Businesses in all sectors are increasingly relying on vendors and associates. This is especially true in healthcare, where functions such as billing are frequently performed by outside parties, and providers rely on various partners for services like imaging and diagnostics.
While third-party contractors provide benefits such as cost savings, supplemental expertise and improved efficiency, they also introduce new risk: every vendor with a network connection or a data feed expands the attack surface of the healthcare network.
The risk is compounded by healthcare organizations' rapid transition to electronic health records and connected medical devices, while their security infrastructure has not been updated nearly as quickly to handle the added exposure.
A vulnerable security environment not only exposes the organization to regulatory problems; it also puts patient privacy and safety at risk. This means providers can no longer afford to ignore best practices both for deploying technology and selecting and managing vendors.
Risks of Relying on Third-Party Vendors and Associates
While the healthcare industry as a whole struggles with outdated infrastructure, individual medical providers simultaneously strive to deliver a seamless treatment delivery experience for patients.
This means that protected health information needs to be accessible to a variety of parties outside the organization, as well as to the providers themselves, who need that information anytime and anywhere. A growing number of healthcare organizations are moving data to the cloud in response.
Bad actors have caught on, and are increasingly targeting smaller vendors with relatively weak security defenses as a roundabout way to breach the larger organizations they serve. In the healthcare sector, at least a quarter of breaches in the last few years have been linked to a third party such as a business associate or vendor.
Several studies have shown that across all industries, a large number of organizations don't have processes and policies to manage third-party risk. This is especially concerning for healthcare organizations, which remain liable for HIPAA violations regardless of which party failed to prevent exposure of patient records. To avoid the costs of noncompliance and of compromised patient privacy and/or safety, healthcare organizations need to take proactive steps to mitigate the risks of entrusting business functions to third parties.
Best Practices to Help Mitigate Risks
- Implement a third-party risk-management program — including processes for ensuring that vendors and business associates have appropriate technologies to mitigate data loss.
- Evaluate the vendor’s security posture — before you select contractors/vendors or business associates, assess and audit their cybersecurity readiness and privacy policies.
- Review your business agreements — they should specify procedures for third-party reporting of cybersecurity incidents, as well as how and why sensitive information can be used.
- Assess risks in your supply chain — ensure you know who has access to sensitive data outside your organization and how access is managed.
Infogressive offers comprehensive security solutions to secure all the moving parts of complex healthcare networks. Our managed IT security services can fit the smallest medical practice to the largest providers and insurers.