Managing Third-Party Information Security Risk
Clinical laboratory provider Quest Diagnostics recently acknowledged that a billings collections vendor it works with suffered a data breach on its web payment system that may have exposed information of nearly 12 million of Quest’s patients.
The third-party company, Elmsford, N.Y.-based American Medical Collection Agency (AMCA), is contracted with Optum360 LLC, which in turn provides payment services to Quest.
This breach report once again shines a light on the information security concerns that come into play as electronic protected health information (ePHI) flows from covered entity to business associate.
Healthcare providers are increasingly outsourcing key business processes to third-party service providers, while also adopting new cloud-based technologies for initiatives such as telehealth, remote patient monitoring, and data analytics. As a result, they are sharing more ePHI with business associates than ever before.
Bad actors have come to realize that they can more easily get to a healthcare provider’s sensitive data by launching cyber attacks on these business associates rather than the provider itself. Recent data has shown that third-party vendors working with healthcare provider organizations accounted for more than 20 percent of breaches in the healthcare sector in 2018.
When it comes to vendor security practices, there are several issues that may put the client’s patients’ ePHI at risk.
Many covered entities and business associates either don’t understand what is required to meet the HIPAA Risk Analysis requirement and or simply elect not to perform the risk analysis. Those that don’t understand the requirement often confuse it with a controls gap assessment or perform the risk analysis at such a high level that they fail to identify risks to specific systems or components that then go insufficiently protected. Those that simply choose not to perform the risk analysis are demonstrating willful neglect in their compliance with HIPAA’s Security Rule.
In this case, we don’t know if AMCA performed a risk assessment and/or if they were aware of the risks associated with their payments’ website. What is clear is that either they were unaware of the risks, knew about the risks and chose to accept them and/or implemented controls that were insufficient, implemented incorrectly, or were not functioning as planned.
It is important that when an organization elects to use a third party, they do their due diligence and understand the risk associated with using that particular vendor. In addition to signing a business associate agreement, leading organizations now typically require third parties with whom they contract to answer security questionnaires describing in some detail their IT security program and in some cases also require the vendor to have regular testing of its security controls performed by an independent organization.
Unfortunately, these efforts often place third-party vendors in a conflicted position.
On the one hand, they need to sign deals in order to stay in business. On the other, in order to make the deal, they must respond to the security questionnaires in a favorable way. As a result, there is an incentive to cast the organization’s security posture in as good a light as possible. Under these circumstances, it is very easy to cross the line into a misrepresentation. Leaders at third-party vendors need to be aware of this issue as do their clients.
Security as a differentiator
To avoid this dilemma, we find leading vendors are now using security as a differentiator. They are actively making the investment and taking the steps necessary to implement, test and document strong security controls. In so doing, they demonstrate to potential and existing customers that working with them poses less risk than working with a competitor.
 Source: https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018