.
