Three Ways to Keep Your Third-Party Vendors from Becoming Your Biggest Cyber Crime Liability
How many cyberattack attempts were aimed at your practice today? That’s probably not a question you get asked very often, and it’s probably not something you think about very often either. In case you’re curious, in one of the first studies of its kind, the University of Maryland found that hackers successfully attack (not merely attempt to attack) an internet-connected computer every 39 seconds!
Cybercriminals constantly target businesses of all sizes and types, and you’ve most likely heard that their malicious attention is increasingly focused on the healthcare sector. Whether you are a solo practitioner, a small group office or a large DSO, you and your vendor relationships are at risk.
Criminals are looking at the entire “ecosystem of vendors” linked to healthcare. Third-party vendors are seen as easier targets because of a number of potential safety and security weaknesses.[1] Vendor vulnerabilities range from insecure update processes to restrictive permission controls that prevent them from detecting threats. And then there are the more common email phishing attacks.
The value of third-party business associate relationships isn’t in question. The real question is whether you, and they, understand the security of their services, the actual requirements of HIPAA compliance, and how both affect your overall security and revenue.
When it comes to preventing attacks, both the business and the business associates are accountable. Here are three proactive next steps you can take:
Step One: Renew Your Security and Compliance Commitment.
The best way to gain a foundational understanding is to do some basic fact-finding on your own business. How old is your practice management system? How secure is your secure email? Is your secure email fully HIPAA compliant? How many Business Associate Agreements (BAAs) are currently active with your practice? What services does each agreement state the vendor provides? What security failsafes do you have in place for data storage and backup? Answering these questions as best you can will give you a big-picture look at the business fundamentals of your practice.
Step Two: Find Out if Your Vendors Are “Walking the Walk” with Security and Compliance.
Use the information you gained from the fact-finding on your own practice to approach each vendor for an up-to-date cybersecurity conversation. With each vendor, don’t hesitate to ask specifics about their products and services, and expect answers that satisfy your questions. If a vendor claims its email is HIPAA compliant, insist that they walk you through every step of what makes it fully compliant and secure. For your internet service, regular email, data backup and IT management, understand each business associate’s cyber protocols.
Step Three: Not Satisfied with What You Learn? Find New Vendors.
Third-party vendors are critical to your business, and they also want to retain your business. If they are trustworthy, they will speak openly about what they can and can’t do for you. If what they offer isn’t what you need, then both parties can amicably part ways. The Association has resources and recommendations to connect you with partners who strive to keep your data and revenue secure.
Third-party vendors can be one of your greatest weapons against these criminals. Take time to understand your own vulnerabilities and have direct conversations with your business allies. Both of you will be more confident in the partnership when you do.
VDA Services endorses iCoreExchange HIPAA-compliant email. iCoreExchange not only meets or exceeds every compliance and security requirement, it also allows you to attach as many large files as you want to any single email. Speed up your workflow and protect your patients and your practice. Check out this convenient and compliant service or call 888.810.7706. VDA members receive a substantial discount on iCoreExchange.
[1] https://cybersecurity.criticalinsight.com/2021_healthcare_data_breach_report