A recent cybersecurity analysis revealed the number of healthcare records exposed in data breaches nearly tripled from 5.5 million in 2017 to more than 15 million in 2018. While only 8% of incidents involved third-party vendors of hospitals, practices, or insurers, it is vital that outside partners value your cybersecurity as much as you do.
An incident that made headlines earlier this year reminds us that even relationships perceived as the least vulnerable are susceptible to breach. In July 2018, employees of a transportation vendor for an insurance marketplace plan administrator in Indiana were lured into responding to phishing emails – potentially exposing the data of 31,000 patients. The compromised details included names, insurance ID numbers, addresses, birth dates, and medical conditions.
You might be thinking, “Brian, as the CPO of a quality data solutions provider that works with more than 500 hospital partners, why would you admit vendors are at risk too?” Well, if you have spoken with our team about cybersecurity, you know we are not afraid to broach the subject and, in fact, encourage it. And, if you saw our guest post in Becker’s Hospital Review a little while back, then it’s no surprise that we openly stress the importance of choosing vendors that are hypervigilant about cybersecurity.
Let’s face it, if a transportation service breach can expose patient data, then healthcare organizations are only kidding themselves if they don’t believe that virtually every partnership poses a cybersecurity risk.
As we’re reminded that healthcare is a prime target for breaches and that electronic data protection requires an ongoing, concerted approach, it is important to understand how to evaluate whether a vendor takes cybersecurity seriously. Following are our latest tips for choosing a cybersecure vendor:
1. Ask about cyber-liability insurance. Businesses involved in sharing and storing sensitive information over computer networks should have cyber-liability coverage. Policies vary, but they should generally cover a company’s liability for a breach of customer data, such as personal health information. Coverage typically includes recovering compromised data, notifying clients about a breach, and restoring personal identities for affected individuals. More about cyber-liability insurance.
2. Address cybersecurity head-on. No company should shy away from this topic. For example, at Q-Centrix, we aim for a level of transparency that allows our clients to rigorously assess our cybersecurity standards and practices. Cybersecurity should be a focal point of discussion before any agreement is signed and should continue as part of the ongoing vendor-client dialogue. One way hospitals can approach this is to form an information security task force that vets all vendors and reviews their cybersecurity practices on an annual or semi-annual basis.
3. Confirm the vendor meets industry “gold standards.” No company should be left in the virtual dark about their cybersecurity vulnerabilities. Best practices include regular vulnerability scans and penetration testing. A vulnerability scan uses a computer program to detect weak points in computer networks and equipment, such as identifying breach-susceptible software code. Code manipulated by hackers can cause major disruptions, including the unmasking of encrypted information. Penetration testing takes things a step further to demonstrate how effective a company’s existing security controls are in detecting and responding to an attack. Companies should be able to tell clients if they recently underwent these assessments.
Also, ask vendors if they have a security incident response plan (SIRP). When it comes to cybersecurity, the question is not if an incident will happen but when – and whether the company is ready to react. The main objective of a SIRP is to minimize the severity of cybersecurity incidents. These plans generally consist of a series of steps that include identifying the type and seriousness of an incident, stopping it, determining who has been affected, notifying the appropriate individuals and agencies, and making changes to prevent similar incidents from happening again. Be sure to ask vendors if they have a formalized SIRP. If the answer is no or they can’t clearly describe their plan, that’s a red flag.
4. Ask about the vendor’s partners. You may be confident your partner’s processes are secure, but what about the vendor’s vendors? How much work is outsourced, and to whom, may affect cybersecurity. Companies that use their own staff, where possible, generally have more control over how individuals access sensitive information. For example, at Q-Centrix, we have a client services team of more than 800 quality experts whom we can verify are handling electronic medical record data in accordance with our security standards. However, for email and cloud data storage, we need to rely on outside support. For this, we turn to reputable names in the industry that have strong track records of keeping information safe.
5. Find out if the vendor’s team is trained. While vendors using their own staff may have more control over their teams, the Indiana plan administrator case shows staff can be vulnerable to hacks too. Vendors that are serious about cybersecurity actively work to transform their teams from being a security vulnerability to an effective line of defense. There are many cybersecurity awareness training providers that specialize in empowering employees to recognize and safely react to threats. This may include knowledge assessments and simulated phishing attacks that use email templates mimicking those used in real attack attempts.
At Q-Centrix, we have made this type of training a regular part of our ongoing employee learning program. With the rate of phishing attacks rapidly increasing and costing organizations that fall victim to them an average of $1.6 million, the choice between going with a vendor that provides its team cybersecurity awareness training and one that doesn’t should be an easy one.
6. Basics matter. Vendors whose services are driven by multiple users who view, add, or edit sensitive information should incorporate the latest login security controls – so find out if yours do. These details can mean the difference between business as usual and the worst day … month … or year you’ll ever have. Two-factor authentication is becoming the norm for logging into online and other digital interfaces. It requires anyone signing in to retrieve and enter an additional code delivered via email, text message, or phone call. It’s similar to what credit card companies and email providers, such as Google, are already using to improve security.
Looking at the bigger picture, choosing outside partners strongly committed to cybersecurity is one part of your organization’s broader cybersecurity strategy, but it is a critical one. Hackers look for the most vulnerable points to penetrate security, so minimize their opportunity by factoring vendors into your approach now.