When a third party vendor is breached and their contractor's data is compromised, it's not always clear who is responsible and what the next steps should be.
Take Anthem's latest data breach, which occurred in July 2016 but wasn't publicly disclosed until a year later. An employee of its subcontractor, LaunchPoint Ventures, was reportedly involved in identity theft-related activities that exposed the data of 18,580 Anthem members. The only tie the employee had to Anthem was through its LaunchPoint contract, yet Anthem was responsible for notifying its customers.
Can Anthem now terminate its contract with LaunchPoint? It depends on the wording of their contract, says Tim Feldman, vice president and general manager of healthcare compliance and reimbursement at Wolters Kluwer Legal and Regulatory U.S. If the terms of a contract are violated, then the wronged company may be able to terminate the contract. But if both parties did their due diligence despite the "never event" breach, then the contract will likely not be breakable.
Addressing cybersecurity in hospital-vendor contracts has become increasingly important, Mr. Feldman advises, especially since protected health information is so valuable on the black market.
For example, a comprehensive personal profile — including personally identifiable information, Social Security number, appointment schedule, date of birth and insurance ID — might sell for $5 underground. But cybercriminals have also charged $500,000 for a hospital's complete EHR database. This stolen data can be used to procure drugs, create fake identities or obtain medical insurance.
Keeping this in mind, there are a number of cybersecurity concerns hospitals and insurers should consider when contracting with third parties. But there is no such thing as perfect security, Mr. Feldman warns.
"Both sides have to be serious about providing the absolute best security, but it really gets down to all the things you can do to lower your risk profile," says Mr. Feldman.
He recommends both providers and vendors begin by documenting a strategy, and they must both understand their states of cyber readiness. What's especially important, he says, is that a provider understands it is not entitled to off-load all the partnership's risk onto a vendor, although vendors must understand they will be held to a higher level of scrutiny in healthcare.
He suggests risk assessment frameworks, such as those published by the National Institute of Standards and Technology (NIST) or the Health Information Trust Alliance (HITRUST), as a good starting point. These frameworks allow organizations to evaluate their risk of a cyberattack. The data provided by a risk assessment may help organizations address potential threats proactively and plan their budgets accordingly. In fact, a vendor's choice of cybersecurity framework may influence a provider's choice of vendor. If an organization is aware of a specific vulnerability, it should be more diligent when selecting its vendor, he says.
Mr. Feldman also recommends partners define cybersecurity best practices to know how to adequately respond to breaches, develop systems to identify inappropriate data access — such as using automation to monitor computer logs — and protect their data from both external threats and insider hacks. Most importantly, he says both parties must educate and train their employees.
"Optimally, ensuring the privacy and security of PHI is really a team sport," he says. "So providers need to have vendors that … are knowledgeable and competent. [They] need to be able to rely on them."
However, Mr. Feldman concludes, "You can do everything right and a system can still be hacked."