Evaluating how seriously your vendors take cybersecurity

By Brian Foy | April 10, 2019

A recent analysis revealed a 25% year-over-year increase in healthcare data breaches and that 2020 was the third-worst year for breaches with nearly 29.3 million health care records exposed. These staggering statistics underscore how critical it is to ensure your outside partners value your cybersecurity as much as you do.

You might be thinking, “Brian, as the CPO of a quality data solutions provider that works with more than 1,200 hospital partners, why would you admit vendors are at risk too?” Well, if you have spoken with our team about cybersecurity, you know we are not afraid to broach the subject. In fact, Q-Centrix holds the highest data security recognition available today: SOC 2 + HITRUST. And, if you’ve read our Clinical Quality Data Privacy & Security guide, then you know it’s no surprise that we openly stress the importance of choosing vendors that are hypervigilant about cybersecurity.

Let’s face it, if a transportation service breach can expose patient data, then healthcare organizations are only kidding themselves if they don’t believe that virtually every partnership poses a cybersecurity risk.

As we’re reminded that healthcare is a prime target for breaches and that electronic data protection requires an ongoing, concerted approach, it is important to understand how to evaluate whether a vendor takes cybersecurity seriously. Following are our latest tips for choosing a cybersecure vendor:

  1. Ask about cyber-liability insurance. Businesses involved in sharing and storing sensitive information over computer networks should have cyber-liability coverage. Policies vary, but they should generally cover a company’s liability for a breach of customer data, such as personal health information. Coverage typically includes recovering compromised data, notifying clients about a breach, and restoring personal identities for affected individuals. More about cyber-liability insurance.
  1. Address cybersecurity head on.No company should shy away from this topic. For example, at Q-Centrix, we aim for a level of transparency that allows our clients to rigorously assess our cybersecurity standards and practices. Cybersecurity should be a discussion focal point before any agreement is signed and then be continued as part of the ongoing vendor-client dialogue. One way hospitals can approach this is to form an information security taskforce that vets all vendors and reviews their cybersecurity practices on an annual or semi-annual basis.
  1. Confirm the vendor meets industry “gold standards.” No company should be left in the virtual dark about its cybersecurity vulnerabilities. Best practices include regular vulnerability scans and penetration testing. A vulnerability scan uses a computer program to detect weak points in computer networks and equipment, such as identifying breach-susceptible software code. Code manipulated by hackers can cause major disruptions, including the unmasking of encrypted information. Penetration testing takes things a step further to demonstrate how effective a company’s existing security controls are in detecting and responding to an attack. Companies should be able to tell clients if they recently underwent these assessments.
    Also, ask vendors if they have a security incident response plan (SIRP). When it comes to cybersecurity, the question is not if an incident will happen but when – and whether the company is ready to react. The main objective of a SIRP is to minimize the severity of cybersecurity incidents. These plans generally consist of a series of steps that include identifying the type and seriousness of an incident, stopping it, determining who has been affected, notifying the appropriate individuals and agencies, and making changes to prevent similar incidents from happening again. Be sure to ask vendors if they have a formalized SIRP. If the answer is no or they can’t clearly describe their plan, that’s a red flag.
  1. Ask about the vendor’s partners. You may be confident your partner’s processes are secure, but what about the vendor’s vendors? The amount of work that is outsourced, and to who, may impact cybersecurity. Companies that use their own staff, where possible, generally have more control over how individuals access sensitive information. For example, at Q-Centrix, we have a client services team of more than 800 quality experts who we can verify are handling electronic medical record data in accordance with our security standards. However, for email and cloud data storage, we need to rely on outside support. For this, we turn to reputable names in the industry that have strong track records of keeping information safe. 
  1. Find out if the vendor’s team is trained. While vendors using their own staff may have more control over their teams, the Indiana plan administrator case shows staff can be vulnerable to hacks too. Vendors that are serious about cybersecurity actively work to transform their teams from being a security vulnerability to an effective line of defense. There are many cybersecurity awareness training providers that specialize in empowering employees to recognize and safely react to threats. This may include knowledge assessments and simulated phishing attacks that use email templates mimicking those used in real attack attempts.
    At Q-Centrix, we have made this type of training a regular part of our ongoing employee learning program. With the rate of phishing and ransomware attacks rapidly increasing—costing organizations that fall victim to them an average of $1.6 million—the choice between going with a vendor that provides its team cybersecurity awareness training and one that doesn’t should be an easy one.
  1. Basics matter. Vendors whose services are driven by multiple users who view, add, or edit sensitive information should incorporate the latest login security controls – so find out if yours do. These details can mean the difference between business as usual or the worst day … month … or year you’ll ever have. Two-factor authentication is becoming the norm for logging into online and other digital interfaces. It requires anyone signing in to retrieve and enter an additional code delivered via email, text message or phone call. It’s similar to what credit card companies and email providers, such as Google, are already using to improve security.

Looking at the bigger picture, choosing outside partners strongly committed to cybersecurity is one part of your organization’s broader cybersecurity strategy, but it is a critical one. Hackers look for the most vulnerable points to penetrate security, so minimize their opportunity by factoring vendors into your approach now.