Three Reasons Healthcare CISOs Can’t Ignore Vendor Compliance

CISOs must prioritize vendor compliance to protect their company and patients from risk and avoid reputational damage, expensive penalties, and other financial impacts.

By John Schneider
July 18, 2019

The risk of a cyberattack against healthcare organizations is growing rapidly, with some 83 percent of health CISOs reporting an increased number of attacks in the past year.

While most consumers think attackers are after their personal healthcare data—diagnoses, treatments, and other private information—the truth is, most attackers couldn’t care less. Their ultimate goal is to inflict financial harm on the business by destroying or locking up critical data, or by exploiting financial data through ransomware. A cyberattack on a hospital, doctor’s office, or health plan can bring patient care and revenue inflow to a screeching halt.

Beyond their own IT landscape, healthcare CISOs must contend with the security posture of their vendors—everything from email service providers to customer service widgets to coding services. In fact, vendor compliance is now the biggest concern among healthcare CISOs, surpassing the loss of patient data and growing sophistication of cyberattacks.

This concern is well-founded. Most healthcare organizations rely on a multitude of vendors, and security risk is additive. The more vendors in the mix, the greater the risk of a cyberattack crippling the entire value chain.

For better or worse, plans and providers are ultimately responsible for not only their internal security compliance but that of all their vendors as well. A cybersecurity breach at any point in the ecosystem can directly impact the organization in three potentially devastating ways:

Reputation damage. Healthcare organizations are required to report any breach, which is published by the Health and Human Services’ Office for Civil Rights (OCR)—also known as the “Wall of Shame.” In fact, the number of reported breaches recently reached an all-time high, which gained considerable press coverage. Not only is this information available to the public (including potential patients), but healthcare providers and other entities monitor these reports as well. A breach involving a company’s vendors can severely impact its reputation.

Penalties. Under HIPAA, companies found in breach of the law can face substantial federal fines that range from $100 to $50,000 per violation or record. In some extreme cases, the OCR has even pursued criminal charges against offending organizations. These are serious risks to both a company’s bottom line, and potentially, the offender’s job security if the organization’s security measures (or that of its vendors) are found to be negligent.

Financial impact. In addition to penalties, cybersecurity breaches cost companies $45 billion in 2018 alone. The average cost to recover from a breach is $3.86 million for companies that have been attacked, with the biggest impact coming in the form of downtime and lost business.

To avoid putting their healthcare organization at risk, healthcare CISOs must:

Establish vendor compliance requirements. While HIPAA is the most common compliance framework in the industry, it only covers patient privacy, not payment security or other protocols. In addition to HIPAA, consider requiring HITRUST certification, PCI DSS to govern payment integrity, and SOC 2 compliance for additional management and process controls, backups, and physical security.

Ensure that technology AND process constraints are included. All the technology in the world won’t help if an organization’s coding vendor allows its employees to work at the local Starbucks on an unsecured public network. Require prudent work practices and processes, including robust permissions and access controls.

Conduct routine audits. Demanding that vendors be compliant is futile if you don’t validate it through frequent audits. Yes, doing this efficiently takes time and the right expertise. However, given the substantial risk to a company’s bottom line in the event of a breach, it may be worthwhile to invest in third-party assistance from an auditing firm. This not only ensures that audits are completed in a thorough, timely, and regular manner, but also provides third-party validation and a clear allocation of liability in the event a breach does take place.

Relying on industry vendors to have security measures in place without regularly verifying them against your own standards puts healthcare organizations at grave risk of a breach. While it may seem like a big investment of resources to audit and monitor vendors for compliance, the alternative expense of disaster recovery and breach impacts is a far bigger price to pay.

By working with vendors who can demonstrate compliance with third-party audit verification, healthcare organization CISOs can rest a little easier, knowing they’ve done all they can to protect their organization.

John Schneider is CTO of Apixio and has more than 25 years of software technology and product development experience with special skills in cross-functional management across research, product, and engineering. John holds a BSE degree from Columbia University’s School of Engineering and Applied Science.
