The healthcare sector has been a primary target of hackers for more than a year, and the attacks continue to increase in sophistication. While many providers have adjusted their security posture in an attempt to shore up some of these threats, vendor management is a vulnerability often mishandled.
In fact, to Jane Harper, Director of Privacy and Security for the Henry Ford Health System, it’s an emerging risk that can wind up being a disaster if not properly managed. The problem is that there’s a lot of data shared between vendors and business associates, but often providers don’t know what’s being shared — and with whom.
Consider some of the bigger health data breaches of the last few years caused by vendor error. For example, a medical transcription vendor left a portion of a database exposed to the internet with data from at least 2,300 providers.
In another transcriptionist case, an Orlando Orthopaedic Center vendor misconfigured access to a database during a software upgrade — and waited six months to report. The breach serves as a prime example for why vendor management is crucial, especially when it comes to contractual obligations.
“The golden days, several years ago, when people thought of vendor onboarding as similar to doing a transaction are over,” said Pam Hepp, a healthcare attorney and shareholder of Buchanan, Ingersoll and Rooney.
“Originally, [healthcare organizations] looked at policies as they touched the surface: They may have asked about whether the vendor had a breach, but they didn’t do the deep dive on security,” she added. “And that’s assuming they knew the number of vendors they had.”
As the Office for Civil Rights has ramped up enforcement efforts, the point is being driven home that vendors are “just one more entry point into an organization,” Hepp explained.
Building a Vendor Relationship
One of the biggest challenges with vendor management comes with both inventory and risk assessment. For Hepp, organizations should approach third-party risk by treating vendor risk as they would their own organization.
To start, organizations need to perform a risk assessment around the vendor’s IT environment, along with the policies and procedures in place from a privacy and security standpoint, explained Hepp. The frequency will be determined by the size of the organization.
Larger organizations will have the resources to perform annual risk assessments on their vendors, which will correlate with the assessment performed on their own systems, Hepp said.
However, inventory may just be the most critical risk area — but also the hardest to protect. Many organizations don’t know just how much data is on their systems, let alone who has access. So Hepp explained that having an actual inventory of the access and vendor programs is critical.
“A number of health systems struggle with knowing what they have,” said Hepp. “And there are a number of vendors that will interact with physical systems and others don’t know if they have the same sort of privacy and security privileges when they onboard a vendor.”
“That’s been a struggle: How to get their arms around with what [data] they do have and vendor relationships,” she added.
Hepp also noted there are some software programs now with AI and machine learning components that can determine what’s on a system. Some of Hepp’s clients are using that around the inventory side of management to help monitor activity with those devices and even vendor products – just like they would for their own organization.
“There are some software tools to get their arms on what vendors are out there,” she added. “It’s becoming easier in that regard, from a software perspective to determine what’s on the system and those vendors.”
And organizations “need to take steps to limit access on those systems, just like with EHR access: It needs to be processed on accessing those vendor portals,” she added.
“Pen testing, patch management and updates have been an issue, as well, as some vendors want to control that,” said Hepp. Organizations should push to do the upgrades and patch management testing themselves, with vendor involvement.
As ransomware attacks have increased, “proper patch management is absolutely critical in the vendor space,” she explained.
“Covered entities should be requesting copies of the vendor’s risk assessments and evidence that they have implemented a risk management plan (either in addition to, or perhaps for smaller organizations in lieu of conducting their own risk assessment of the vendor),” said Hepp.
Vendor Management Checklist
Harper provided a third-party management checklist to simplify just how to build a secure vendor relationship.
- Include the appropriate internal stakeholders
- Monitor post contract signature not just for SLA metrics but security, privacy and general risk management considerations
- Make sure any insurable risk related to the relationship are covered in insurance policies
- Ensure the appropriate contracts are in place before data sharing occurs
- In addition to any regulatory mandated requirements, ensure the contracting language and process includes:
  - Clearly defined service to be provided
  - Data protection considerations
  - Data privacy considerations
  - Data ownership considerations
  - De-identification of data if applicable
  - Data destruction, return and archival considerations
  - Right to audit
  - Appropriate use
  - Breach notification and remediation considerations
  - Credit monitoring and reporting obligations in case of breach
Prior to HHS extending HITECH obligations directly to business associates, vendor contracts were stiff and there was little leverage. Hepp explained that prior to HIPAA, when organizations had to consider business associate agreements, it was merely to fill the contractual obligations for HIPAA compliance.
The HITECH changes — which went into effect around 2009 — made it so that business associates are now subject to enforcement under OCR. In fact, OCR conducted Phase II audits last year with a focus on business associates, which included conducting risk assessments and having in place a risk management plan. Timeliness of notice of security incidents and breaches to covered entities was also included.
“That leveled the playing field with negotiating,” said Hepp. “Originally, vendors wouldn’t negotiate agreements, wanting to insist on limitation of liability and not wanting to have responsibility in this area. But we’ve seen a shift because now they’re directly responsible from an OCR enforcement standpoint.”
For Hepp, the critical contractual obligations lie with the limitation of liability: this should not exist in the vendor-healthcare provider arrangement. This means that if there is a breach, those fines can be enforced on the liable party — vendor or the covered entity.
The costs of a breach add up: fines, breach notifications, risk assessments, credit monitoring and the like. If an organization allows a liability limitation with a vendor, it could be costly — especially when considering remediation efforts, fines and litigation.
“Organizations will need to negotiate,” said Hepp. “There also needs to be a strong awareness around compliance — and again keeping in mind to do due diligence on how breach notification is handled. Typically, the providers are going to want to control notice to their own patients.”
Hepp also noted that it’s critical that vendors have cyber insurance to protect liability. And indemnification itself, with respect to a breach, must also be included in the contract.
As for the red flags to avoid, Hepp said any hint of a limitation of liability and an unwillingness to indemnify are the biggest. Another would be that the vendor doesn’t have cyber insurance.
“Obviously, those are business decisions,” she said. “They are legal provisions, and an organization will need to decide on whether they still want to do business. But at the end of the day, it becomes a business decision.”
“If [the vendor] is not willing to stand behind their own negligence or breaches/incident that would be a red flag,” Hepp added. “They need to stand behind their own performance.”