The recent breach that affected Quest Diagnostics Inc. and Laboratory Corporation of America Holdings underscores the importance of third-party risk management when sharing patient information with contractors.
The breach, which potentially exposed the data of 20 million patients, didn't happen on Quest or LabCorp systems. Instead, it happened on systems owned by a bill collection service provider, American Medical Collection Agency (AMCA). The breach occurred via AMCA's web payments portal.
It's not the first breach of its kind, as third-party breaches that affect covered entities are on the rise, according to health IT and information security expert Kate Borten, president of The Marblehead Group LLC. But it should be a warning sign to healthcare CIOs.
They need to recognize the trust patients put into a healthcare organization's data security program, and they should take the necessary steps to minimize risk by doing due diligence, according to Kristina Podnar, digital policy consultant and author of The Power of Digital Policy.
"Are you doing enough to actually take precautions and vet your vendors enough that you can say, 'Hey, they're securing your information enough, and we're minimizing the amount of information they have access to. So, if there is a breach, it's limited,'" she said.
Six steps to third-party risk management
Podnar outlined six steps that healthcare CIOs should take when it comes to third-party risk management.
1. Limit the organization's exposure
Podnar said there is a growing pattern where an original entity contracts for data management services from one company that then taps another company to manage a portion of the data, creating a chain of outsourcing that can leave CIOs out of the loop.
Take Quest Diagnostics, for example. The medical testing company used Optum360 for revenue management services. Optum360 used AMCA for bill collection services, which experienced a recent breach of data that may affect 12 million Quest Diagnostics patients.
While the details of the breach are still emerging, Podnar said healthcare CIOs have an obligation from an ethical, moral and fiduciary perspective to know and understand who has access to what data. Discussing risk and opportunity is one way to determine and limit exposure, she said. For example, if there's an opportunity to outsource billing payments, the immediate next step should be to figure out what risk the organization takes on by doing so.
"As you're doing that, you want to make sure that you're developing a written set of requirements for vendors," Podnar said. "A lot of organizations don't bother to do that."
2. Conduct risk assessments
It's not only important for CIOs to understand their own organization's security strategy and conduct internal assessments; it's also important to know the same about a third-party service provider. That's especially the case when the shared data is sensitive, Podnar said.
CIOs can start by assessing the company's online presence, including the company website. Broken links and outdated website copyrights are red flags.
"If they don't have their ducks in order, they're not going to do any better by you," she said.
3. Determine what information should be shared
When Under Armour suffered a major security breach in 2018 that affected 150 million customers, its architecture limited the damage, according to Podnar. The retail giant had segregated customer data from payment data, so only names and passwords were exposed, rather than credit card information.
"Having a multi-tier architecture and making sure you put different types of controls on different types of data is critical," she said.
4. Talk about cybersecurity strategy
As part of their third-party risk management strategy, healthcare CIOs need to ask questions like the following:
- How will they secure data the company shares with them?
- What are their security practices?
- Do they have documentation verifying their security practices?
- Are they asking about the CIO's organization's security requirements?
"If the vendor is saying, 'We can process this data for you,' but they are not concerned about the kind of requirements or security you care about, then that's probably a shoddy vendor," Podnar said.
Leigh-Anne Galloway, cybersecurity resilience lead at enterprise security provider Positive Technologies in Framingham, Mass., echoed Podnar. CIOs should state the organization's criteria and information security requirements before trusting third-party vendors with sensitive information. If the third-party service provider doesn't fit the criteria and isn't ready to guarantee the security requirements as stated, then a contract with that provider should be avoided.
CIOs can also initiate an information security audit to ensure the reliability of a third-party provider's security, Galloway said.
5. Establish a verification process
CIOs can't always rely on third-party organizations to create their own verification process for security protocols, according to Podnar. So, it's up to the original organization to establish a verification process to determine if a third party's security protocols are up to par.
Quest Diagnostics, for example -- one of the companies affected by the AMCA breach -- had already suffered a breach in 2016 that exposed the data of 34,000 patients. Podnar said she believes the two breaches in less than three years could be an indicator that the company doesn't have the right people internally to establish proper verification and security processes and to test them.
6. Test security processes
Every healthcare CIO should be thinking about how to test a third party's security protocols and enhance third-party risk management, Podnar said.
"They should be thinking about testing and doing desktop exercises on what happens if security is breached so they can understand how the entire ecosystem works," she said.
Podnar said an organization is only as strong as its weakest link, as evidenced by the AMCA breach.
"In this instance, your weakest link was somebody outside of your organization who compromised you and did a number on a lot of data," she said.
Do research, due diligence before contracting with a third party
Even for smaller provider organizations struggling to maintain security in their own environments, Podnar said there are still ways to vet a third-party vendor before working with them.
She recommended they ask about their security controls and risk assessment plan. She also suggested they press third parties on whether they follow the NIST Cybersecurity Framework controls and whether they subscribe to the Center for Internet Security controls, both of which provide cybersecurity best practices and recommendations.
Podnar said the most critical steps a healthcare CIO can take are to research third-party vendors and ask basic questions. She stressed that CIOs should pay attention to companies' responses and to whether they provide direct answers on how they will handle security and security incidents.
"You can do some basic homework to understand are they ethical, do they seem to care about people, are they doing what seems to be the right thing, and do they even know what they are doing," she said.
Especially for small organizations, having insurance -- and making sure third-party service providers have insurance -- is also crucial.