With the recent spike in healthcare data breaches, it is important that healthcare organizations understand and verify the data security posture of their third-party vendors, yet most companies say they lack the resources to monitor the security frameworks of these partners.
A recent survey by the Ponemon Institute showed that 60 percent of participants reported that their companies do not check the security and privacy practices of vendors even though they share confidential and sensitive information.
“Despite the number of publicized data breaches throughout the US, there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack,” Chairman and Founder of the Ponemon Institute Dr. Larry Ponemon said.
The study set out to research the challenges that third-party vendors across industries experience in protecting confidential information, like PHI, shared with the companies. Researchers found that a major difficulty is detecting and mitigating risks related to business associates because organizations do not have the resources or procedures to check vendor security measures.
Healthcare organizations rely on business associates to manage key aspects of their business, such as EHR systems, medical billing, and data analytics. Business associates that access PHI are required to comply with HIPAA regulations.
However, the number of cybersecurity incidents involving third parties is increasing, according to the study. Approximately 73 percent of respondents saw an increase, while 65 percent also said they find it difficult to manage cybersecurity events involving vendors.
Researchers found that half of survey participants confirmed their organization experienced a data breach caused by a vendor. Sixteen percent of respondents were not certain.
The survey revealed that companies are losing confidence in the security programs of business associates. Even if a security event occurred, more than one third of companies do not believe their third-party vendors would notify them.
“The inability of so many companies to confirm whether third parties have had a data breach or cyberattack involving sensitive and confidential information should be a wake-up call for businesses across all industries,” Treliant Risk Advisors Chief Business Officer Susanna Tisa said in a statement. “To mitigate this risk, companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors; however, we found that few companies represented in this research, in particular those outside the regulated banking sector, have done so.”
With healthcare data breaches on the rise and the prevalence of recent ransomware attacks, it is important that healthcare providers know their healthcare data security positions and enforce vendor risk management policies.
Despite the lack of trust in vendors, 41 percent of participants still shared sensitive data with third parties even though they claimed their vendor’s safeguards and security positions were insufficient to effectively respond to a data breach.
An estimated 58 percent of respondents could not even determine whether vendor safeguards and security postures were sufficient to prevent a data breach.
The study showed that most companies have inadequate risk mitigation strategies when it comes to business associates. Researchers found that only 31 percent of participants stated that their vendor risk management program was highly effective.
Some companies did not have comprehensive vendor risk frameworks. Only 38 percent of respondents said their organizations collect data on and track the effectiveness of their vendor risk management program, and fewer than half of the participants had a vendor risk management committee.
Researchers suggested that businesses strengthen their governance practices related to vendor security management.
Companies also need to do more than depend on business associate agreements to ensure that consumer information is being protected. Businesses should perform audits and assessments of their vendors.
“The type of risk we are seeing now is changing in response to our evolving data-driven economy. The risk to strategic data assets extends beyond any single third party to the web of relationships that comprise the data ecosystem,” BuckleySandler Managing Director Rena Mears said. “Companies must understand that managing data risk is not merely a compliance and contract issue but a fundamental strategic challenge in which personal data, intellectual property and transactional records must be protected from third-, fourth- and nth-party risk.”