Vendor Errors become Provider Problems

OCR investigations reveal that healthcare organizations are lacking sufficient due diligence and internal compliance in measuring and monitoring third party vendors and business associates. Symantec’s 2019 Threat Report forecast includes a sharp 200% increase in supply chain attacks.

Providers and other healthcare organizations are finding themselves on the hook for their vendor’s security incidents and missteps affecting Patient Health Information. Security lapses, resulting from negligence or error, make the provider potentially liable and signal an inquiry into the provider’s own compliance with information privacy and security requirements.

The NIST Cybersecurity Framework (CSF) is recommended by HHS as guidance for proactive and corrective actions where deficiencies are identified regarding HIPAA compliance. The new NIST CSF v1.1 added the Supply Chain Category, which suggests a duty for healthcare organizations to assess the sufficiency of the vendor’s security program initially and on an ongoing basis.

Cyber Tygr’s assessment program uses the NIST CSF as a baseline to evaluate your existing vendor management program. Recommendations reflect the NIST CSF and HIPAA requirements, minimizing your organizations exposure to risk while maximizing your compliance levels.

Program assessment and reporting address key areas:

• Aggregate Data – central repository
• Inventory – stakeholders, contracts, policies & procedures
• Compliance – rules-based due diligence
• Stratify Tiers – criticality, type, size, impact
• Risk Assessment – frequency, method, reporting
• Control – vendor obligations and agreement considerations
• Indemnification - considerations
• Actions - Violation of HIPAA or the BAA
• Cybersecurity Insurance – vendor requirements and reallocation of risk
• Corrective Action Plan – systematic awareness and response to vendor’s security practice