Professional Finance Company (PFC), an accounts receivable management firm, notified healthcare providers in May that data on 1.9 million of their patients was exposed in a February ransomware attack. According to PFC, protected health information (PHI) and personally identifiable information (PII) compromised in the attack could have included names, contact information, accounts receivable balances, account payment information, dates of birth, Social Security numbers, health insurance information, and medical treatments.
Yet, the PFC breach is only the third largest healthcare business associate security event reported so far in 2022, with the Shields Health Care Group incident affecting 2 million patients, and the Eye Care Leaders breach impacting more than 2.9 million patients (and growing).
Considering their increasing scale and impact, how can healthcare security and risk management professionals mitigate the impact of third-party breaches like these?
Shared intelligence networks are libraries of on-demand vendor risk profiles that can be “checked out” when you need to assess a business associate. Risk profiles are based on industry-standard content and are automatically updated on a regular basis with continuous cyber, business, financial, and reputational insights added for context and to fill gaps between annual assessments.
However, the value of a shared intelligence network extends beyond simply leveraging already-completed risk profiles to assess a business associate’s risk. Networks offer an added benefit of community analytics – visualizing broader risk trends across an industry using data from multiple vendors in the network.
For example, if a top-ranked risk among vendors in a network is a weak password management policy, you can focus your risk management efforts on business associate password hygiene to proactively reduce the likelihood that passwords could be exploited by a hacker to gain access to your data managed by the business associate. You can then validate the business associate’s password management controls by using integrated continuous cyber monitoring insights to determine whether their passwords are for sale on the Dark Web.
Prevalent manages the Healthcare Vendor Network (HVN), the Health Information Sharing and Analysis Center’s (H-ISAC) exclusive solution for shared risk assessments for third parties based on the industry standard H-ISAC security, data privacy, and risk assessment. Hundreds of companies rely on thousands of completed vendor risk profiles in the HVN every day to manage their business associate risk.
Are Your Vendors Adequately Securing ePHI?
Discover best practices for proactively identifying, managing and reducing business associate risks.
If a cybersecurity incident impacted a business associate, would you be able to quickly understand its implications to your business and activate an incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential business associate problems. A programmatic third-party incident response plan could include:
The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of business associate cyber-security incidents by centrally managing third parties, automating event assessments, scoring identified risks, and accessing remediation guidance.
HIPAA requires that healthcare organizations ensure that business associates and other third parties have the security and privacy controls in place to prevent unwanted access that impacts the confidentiality, integrity or available of PHI. To achieve this, companies should conduct thorough vendor risks assessments prior to the audit. Even if your organization does not experience a third-party security incident, auditors will eventually assess your business associate risk management program.
A third-party risk management solution can help simplify the process of collecting and analyzing business associate risks by:
Be sure to download the HIPAA Compliance Checklist for a full analysis of how the Prevalent Third-Party Risk Management Platform can help simplify HIPAA audits.
Business associate security incidents are inevitable. However, you can be more proactive by sharing risk intelligence with peers, preparing an incident response plan, and getting ready for the inevitable audit. Request a demo today to learn how our H-ISAC endorsed solution can help.
The HIPAA Third-Party Compliance Checklist
Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.
Effectively manage third-party cybersecurity incidents with a well-defined incident response plan.
09/24/2024
Why third-party breaches are on the rise, who is being affected, and what you can do...
09/20/2024
Use these 6 tips to improve your third-party breach response procedures.
09/17/2024