Hospitals and health systems are facing significant data security and privacy threats due to the lack of vetting of their third-party vendors, BankInfoSecurity reported Dec. 5.
The Department of Health and Human Services' HIPAA breach reporting website showed that half of the 10 largest healthcare-related data breaches reported this year were caused by vendors or business associates.
Security experts said this demonstrates the importance of vetting third-party providers and including cybersecurity standards in contracts and regular audits.
They also said healthcare providers need to ensure a layered approach to security to defend against attacks that come through third-party breaches.
"The reason business associate data breaches have skyrocketed is a simple numbers game," said Paul Hales, regulatory attorney of the Hales Law Group. "Criminals know that one successful business associate attack yields protected health information from hundreds of covered entities. In a sense, business associates are just couriers. Covered entities are the real targets."
Since 2018, the attacks on business associates have doubled.
Some hospitals and health systems that have reported compromised patient information due to a third-party data breach include Seattle Children's and Houston-based St. Luke's Health.