
BLOG SERIES, PART 4 | Outer Space and Cyberspace Are Dangerous Places

Blog Post by Brian Selfridge, Meditology Services IT Risk Management Partner

TOP RISK MANAGEMENT TRENDS FOR 2018

Each time a shuttle, rocket, person or animal is shot into space, spectators watch because we can visualize and imagine the risks. We understand that a lack of oxygen, gravitational force, water and food creates extreme survival difficulties. However, the risks and dangers of operating health practices in cyberspace are less visible. There is no “blast-off” of your health record or financial information rocketing into the unknown with a huge fuel cloud to mark the occasion. Still, the information is going into the great, wide unknown, often without adequate information security and risk analysis and protections.

One of the most significant risk factors is the sharing of sensitive information with third-party business partners. Increased attention to this risk has led to the emergence of third-party risk management programs and an increased focus on risk vulnerabilities within the Business Associate network.

As healthcare entities seek tighter adherence to security standard frameworks such as NIST and HITRUST, more emphasis is being placed on third-party Business Associates to address data security requirements through detailed audits and security certification processes. These efforts can consume substantial resources from security and compliance teams that are already stretched thin.

Emergence of Third-Party Data Risk Management Programs

Third-Party Data Handling is a Major Cause of Data Breaches

Regulatory attention on third-party data handling by Business Associates has become a major factor in setting data security priorities for 2018.

Protenus and found that in 2016, 30 percent of breaches and 30 percent of breached records reported to the HHS public breach portal were a direct result of third parties.[1] The OCR has made it clear that organizations will be held responsible for Business Associates’ information security compliance.

To address the ongoing shortage of qualified cybersecurity professionals, outsourced managed services are being employed to augment risk management functions. The upcoming year will be one in which security officers increasingly look to outsourced providers to augment staff shortfalls and fulfill shorter-term needs in building out security programs from the ground up.

The complex nature of auditing and managing third-party data security makes this area particularly attractive for outsourcing to firms that specialize in healthcare vendor data security, such as CORL Technologies. In choosing a firm to handle vendor data security, it is helpful to engage those with familiarity and experience in healthcare data regulation compliance regarding ePHI and ePII, such as HIPAA and PCI data security requirements.

Business Associate (third-party) risk management is a focus for regulatory oversight, but many organizations still struggle to give the issue proper attention. How many resources are available in your organization to properly assess and manage third-party information security? If the answer is “not enough,” a managed service provider may be the best option to get a thorough vendor security risk management program launched and off the ground.

Learn more about emerging trends, threats and actionable risk management steps in our annual report: Navigating the Changing Cyberspace: 2018 Healthcare Data Security Outlook. Download this free report today and share it with your colleagues.

This is PART 4 of a five-part blog series highlighting Healthcare Information Security trends as we pay tribute to the anniversary of the Apollo 11 mission of 1969.

PART 1 | Mission Control, We Have a Breach Problem

PART 2 | GDPR: Different Galaxy, Different Security & Privacy Rules

PART 3 | Healthcare’s Space Junk: Medical Device & IoT Security

PART 5 | We Need More Astronauts: Using Managed Services to Address Cyber Staffing Shortages

About the Author
Brian Selfridge leads Meditology’s IT Risk Management Services practice, which is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare. He advises the federal government, including OCR and HHS, and is a frequent presenter and sought-after leader in the healthcare security and compliance industry. Contact Brian directly at or follow him on LinkedIn.

[1] Landi, H. Healthcare Informatics, “Survey: Most Vendors Not Prepared to Comply with Data Protection Standards”. Oct. 16, 2016. Retrieved from: