Cybersecurity in Healthcare: Why Healthcare Providers Need to Vet Outsourced Vendors

As healthcare organizations outsource more products and services from various business associates and third-party vendors, it’s necessary to understand the different types of vendors and ways to identify and mitigate the cybersecurity risks that each vendor presents to your organization. Before you can introduce a product or service into your organization, you need to properly vet your vendors and ensure that their security posture meets your risk tolerance.

Outsourced Vendor Types and Cybersecurity Risk

Recent news of cyberattacks has highlighted the importance of vetting and monitoring your vendors’ security posture, or risk becoming the victim of a third-party data breach. For healthcare organizations, maintaining patient privacy is key.

However, when you trust your vendors to protect your sensitive data, you expose your organization to severe risks. The fact of the matter is that you don’t have control over your vendor’s security controls, so before you purchase a service or integrate a product into your organization, you need to perform a thorough vetting process to ensure that your vendor can defend your information.

Let’s look at the different types of vendors you outsource to and why the vetting process is so important:

Third Parties: As healthcare organizations continue to rely on third parties for key products and services, the vetting process is a must. You need to have a full picture of what your vendor’s controls are and how they will handle your information. How and why is your data accessed? Who will have access? These are all important questions to consider when vetting your third party’s security controls.

Managed Service Providers: When outsourcing products and services, many healthcare organizations turn to Managed Service Providers (MSPs), which are hired to perform a type of managed service on behalf of the organization. A few examples of MSPs include cloud service providers, patient portals, and laboratory or medical testing.

Fourth Parties: When dealing with your supply chain, you need to also consider your vendor’s vendors, also called fourth parties. It’s important to understand that your fourth parties may provide essential services for your vendors, which affects your organization as well. In certain cases, your fourth parties may even have contact with or access to your sensitive data, so they need to be held accountable and properly vetted for their security posture and compliance. For example, if PHI is involved, fourth parties are held accountable to HIPAA regulations.

Offshore Vendors: Offshore third parties include any vendors whose main operations or a branch of their operations are not located on U.S. soil. Depending on where the offshore provider is located, there may be additional risk in the relationship. Attackers are more active in certain countries, so it’s important to know at which offshore locations a vendor will maintain operations that access, transmit, or store your patient data. If it’s in a location heavily targeted by attackers, extra security controls will need to be implemented.

Independent Contractors: Independent contractors provide specific services or deliverables to your organization and can pose security risks when working remotely or without the proper security measures in place. In these instances, your organization may require the contractor to perform their work on a Virtual Desktop Infrastructure (VDI). A VDI ensures that all work performed is done on your network and stays on your network. However, these outsourced vendors need to undergo vendor vetting as well to ensure they maintain proper security controls for your independent contractors.

6 Key Areas of Security and Data Protection When Vetting a Vendor

Outsourced vendors can be key to the success of your organization and to the quality of care you provide your patients. However, a lack of security controls can present great risks to your organization, which you can identify during the vetting process.

Here are several key areas of security and data protection that need to be addressed when vetting an outsourced vendor:

1. Proof of controls
   When assessing your vendor, you need to look at what controls the vendor has in place to protect your data. Request proof of their security posture in the form of security certifications, independent audits, or completion of a vendor vetting questionnaire. It’s important to understand that you and your vendors have a shared responsibility when it comes to security and data protection. You will need to know exactly what your responsibilities are and that your information security team can fulfill these responsibilities. If your team has limited resources and expertise, you may want to consider outsourcing control assessments to industry experts, which will ensure that the proof of controls is verified and accurate.
2. Regulations and Compliance
   Verify that your vendors comply with the necessary regulations. Depending on the products or services, this may mean checking for compliance such as HIPAA, PCI DSS, or GDPR for EU patients. You should also add in provisions to vet any fourth parties, including subcontractors, who handle or access your sensitive data, as they’ll need to comply with regulations as well.
3. Remote Access to Network
   Your organization needs to verify how and why your vendors access and use your sensitive data. For third parties with remote access, the proper controls need to be implemented to ensure security. These controls include VPNs, multifactor authentication tools, VDIs, and a zero-trust model.
4. User Access to Applications or Devices
   What controls limit which employees and staff members have access to your organization’s data? Verify what user access controls are applied to the vendor’s applications and devices, such as whether they include multifactor authentication (MFA) and if a Zero Trust model is implemented.
5. Security Training and Awareness
   Ensure that your vendors effectively educate their staff on security awareness and best practices. This education should include phishing training to help staff identify and report any suspicious activity as well as best practice training multifactor authentication apps.
6. Backup and Recovery
   Your vendors need to provide full disclosure as to how your PHI and other sensitive data will be backed up and what encryption methods are used for backing up that data. You should confirm that the vendor performs regular recovery testing, to ensure that your data can be recovered from a backup source, and that backup locations comply with regulations such as GDPR.

Vetting your vendors is essential to identifying and managing cybersecurity risks that threaten your organization and your patients. Your team should work to gain as much transparency into your vendors’ security practices as possible before signing a contract and exposing your sensitive information to potential threats.