PracticeMax Ransomware Attack: How Healthcare Organizations Can Secure Their Supply Chains

3. Conduct business associate risk assessments continuously – not just during contract renewal

Assessing your vendors during onboarding is a great start. However, if you limit subsequent reassessments to fixed periods, such as contract renewals, then you will miss any risks that arise in the interim. There are a couple approaches to addressing these gaps:

1. A proactive approach, where full assessments are conducted more frequently
2. A reactive approach, where risk assessments are conducted in response to specific events

Each approach offers benefits and provides more regular insights to help you stay on top of BA risks. Proactive approaches combine a vendor-completed, controls-based assessment with an external analysis of threats from the Internet and dark web, as well as public and private sources of reputational, sanctions and financial information. Key to this approach is normalizing and correlating the data from all sources into a single risk register for central context, quantification, management, and remediation.

A reactive approach automates the triggering, issuing, and analysis of event-specific assessments (e.g., in response to the SolarWinds attack) based on the fourth-party relationships covered in Tip 2 above. Either way, you walk away with more regular insights for more informed, risk-based decision making regarding your supply chain.

4. Don’t ignore offboarding – risks can persist when vendor relationships end

Although the PracticeMax attack involved a current vendor, it’s important to ensure that you apply the same amount of rigor to the offboarding process as you do to the onboarding process. As you wind down your BA relationships, you should assess whether BAs are taking steps such as disposing of your patients’ PHI and assets according to regulatory requirements and industry best practices. Otherwise, you could end up with hefty fines to deal with (just ask Morgan Stanley). We’ve found that few companies address risk during the offboarding stage of their BA relationships. Look for solutions that enable you to schedule tasks to review contracts to ensure all obligations have been met, and issue customizable contract assessments to evaluate offboarding status.

5. Automate reporting for efficient mapping to HIPAA and other requirements

The HIPAA Security Rule requires covered entities to enter into a business associate agreement (BAA) with any third-party vendor that performs services on the entity’s behalf. The agreement holds BAs to the same HIPAA standards as the covered entity, ensuring that patient PHI is safe. If you’re dealing with dozens, hundreds, or even thousands of third parties, then the task to manually collect and analyze this information in a spreadsheet can quickly become overwhelming. Look for solutions that not only automate the collection and analysis of BA risk data, but also produce HIPAA-specific reporting showing compliance status and any weaknesses prior to engaging with your external auditors. It will greatly accelerate the risk mitigation process.

Next Steps for Healthcare Third-Party Risk Management

Taking a holistic approach to business associate security and protecting data at every step of the third-party lifecycle can help you mitigate risks and avoid becoming the next ransomware data breach victim. For more specific guidance on how Prevalent can help you meet HIPAA Security Rule business associate risk requirements, download The HIPAA Third-Party Compliance Checklist or contact us today for a strategy session.

Bonus: If you think a business associate has been the victim of a ransomware attack, use this free questionnaire to determine your exposure.