Industry Voices—How healthcare organizations can avoid 3rd-party data failures

security
With so much data at stake, healthcare organizations take the time to establish ongoing risk mitigation practices to avoid third-party data breaches. (LuckyStep48/Getty Images)

Earlier this year, Rush University Health System announced that a claims-processing vendor shared a file containing patient information with another, unauthorized third party. As a result, the personal information of 45,000 patient records was exposed. The health system, which oversees 30 locations in the greater Chicago area, is not alone in the ongoing trend of data security problems at hospitals across the nation.

With healthcare data breaches involving third-party vendors on the rise, how can the healthcare industry avoid third-party data failures? Keep reading for three ways that healthcare organizations can secure their data and reduce the risk of third-party failures.

1. Identify mission-critical vendors

For healthcare organizations, a transparent view of all vendors is key. This means taking the time to analyze all third-party vendors you conduct business with and ranking them by whether the vendor is critical or non-critical to business operations. When determining mission-critical vendors, consider the following:

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.
  • What type of data is the vendor handling?
  • How does the vendor handle transactions?
  • Would the sudden loss of this vendor cause significant disruption to the organization?

Most hospitals conduct business with multiple vendors at any given time. Reviewing the hospital’s third-party network and identifying mission-critical vendors may seem like a tedious task, but it’s an essential first step toward a clear picture of the overall risk profile.

RELATED: Data of 45,000 Rush patients exposed due to third-party breach

One other thing to keep in mind: It’s not a matter of if you’ll be breached, but rather when you’ll be breached. By conducting a deep dive into all vendors and identifying those that are mission-critical, healthcare organizations will be prepared with a better understanding of all potential risk from their third-party vendors.

2. Establish a single source of truth

Managing portfolios of third-party vendors presents a significant challenge to healthcare organizations. As hospital employees spend more time on paperwork and administrative tasks rather than patient care, tracking yet another task can be burdensome. This is especially true if your hospital organization is reliant on emails and spreadsheets, opening the door for errors and missed signals of a potential breach.

Instead of a spreadsheet-based approach to tackling third-party risk, healthcare organizations should consider tech solutions that house all third-party relationships, providing a centralized repository of vendors, assessments, risks, and mitigations. When reviewing a solution for third-party risk management, consider the following:

  • Does the solution allow you to assign and track mitigations and remediations?
  • Do you have the ability to customize workflows to match your approval processes?
  • Can you establish tiers of third-party vendors based on risk profile or service offering?
  • If you add more vendors or grow as a healthcare organization, can the solution scale with your growth?

Finding a solution that can grow with you over time—while still providing a transparent view into all third-party vendors—is essential to protecting your healthcare organization’s data.

3. Conduct ongoing risk mitigation

With so much data at stake, it’s important that healthcare organizations take the time to establish ongoing risk mitigation practices. According to a recent survey, healthcare organizations take an average of 55 days to identify a data breach. What if we could lower that number?

RELATED: HHS security policies should focus on incentives, not penalties, health IT leaders say

There are solutions that help organizations establish an automated, ongoing process for monitoring new and existing risk activity. By having this type of monitor in place, healthcare organizations can be alerted to potential risk. This saves professionals time and allows them to focus on other areas of the organization.

With the right solution in place, healthcare organizations can avoid situations like the one that Rush University Health System experienced. By keeping tabs on the activities of third-party vendors, companies can ensure that every stakeholder is following proper procedure. Ultimately, healthcare organizations should adopt a risk-based approach to strengthen third-party risk management programs.

Matt Kunkel is the CEO at LogicGate.

Suggested Articles

CVS Health is joining forces with UPS to test several different applications for drone delivery, including sending products directly to patients.

A federal judge won't give the Trump administration more time to repay hospitals affected by $380 million in site-neutral payment cuts.

Cleveland Clinic and telehealth company American Well are launching a Cleveland-based joint venture telehealth company.