Our client, a large hospital system, was seriously underperforming in its assessment of third-party security risk. As with most large health care entities, it has a massive volume and velocity of data flows of electronic protected health information (ePHI) between care providers, payers, and the vendors used to provide services to patients. This obviously creates significant security and privacy risk. While Business Associate Agreements (BAAs) are standard and required, a signed BAA does not tell you anything about the actual security posture of the organization that signed it. Increasingly, corporate boards are very sensitive to data loss caused by third-party inadequacies. The large Target breach of 2013, in which the attackers entered through credentials stolen from an HVAC vendor, was directly attributable to poor third-party oversight.
Many of the entries on the “Wall of Shame” (the HHS Office for Civil Rights breach portal that lists breaches affecting 500 or more individuals) are there not because of the listed organization’s own actions, but because of those of a third party. Even the smallest healthcare company is likely to send its data out to many business associates, and to offer system access to many other third parties. Either of these options greatly increases the risk to that company. Under HIPAA, a Business Associate’s data breach is still the Covered Entity’s breach to report and answer for. And while most organizations have excellent perimeter controls, they are far more vulnerable to an authenticated user, which means that one compromised account belonging to an external user leaves every partner that trusts it exposed to the same attacker. Managing the risks from both of these types of third parties – Business Associates, who receive data, and External Users, who get system access – is essential to securing your own information.