By Manolito Jones
As the technology footprint of hospitals and healthcare providers keeps growing, no healthcare organization does it alone. More and more healthcare entities are enlisting third parties to gain efficiencies and reduce operating costs. Although outsourcing can deliver significant benefits, it also introduces significant risk when information and data are not properly governed. In healthcare, it is more than money at risk: protected health information (PHI) is on the line as well.
Data breaches involving third parties that expose or lose PHI are on the rise; four of the top 10 healthcare breaches of the last few years have involved business associates. A recent example is the medical bill collection vendor American Medical Collection Agency (AMCA). That breach potentially exposed the data of roughly 20 million patients of Quest Diagnostics Inc., Laboratory Corporation of America Holdings and OPKO Health, Inc., none of whom had a direct relationship with AMCA.
The AMCA breach highlights the importance of third-party risk management when sharing patient information with external parties. It also reinforces the importance of risk management and due diligence. While outsourcing can provide many benefits, it can also make an organization more vulnerable if a third party isn’t taking the appropriate steps to protect PHI.
Regulators in many industries, and in healthcare in particular, now require organizations to proactively identify potential risks and verify the compliance of their business associates and those associates' employees. To do this, today's CISO must understand every person, process and technology involved in handling and transferring data, both inside the organization and beyond it. That visibility starts with assessments. Assessing a business associate's PHI handling processes confirms that proper policies, procedures and controls are in place and are actually followed, not merely documented. If an assessment reveals an issue, the two companies can work together to remediate it and reduce the risk to patient data.
Another way healthcare organizations can ensure that the necessary patient data precautions are implemented and followed is to establish ongoing third-party risk monitoring. A point-in-time assessment only describes a vendor on the day it was answered; continuous monitoring surfaces compliance gaps and new risks, such as a vendor's changed subcontractors or a lapsed control, that warrant further investigation. Having these processes in place also saves security staff time and lets them focus on other areas of the organization.
Building a more effective third-party risk program helps healthcare organizations defend against data loss, system downtime, fines, public exposure and lawsuits. The key is to move beyond siloed data collection and manual processes by systematizing the interconnection of people, processes, assessments and documentation. Supporting that system with an integrated risk management (IRM) platform helps ensure that serious incidents and critical requirements do not fall through the cracks.
Tracking, capturing and standardizing processes and behind-the-scenes activity helps to effectively communicate the depth of your organization’s security requirements to third parties. The ability to issue assessments, generate reports and visualize data means that progress and priorities can be shared more readily, fostering a culture of accountability. Knowing that the reports are developed from verifiable, common datasets builds trust and eases decision-making processes. This gives CISOs the ability to be more proactive in shaping the organization’s security strategy – with the same amount of staff.
In an increasingly digitized world built from layer upon layer of complexity, lacking the right processes to address third-party risk invites failure. No enterprise can afford to neglect operational efficiency, security threats or enterprise risk, but for the healthcare industry the stakes are higher than brand and revenue. Healthcare organizations must therefore strengthen their approach to third-party risk and verify that business associates and other third parties are following proper procedures.
In the end, trust in healthcare and the protection of PHI hang in the balance, and an organization that is not prepared to assess third-party risk leaves itself open to the catastrophic aftermath of a data breach.
Manolito Jones is with Lockpath.