August was a bad month for the nationwide Bon Secours Health System, as it was forced to admit that sensitive personal data and some medical data of more than 655,000 patients had been exposed in a significant data breach.
Exposures like this are commonplace, it seems, and other than the sheer size of the loss, what makes this special? It’s this: The information was not in the control of Bon Secours, but was exposed by a third-party vendor, R-L Healthcare Management, a reimbursement optimization company based in Phoenix. (It’s important to note that we do not know that any of the exposed records were actually lost to hackers)
For the past decade or so, the intersection of wireless computing, cloud services and digital data has been both a tectonic shift and a fault line for business, nonprofits and government sectors. Just last year, a survey found 85 percent of businesses were finally ready to elevate cybersecurity to a business priority.
But the Bon Secours exposure illuminates an important lesson for businesses: Having a good handle on your own cybersecurity is not enough. You have not only a right but a responsibility to vet your partners and vendors for their security as well.
This is an area largely unaddressed by most companies. And that’s a big problem when you consider how many third-party connections you have into your internal systems or cloud-based data from point-of-sale to payroll.
Here’s a sampling of what’s happened to some large companies so far in 2016 alone:
- W2Express, an Equifax company, was hacked exposing the sensitive data of employees of all of its clients, including Kroger, Stanford University and Northwestern University
- More than a dozen companies including US Bancorp that were signed up with ADP, the payroll processing giant, had employee data SSNs breached through a weakness in its portal system
- In the health care space, another vendor, Bizmatic, an electronic records provider with more than 15,000 client practices nationwide, was infected with malware. The extent of that infection is still being uncovered.
There are positive steps that all companies regardless of size should take.
1. Develop an inventory of all third-party vendors and partners, key contacts, emergency numbers (note: you should have this for your emergency plan anyway), the access they have been granted, the purpose it was for and the date it was last reviewed. If you don’t know the answer to those last questions, you have some work to do to get control.
2. Develop a standards and practices review to help you assess the strength of a vendor or partner’s internal security. Bitsight, the security assessment and mitigation company, has 40 questions you should ask. Many small businesses will want to narrow that list to a more manageable number of key questions, including: How is your IT managed? What security processes do you use internally to detect breaches? Have you ever had a security breach? Do you use penetration testing through qualified external vendors to identify weaknesses?
3. Make security part of your contracts. The details of any vendor’s access to your data, your internal network or cloud-based systems need to be clearly established in their contracts or as an addendum to an existing contract. No provider who can be trusted with your information will resist these provisions.
4. Scale access appropriately. One size does not fit all. You need to able to give a vendor only the access they must have to fulfill their agreement, nothing more.
5. Establish regular security reviews to assess internal and external access for appropriateness. A vendor whose contract has expired may still have access into your systems. Quarterly reviews are essential to managing your internal risk.
6. Monitor and manage the relationship actively. This is an area that, when handled proactively, may prevent breaches. For example, knowing when your third-party vendors are planning system upgrades can spark a conversation about how your data will be protected during the move. Having that conversation certainly can’t hurt.
Managing your risk involves a much more proactive approach to security that reaches beyond your internal systems. While the vendor may bear culpability, the responsibility to protect your customers’ data is yours. The vendor may get the fine, but your reputation will take the hit.
Is your medical and personal data safe in your doctor’s hands? You decide:
Risk: Some 47 percent of Americans had their medical records hacked in 2015, according to a report from a cybersecurity think tank. The Health and Human Services Department put a number to that and reported 113 million medical records had been stolen in 2015 alone.
Reward: A medical record sells for about $60. Compare that to a Social Security number at $10 or a mere credit card from $1 to $3, according to Fast Company.
Response: Thanks to those numbers, health care providers are taking security even more seriously. So are oversight organizations that levy fines to hospitals and medical practices whose security lapses expose patient data. HHS’s Office of Civil Rights resolved 9,407 HIPAA violation cases in 2012. Just two years later, the number of violations more than doubled to 17,748. Since last November, federal regulators levied fines totaling $16 million to just five health care entities that were breached.