Large corporations and government agencies are increasingly suffering data breaches stemming from lax security on the part of their service providers. Investigators are learning that the gigantic breach at the Office of Personnel Management this summer may have been the result of two previous hacks experienced by its subcontractors.

This article was originally published on CFO.com

In the health-care field, almost one in four organizations reporting data breaches are service providers (called “business associates” by the Office for Civil Rights). Here are some recent examples:

According to the HIPAA Omnibus Final Rule, health-care providers and their business associates are equally responsible for protecting health information, but covered entities (hospitals, health plans, providers, etc.) are still responsible for ensuring the notification of patients whose records have been compromised — and that can be costly.

Strengthening Service Provider Security

Here are some practical ways for organizations — not just those in healthcare — to improve data security efforts by service providers:

Conduct a comprehensive inventory of all service providers — This will likely be a long list because it should include not just electronic transaction firms but outside attorneys, IT contractors, auditors, etc.

Determine which ones pose the greatest risk — Some service providers have access to information so sensitive that its compromise could cripple your organization. Keep a watchful eye on these service providers, but don’t assume that certain types of companies are risk-free. For example, investigators now think it’s possible that the huge Target breach in 2013 started with a “phishing” expedition into a Target HVAC service provider’s website, which was connected to the retailer’s supplier portal. Some investigators surmise that the hackers gained access to the portal, then were able to burrow into Target’s payment systems.

Vet all service providers and be ready to switch if problems arise — Ask prospective partners to provide specifics on any previous breaches they’ve experienced and the remediation steps they took to prevent subsequent ones. Find out where information will be stored (overseas or U.S.) and how data will be returned or destroyed if the contract gets terminated. And it’s always wise to have a Plan B — a pre-screened service provider that can step in quickly to replace a problem-plagued one.

Carefully review all contracts — There should be language in every contract that details the service provider’s responsibilities and liabilities in the event of a breach (e.g., background checks before hire, return or disposal of health records upon contract termination, encryption of data at rest and in transmission, and notification within five working days of a suspected or confirmed breach).

Demand an annual risk analysis — Every service provider should provide annual attestation that it has performed a bona fide information risk analysis.

Thoroughly document all the above activities — This provides evidence of a good-faith effort to bolster data security, which can help reduce penalties, fines, or lawsuits arising from a breach by the service provider.

In our increasingly networked world, companies with spotless records in data security can get burned if one of their service providers gets careless. Taking these proactive measures can help ensure that every link in the security chain stays strong.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.