Why 3rd Party Vendor Controls are Critical for Healthcare Providers

In early June 2019, Quest Diagnostics and LabCorp, two of the largest diagnostic testing companies in the country, filed documents with the federal government disclosing that a third-party collections company they both used had suffered a security breach. The breach at American Medical Collection Agency (AMCA) potentially exposed the personal and banking information of some 20 million patients. Lawsuits seeking tens of millions of dollars were filed against the testing companies, the federal government is investigating them, and both face damage to their credit ratings. AMCA has since filed for bankruptcy protection as a result of the litigation.

According to reports, the breach began in August 2018 and was not reported until March 2019. Unfortunately, it is all too common for a breach to go undetected for months: on average, it takes 266 days for a breach to be identified and contained. The AMCA breach illustrates a larger challenge facing every industry today: the consequences of security failures at third-party vendors.


Data is Valuable

Data theft is a lucrative business, and the price of stolen information is lower than you might think: a medical record can be purchased for around five dollars. Stolen data is sold on the dark web and paid for with hard-to-trace cryptocurrency such as bitcoin. Healthcare is frequently targeted because of the massive amount of patient data it collects.

Fragmentation Affects Efficiency

As more healthcare facilities turn to third-party vendors to handle invoicing, payment processing, and collections, each of these relationships introduces risk. A fragmented set of service providers leads to inconsistent controls across the organization. When individual departments or auxiliary providers each contract their own third-party services, the chance that a vendor escapes oversight increases.


Size Matters

Most small and rural hospitals do not have the resources to absorb the impact of a data breach, and the result can be catastrophic. A HIPAA civil penalty for exposed patient data can reach $50,000 per violation, and each exposed record may be counted as a separate violation. Facilities hit this way are sometimes forced to close, reducing the healthcare options available to the community. Smaller institutions are also more vulnerable to cyber attacks in the first place because they are less able to allocate resources to data protection.

Losses Go Beyond Monetary

In addition to the financial losses, there is an intangible but equally important consequence: damage to reputation. News travels quickly across social media and the rest of the internet, and a serious breach results in degraded patient loyalty, poor reviews, and loss of public trust. Individuals may move to other providers or file complaints. This can be an insurmountable hurdle, and some organizations do not survive it.

How to Better Manage Healthcare Data

Know Your Data Sources

How can a healthcare facility keep track of this data? It begins with understanding how data is collected and stored. Because data arrives from many sources, a detailed, ongoing review process is required. Data is often characterized by the three V's, volume, velocity, and variety, and these dimensions are a useful lens for inventorying the data flowing both into and out of the organization. Automating privacy controls for patient information, especially when it is accessed by third-party vendors, allows the organization to react quickly to threats and protect sensitive assets. Risk mitigation must be coordinated across the whole organization rather than left to individual departments, so that silos do not form.

Review Third Party Agreements

The use of third parties to manage operations will continue as the connections between healthcare and technology become commonplace, and patients want access to their digital records and the convenience of online payment. All third-party agreements should be reviewed regularly to confirm compliance with privacy standards. Basic security practices such as two-factor authentication, removable-device management, and data encryption are a critical part of the risk framework, and vendor contracts should require them. Remember that any link in the supply chain can be breached, and a breach anywhere in it can affect your organization. Know how data is exchanged, stored, and managed between these entities. Use our Vendor Vetting checklist to review your third-party vendor relationships.

Build a Coalition of Trust

More than ever, patients are becoming informed healthcare consumers. They rely on providers to safeguard their personal data in the face of growing security concerns. A Forrester report found that the number one concern of IT security leaders was damage to patient trust as a result of a data security failure. Healthcare technologies should be secure, easily accessible to the end user, and should not interfere with the provider-patient relationship. Patients entrust sensitive data not only to their provider but to the entire healthcare ecosystem. Knowing what is shared, and with whom, among third-party vendors and other outside entities helps patients make informed decisions. A transparent, patient-centered approach to data protection fosters trust, which leads to better patient outcomes overall.

