The Cloud Security Alliance has released guidelines advising how healthcare organizations can manage the data security risks posed by third-party vendors. Business associates of HIPAA-regulated entities are often targeted by cyber criminals as a simple means of accessing data maintained by several healthcare organizations at once.
Employing a third-party vendor can be very advantageous for a healthcare organization, since such vendors can provide services that are crucial to its operations. However, employing a third-party vendor can also pose risks to an organization’s HIPAA compliance, cybersecurity, reputation, privacy, operations, and finances. A successful breach of a managed service provider allows a malicious actor to use the MSP’s privileged access to client systems to infiltrate the systems of all of that MSP’s clients. For the attacker this is efficient, because it eliminates the need to breach each MSP client’s network individually.
Third-party vendor security threats exist across all sectors, but they are particularly common in the healthcare sector. According to the Cloud Security Alliance, this is the result of several contributing factors, such as a lack of automation, widespread use of digital apps and medical devices, and the lack of fully implemented vendor management controls. Healthcare companies frequently use a large number of suppliers, so conducting a thorough risk assessment of each vendor and implementing the essential vendor management controls can be a time-consuming and expensive process.
HIPAA-regulated entities can follow the guidance drafted by the Health Information Management Working Group, which includes scenarios and details how risk management tools can be used to mitigate cybersecurity threats in a cost-effective and timely manner. The guidelines offer a number of suggestions, including implementing the NIST Cybersecurity Framework in order to monitor and evaluate third-party risk. The framework helps healthcare organizations identify risks, evaluate what data is provided to each vendor, rank vendors according to the degree of risk they pose, implement safeguards to secure critical services, and construct a strategy for handling and limiting any security breaches.