Security Design Reviews May Reduce Third-Party Risk; Keep an Eye on Vendor Off-Boarding

Before a vendor gets in the door of Yale New Haven Health, it goes through a security design review. The IT team at the Connecticut health system administers a questionnaire designed to give it confidence that the vendor won’t be a gateway to a security incident. For example, does the vendor have industry security certifications? What about its access controls and encryption? Will the vendor use subcontractors? Does it store data offshore? If the IT team finds any weaknesses, Yale New Haven Health might hire the vendor anyway if it agrees to add a security feature—or maybe there’s nothing the vendor can do to allay concerns and the contract is scrapped.

The security design review is part of third-party risk management, an area that has rocketed to the top of the worry list as business associates (BAs) and other vendors and their subcontractors have put health systems in jeopardy with ransomware attacks and other breaches.

“You get an initial read on that vendor and their risk profile,” said Nancy Dunn, system privacy officer at Yale New Haven Health. “As long as you have an assessment process like this and are placing controls throughout the life cycle of the contract, you will be able to significantly reduce potential risk.”

Third-party risk wasn’t top of mind when HIPAA came on the scene in 1996, said attorney Igor Gorlach, with King & Spalding. At the time, the sense was that covered entities had the ability to control their data and tell BAs to create compliance frameworks around it. “What has happened over the years is many business associates have outgrown the covered entities,” Gorlach said.

His point: “Business associates have more influence and more control over what happens to data and there’s fewer options to try to shape how the information is used, what security is put in place and by whom. When something happens to one of the bigger vendors, it affects a lot of systems.”

Hospitals don’t always have the resources to stay on top of third-party risk. “The reason compliance officers find it difficult to sleep at night is because they don’t have as much control,” Gorlach said. “The risk of something happening is high. You can do everything required by law and by security practices and still be subject to a security incident. Once you’re there, it affects your operations directly.” Consequences include disruption of operations, ransomware payments, HHS Office for Civil Rights (OCR) penalties and potentially expensive litigation under state consumer protection laws, he said. There’s also reputational damage and the risk of patient harm if, for example, patients are diverted to other hospitals or their medical records are temporarily unavailable.