Third-Party Risk Management: Keeping Your Healthcare Organization’s Information Safe

As the person in charge of your healthcare organization’s information technology, one of your responsibilities is protecting patients’ and clients’ information. This can be difficult because third-party vendors with whom you contract can unwittingly jeopardize the security of that information. But you can take steps today to help prevent those problems tomorrow.

Data breaches are increasingly on the minds of every C-suite executive in healthcare. Reading about security breaches can make the mightiest execs groan at the possibility something like that could happen to their healthcare organization.

Take the recent case of Quest Diagnostics, a medical testing company. An unauthorized user recently gained access to a third-party billing collections vendor with whom they contracted, American Medical Collection Agency, and gained access to financial data, Social Security numbers and medical data. The breach affected about 11.9 million patients.

Days later, another company that contracts AMCA’s services, LabCorp, was notified it, too, had been breached. From August 2018 to March 2019, the hacker was able to access names, addresses, birthdays, phone numbers, dates of service, account balances and other information. The breach also exposed credit card and bank numbers attached to roughly 200,000 accounts.

Retrieval-Masters Creditors Bureau Inc., which collects patient receivables for medical labs under the name American Medical Collection Agency, has filed for Chapter 11 protection, citing fallout from the security issue. They say they plan to liquidate.

The Identity Theft Resource Center (ITRC), which has tracked security breaches since 2005, found the healthcare field had the second largest amount of breaches in 2018 (the business sector was first) and the highest rate of exposure per breach. The ITRC also notes, “Reporting parties aren’t always the target. Many of those reporting incidents were compromised through third-party vendors.”

The Information Systems Audit and Control Association (ISACA) defines third-party risk management (TPRM) as “The process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.”

TPRM can help you gauge the current state of your information security using comprehensive assessments that measure security based on numerous controls. If properly executed, often in partnership with a credible and experienced TPRM firm, a thorough third-party assessment will identify gaps in the organization’s security program. Together, you can then work to address those gaps, greatly improving the security of your data. A well-informed firm can also help you keep up with the ever-changing security landscape to make sure you stay on top of trends and innovations that can help you keep your information secure.

Sean Friel is the CEO of Intraprise Health.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.