Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Healthcare Vendor Data Breaches: 3 Steps to Mitigate Business Associate Risk

With an ever-growing number of healthcare vendor data breaches, use this guidance to be more proactive in reducing the likelihood and impact of an incident.
Scott Lang
VP, Product Marketing
July 18, 2022
Blog healthcare vendor breaches 0722

Professional Finance Company (PFC), an accounts receivable management firm, notified healthcare providers in May that data on 1.9 million of their patients was exposed in a February ransomware attack. According to PFC, protected health information (PHI) and personally identifiable information (PII) compromised in the attack could have included names, contact information, accounts receivable balances, account payment information, dates of birth, Social Security numbers, health insurance information, and medical treatments.

Yet, the PFC breach is only the third largest healthcare business associate security event reported so far in 2022, with the Shields Health Care Group incident affecting 2 million patients, and the Eye Care Leaders breach impacting more than 2.9 million patients (and growing).

Considering their increasing scale and impact, how can healthcare security and risk management professionals mitigate the impact of third-party breaches like these?

1. Join a Community of Healthcare Providers Sharing Business Associate Risk Intelligence

Shared intelligence networks are libraries of on-demand vendor risk profiles that can be “checked out” when you need to assess a business associate. Risk profiles are based on industry-standard content and are automatically updated on a regular basis with continuous cyber, business, financial, and reputational insights added for context and to fill gaps between annual assessments.

However, the value of a shared intelligence network extends beyond simply leveraging already-completed risk profiles to assess a business associate’s risk. Networks offer an added benefit of community analytics – visualizing broader risk trends across an industry using data from multiple vendors in the network.

For example, if a top-ranked risk among vendors in a network is a weak password management policy, you can focus your risk management efforts on business associate password hygiene to proactively reduce the likelihood that passwords could be exploited by a hacker to gain access to your data managed by the business associate. You can then validate the business associate’s password management controls by using integrated continuous cyber monitoring insights to determine whether their passwords are for sale on the Dark Web.

Prevalent manages the Healthcare Vendor Network (HVN), the Health Information Sharing and Analysis Center’s (H-ISAC) exclusive solution for shared risk assessments for third parties based on the industry standard H-ISAC security, data privacy, and risk assessment. Hundreds of companies rely on thousands of completed vendor risk profiles in the HVN every day to manage their business associate risk.

The HIPAA Third-Party Compliance Checklist

Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.

Read Now
Feature hipaa compliance checklist 1021

2. Develop and Test a Third-Party Incident Response Plan

If a cybersecurity incident impacted a business associate, would you be able to quickly understand its implications to your business and activate an incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential business associate problems. A programmatic third-party incident response plan could include:

  • A centrally managed inventory of business associates, including their criticality to the organization
  • Pre-built business resilience, continuity and security assessments to gauge the impact of an incident
  • Scoring and weighting to help focus on the most important risks
  • Built-in recommendations to remediate potential vulnerabilities
  • Stakeholder-specific report to answer the inevitable board request

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of business associate cyber-security incidents by centrally managing third parties, automating event assessments, scoring identified risks, and accessing remediation guidance.

3. Simplify Compliance Reporting for the Inevitable Audit

HIPAA requires that healthcare organizations ensure that business associates and other third parties have the security and privacy controls in place to prevent unwanted access that impacts the confidentiality, integrity or available of PHI. To achieve this, companies should conduct thorough vendor risks assessments prior to the audit. Even if your organization does not experience a third-party security incident, auditors will eventually assess your business associate risk management program.

A third-party risk management solution can help simplify the process of collecting and analyzing business associate risks by:

  • Scoring the inherent risks that business associates bring to the relationship, helping to narrow down further due diligence efforts
  • Offering a dedicated questionnaire that maps answers to specific HIPAA requirements
  • Automatically raising and scoring risks from assessments to prioritize according to the organization’s risk tolerance
  • Including built-in remediation recommendations
  • Creating customized HIPAA reports for auditors and internal stakeholders that visualize percent compliance and notable areas for improvement

Be sure to download the HIPAA Compliance Checklist for a full analysis of how the Prevalent Third-Party Risk Management Platform can help simplify HIPAA audits.

Business associate security incidents are inevitable. However, you can be more proactive by sharing risk intelligence with peers, preparing an incident response plan, and getting ready for the inevitable audit. Request a demo today to learn how our H-ISAC endorsed solution can help.

Leadership scott lang
Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo