A Broader Lens Into Vendor Risk Management

Posted by Ken Reiher

Gerry Blass, President & CEO, ComplyAssistant

Robert Babin, CISA, CISM, CPM, CPD, Director of Strategic Initiatives and Chief Information Security Officer, Saint Peter’s Healthcare System

In today’s global economy and highly connected system of networks, covered entities and their business associates are susceptible to any attacker from any country. With a seemingly infinite number of digital pathways right to the doorsteps of healthcare providers, we need to work even harder to protect information that could be exposed online. That includes vendor risk management—how we interact with third-party vendors and business associates who are obligated to safeguard our data.

Before the digital evolution of healthcare, partnerships with vendors and business associates were based on a handshake. In 2018, an astounding 20% of healthcare data breaches occurred via third-party vendors. And though we have complicated business associate agreements (BAAs), which are in part meant to hold third-party vendors accountable for how they use, store and share protected information, even a business associate agreement is simply a piece of paper.

So, how do we start to think more broadly about vendor risk management? How do we perform the due diligence needed and stay on top of vendors to make sure they comply with HIPAA and with our own security policies and procedures? What types of data need to be protected? What are the types of business partners with whom you should have business associate agreements?

What data needs to be protected?

Though in healthcare we tend to focus on protected health information (PHI) under the HIPAA Privacy and Security Rules, we should aim for a broader definition of protected data. In practice healthcare providers need to have policies and procedures to protect any type of data that is critical to the operations of your business, which could include any of the following:

  • Protected Health Information (PHI) – the term given to health data created, received, stored or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services. PHI includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information and other information used to identify a patient or provide healthcare services or healthcare coverage.
  • Personally Identifiable Information (PII) – refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information, that is linked or linkable to a specific individual.
  • Payment Card Industry Data Security Standard (PCI DSS) – a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
  • Intellectual Property (IP) – any product of the human intellect that the law protects from unauthorized use by others, traditionally comprised of four categories including patents, copyrights, trademarks, and trade secrets.
  • Business Intelligence (BI) – leverages software and services to transform data into actionable insights that inform an organization’s strategic and tactical business decisions; insights may be presented in the form of reports, summaries, dashboards, graphs, charts and maps.

Who is a business partner?

When planning for vendor risk management, healthcare providers should widen their perception on who should be considered a business partner, and who, therefore should need to sign a business associate agreement and be required to performs to audits and assessments that will protect your organization’s data. Consider including any business partner on this list as part of your vendor risk management strategy:

  • Vendors – this could include software vendors, medical device vendors and the like
  • Contractors – this includes both staff that are contracted directly with your organization, along with contractors employed by third parties
  • Third-party organizations – includes any outside organization with access to protected information about your business
  • Covered entities – this includes other providers, payers, exchanges or similar who will be able to access, store or transmit data about your patients
  • Downstream business associates – includes BAs used in a downstream capacity by another business associate with whom your organization has a direct contract

So, for healthcare providers, we recommend putting a new lens on your vendor risk management strategy. Expand your view of what is considered protected data. Expand your list of business partners. And make sure your own organization’s policies and procedures are updated to reflect additional considerations beyond PHI and HIPAA.

Special thank you to Bob Babin, CISA, CISM, CPM, CPD, Director of Strategic Initiatives and Chief Information Security Officer at Saint Peter’s Healthcare System in New Brunswick, NJ for his contributions to this content.

More vendor risk management resources from ComplyAssistant: