Earlier this year, Rush University Health System announced that a claims-processing vendor shared a file containing patient information with another, unauthorized third party. As a result, the personal information of 45,000 patient records was exposed. The health system, which oversees 30 locations in the greater Chicago area, is not alone in the ongoing trend of data security problems at hospitals across the nation.
With healthcare data breaches involving third-party vendors on the rise, how can the healthcare industry avoid third-party data failures? Keep reading for three ways that healthcare organizations can secure their data and reduce the risk of third-party failures.
1. Identify mission-critical vendors
For healthcare organizations, a transparent view of all vendors is key. This means taking the time to analyze all third-party vendors you conduct business with and ranking them by whether the vendor is critical or non-critical to business operations. When determining mission-critical vendors, consider the following:
- What type of data is the vendor handling?
- How does the vendor handle transactions?
- Would the sudden loss of this vendor cause significant disruption to the organization?
Most hospitals conduct business with multiple vendors at any given time. Reviewing the hospital’s third-party network and identifying mission-critical vendors may seem like a tedious task, but it’s an essential first step toward a clear picture of the overall risk profile.
One other thing to keep in mind: It’s not a matter of if you’ll be breached, but rather when you’ll be breached. By conducting a deep dive into all vendors and identifying those that are mission-critical, healthcare organizations will be prepared with a better understanding of all potential risk from their third-party vendors.
2. Establish a single source of truth
Managing portfolios of third-party vendors presents a significant challenge to healthcare organizations. As hospital employees spend more time on paperwork and administrative tasks rather than patient care, tracking yet another task can be burdensome. This is especially true if your hospital organization is reliant on emails and spreadsheets, opening the door for errors and missed signals of a potential breach.
Instead of a spreadsheet-based approach to tackling third-party risk, healthcare organizations should consider tech solutions that house all third-party relationships, providing a centralized repository of vendors, assessments, risks, and mitigations. When reviewing a solution for third-party risk management, consider the following:
- Does the solution allow you to assign and track mitigations and remediations?
- Do you have the ability to customize workflows to match your approval processes?
- Can you establish tiers of third-party vendors based on risk profile or service offering?
- If you add more vendors or grow as a healthcare organization, can the solution scale with your growth?
Finding a solution that can grow with you over time—while still providing a transparent view into all third-party vendors—is essential to protecting your healthcare organization’s data.
3. Conduct ongoing risk mitigation
With so much data at stake, it’s important that healthcare organizations take the time to establish ongoing risk mitigation practices. According to a recent survey, healthcare organizations take an average of 55 days to identify a data breach. What if we could lower that number?
There are solutions that help organizations establish an automated, ongoing process for monitoring new and existing risk activity. By having this type of monitor in place, healthcare organizations can be alerted to potential risk. This saves professionals time and allows them to focus on other areas of the organization.
With the right solution in place, healthcare organizations can avoid situations like the one that Rush University Health System experienced. By keeping tabs on the activities of third-party vendors, companies can ensure that every stakeholder is following proper procedure. Ultimately, healthcare organizations should adopt a risk-based approach to strengthen third-party risk management programs.
Matt Kunkel is the CEO at LogicGate.