BLOG SERIES, PART 4 | Outer Space and Cyberspace Are Dangerous Places
As healthcare entities seek tighter adherence to security standard frameworks such as NIST and HITRUST, more emphasis is being placed on third-party Business Associates to address data security requirements through detailed audits and security certification processes. These efforts can consume substantial resources from security and compliance teams that are already stretched thin.
Emergence of Third-Party Data Risk Management Programs
Regulatory attention on third-party data handling by Business Associates has become a major factor in setting data security priorities for 2018.
Protenus and DataBreaches.net found that in 2016, 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal were a direct result of third parties. The OCR has made it clear that organizations will be held responsible for Business Associates’ information security compliance.
To address the ongoing shortage of qualified cybersecurity professionals, outsourced managed services are being employed to augment risk management functions. The upcoming year will be one in which security officers increasingly look to outsourced providers to cover staff shortfalls and fulfill shorter-term needs in building out security programs from the ground up.
The complex nature of auditing and managing third-party data security makes this area particularly attractive for outsourcing to firms that specialize in healthcare vendor data security, such as CORL Technologies. In choosing a firm to handle vendor data security, it is helpful to engage those with familiarity and experience in healthcare data regulation compliance regarding ePHI and ePII, such as HIPAA and PCI data security requirements.
Business Associate (third-party) risk management is a focus for regulatory oversight, but many organizations still struggle to give the issue proper attention. How many resources are available in your organization to properly assess and manage third-party information security? If the answer is "not enough," a managed service provider may be the best option to get a thorough vendor security risk management program launched.
Learn more about emerging trends, threats and actionable risk management steps in our annual report: Navigating the Changing Cyberspace: 2018 Healthcare Data Security Outlook. Download this free report today and share with your colleagues.
This is PART 4 of a five-part blog series highlighting Healthcare Information Security trends as we pay tribute to the anniversary of the Apollo 11 mission of 1969.
About the Author
Brian Selfridge leads Meditology’s IT Risk Management Services practice, which is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare. He advises the federal government, including OCR and HHS, and is a frequent presenter and sought-after leader in the healthcare security and compliance industry. Contact Brian directly at firstname.lastname@example.org or follow him on LinkedIn.