Third-party vendors still a big security concern for healthcare providers

Half of all organizations polled for a new Ponemon survey said they'd experienced a data breach caused by a vendor business associate.
By Jessica Davis
02:14 PM

With the recent surge in ransomware attacks, cybersecurity is a top priority for healthcare organizations across the nation. But even if providers have top security measures in place, there's another component to consider: the vulnerabilities of third- and fourth-party vendors.

Almost three-quarters of businesses said cybersecurity incidents related to vendors are increasing, according to a recent Ponemon Institute survey commissioned by BuckleySandler and Treliant Risk Advisors.

About half of the respondents said their organization experienced a data breach caused by a vendor, but 16 percent of respondents were unsure if a breach had occurred. And another 65 percent said managing cybersecurity incidents involving vendors is difficult.

"The type of risk we're seeing now is changing in response to our evolving data-driven economy," Rena Mears, managing director of BuckleySandler, said in a statement. "The risk to strategic data assets extends beyond any single third-party, but rather to the web of relationships that comprise the data ecosystem."


More than a third of businesses don't believe their third-party vendors would notify them if a data breach occurred. And a staggering 73 percent of respondents don't believe a fourth-party vendor would contact them regarding a data breach. A fourth-party vendor is a subcontractor that the third-party vendor itself hires, often without the original organization's knowledge.

Survey respondents admitted their organizations shared sensitive data with third parties that may have poor security policies in place. More than half said they weren't able to determine what safeguards their vendors had in place to prevent a data breach, and 60 percent of respondents said their organizations don't monitor their vendors' security and privacy practices. Only 41 percent said their vendors' safeguards were sufficient.

"The inability of so many companies to confirm whether third parties have had a data breach or cyberattack involving sensitive and confidential information should be a wake-up call for businesses across all industries," said Susanna Tisa, chief business officer of Treliant Risk Advisors, in a statement.

"To mitigate this risk, companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors," Tisa added. "However, we found few companies represented in this research, in particular those outside the regulated banking sector, have done so."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
