Adopt Third-Party Risk Management to Protect Health System Data

The following is a guest article by Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder.

The growth of the healthcare industry has increased the use of third parties to provide competitive products and services, making healthcare data more vulnerable than ever. As attackers become more sophisticated and creative, phishing, denial of service (DoS), and malware are on the rise, and cyberattacks and data breaches originating with third parties are everywhere.

Recently, a large organization found itself the subject of a class action lawsuit after one of its medical record services vendors exposed the information of 65,000 patients. How was the data compromised? Patient data was disclosed by a vendor's employee for unauthorized training purposes. Even worse, the breach went undetected for months, and the organization failed to notify patients in a timely manner.

As technology evolves, malicious actors have more opportunities to attack and steal organizational and patient data. This means healthcare organizations need to ensure they have robust data protection controls in place and that their vendors do too.

4 Third-Party Risk Management Actions to Protect Health System Data

Data must be protected to the best of the organization’s ability. As a best practice, include the following in your third-party risk management process to protect health system data:

  1. Review the vendor's security processes and controls during vendor selection. Make sure you have a complete understanding of their procedures by performing due diligence. Once you understand their controls, you can determine whether they are adequate or whether additional controls are needed to protect health system data. At a minimum, look for authentication systems, intrusion prevention systems, and documented processes for breach notification and remediation.
  2. When reviewing and negotiating the contract, make sure you include data protection and notification clauses. Include a right-to-audit clause that allows you to request documentation as needed. You should also include breach notification clauses that require the vendor to notify you in a timely manner in the event of a breach.
  3. Maintain regular security training and awareness. Teach your employees and vendors how to recognize a phishing attack and provide instructions on the steps to take if they encounter one. Performing routine phishing simulations to test employees can help everyone remain aware and vigilant.
  4. Continuously monitor and assess your vendors' security plans. Although a vendor may seem secure initially, there is no guarantee it will remain that way. Information requests and assessments must be conducted on a regular basis.

It’s extremely important for health systems to adopt third-party risk management programs that protect their data from third-party breaches. You can use the third-party risk management process to evaluate your vendors’ security measures and to develop a framework for monitoring them consistently over time.

About Hilary Jewhurst

Hilary leads the advancement and promotion of third-party risk management best practices and solutions through thought leadership, subject matter expertise, and support for Venminder's customers, Marketing, Sales, and Third-Party Risk divisions. Hilary has served as a senior leader for over 20 years, working in operations management and risk management roles, with an emphasis on third-party risk. Hilary successfully built, improved, and managed enterprise-wide third-party risk management frameworks and programs for leading financial services companies. She has designed and developed training materials, reference guides, desktop procedures, job aids, checklists, and templates for a full spectrum of learning environments and learners, and has personally trained hundreds of third-party risk managers, vendor relationship managers, and vendors.

Venminder is a proud sponsor of Healthcare Scene.