OCR investigations reveal that healthcare organizations lack sufficient due diligence and internal compliance in measuring and monitoring third-party vendors and business associates. Symantec’s 2019 Threat Report forecasts a sharp 200% increase in supply chain attacks.
Providers and other healthcare organizations are finding themselves on the hook for their vendors’ security incidents and missteps affecting Patient Health Information. Security lapses resulting from negligence or error make the provider potentially liable and can trigger an inquiry into the provider’s own compliance with information privacy and security requirements.
The NIST Cybersecurity Framework (CSF) is recommended by HHS as guidance for proactive and corrective actions where deficiencies in HIPAA compliance are identified. The new NIST CSF v1.1 added the Supply Chain Category, which implies a duty for healthcare organizations to assess the sufficiency of each vendor’s security program both initially and on an ongoing basis.
Cyber Tygr’s assessment program uses the NIST CSF as a baseline to evaluate your existing vendor management program. Recommendations reflect the NIST CSF and HIPAA requirements, minimizing your organization’s exposure to risk while maximizing your compliance levels.