Many of the entries on the “Wall of Shame” at CMS (the web page that lists mass data breaches) are there not due to their own actions, but those of a third party. Even the smallest healthcare company is likely to send its data out to many business associates, and to offer system access to many other third parties. Either of these options greatly increases the risk to that company. A Business Associate’s data breach rebounds to the responsibility of the Covered Entity, per HIPAA. And most organizations have excellent perimeter controls, but are far more vulnerable to an authenticated user, which means a compromised account of an external user will leave its partners very vulnerable to the same attacker. Managing the risks from both these types of third parties – Business Associates, who receive data, and External Users, who get system access – is essential to securing your own information.