Health Data, Privacy and Security

Identifying and Managing Risk in Health Information Vendor Relationships

Identifying and managing risk in third-party vendor relationships is key to the covered entity’s ability to ensure the confidentiality, availability, and integrity of protected health information (PHI). Therefore, reducing the risk of vendor breaches should be a primary focus.

According to the Department of Health and Human Services (HHS) Breach Reporting Website, five of the top 10 breaches in 2022 in terms of individuals affected were attributed to business associates, with the OneTouchPoint, Inc. breach topping the list by impacting 4.1 million individuals. According to SC Media, 90 percent of the 10 largest healthcare data breaches reported in 2022 were caused by third-party vendors.

Breaches can consume a covered entity’s valuable financial resources. The healthcare industry has the highest average data breach cost at $10.1 million.

Aside from cost, breaches can impact the health and safety of patients served. The 2017 Nuance Communications breach affected its transcription platform, putting at risk the availability of documentation necessary for ongoing patient care. Elekta, a third-party vendor of radiation therapy, radiosurgery, and clinical management services for cancer treatment providers, experienced a cyberattack in 2021 that forced some providers to cancel radiation treatment appointments due to the resulting network outages.

Cost, patient health and safety, potential enforcement actions, and business and reputational loss drive the need for covered entities to invest resources in strong vendor risk management programs. 

Third-party vendors play an important role throughout the healthcare environment. Awareness and identification of an organization's third-party vendors is a fundamental step toward vendor management. This can be achieved through implementation of a formal contract management process. Contract management is the process of “managing contract creation, execution, and analysis to maximize operational and financial performance at an organization, all while reducing financial risk.”

Essential Components of a Contract Management System

A formal contract management system is the basis for reducing vendor risk. A contract management system will ensure the following key risk management components:

  • Identifying all of the vendor relationships, including a well-defined statement of work and identification of permitted data use and security obligations 
  • Strong vetting with a focus on the vendor's security program
  • Avoiding unnecessary relationships that bring risk and do not align with organization goals and needs 
  • Maintaining source of truth documents, including service agreements, business associate agreements, and security addendums 
  • Ensuring service and business associate agreements contain terms and conditions favorable to the organization and that the third party has strong obligations specified to protect and secure the data

Furthermore, a collaborative review of business associate agreements (BAAs) is an important factor for a strong vendor management relationship. A thorough investigation of third-party vendors through a formal contract management process will allow the entity a greater understanding of the vendor, what services or goods they are supplying, and any risk involved if unforeseen circumstances were to occur (e.g., separation of contract, cease operations with vendor). 

Covered entities should know who their third-party vendors are and what services they provide, and should also make sure those vendors adhere to federal and state regulations. According to the HHS Office of Inspector General Exclusions Program, healthcare organizations are prohibited from doing business with “excluded or sanctioned” individuals or entities. This includes doing business with excluded or sanctioned vendors.

Covered entities should establish a rigorous formal contract management process to make sure that all parties involved have a solid understanding of their obligation when it comes to the protection of patient health information to reduce the likelihood of a breach from third-party vendors.

There are different stages to the contract management process, but the covered entity must at the very least determine the third-party vendor's scope and confirm that they acknowledge their role as a business associate. 

Ensuring a Comprehensive Vendor Risk Review

A vendor risk review can vary depending upon several factors, including: 

  • Type of data used, disclosed, collected, created, and maintained 
  • Individuals who will have access and use the data 
  • How the data is secured
  • Where data is stored (e.g., offshore)
  • How the data is transferred 

It is important to consider the various use cases for the services or products that the vendor is providing. There is no one way to identify which vendors are riskier, but using a standard risk scoring methodology that includes the likelihood and impact that the vendor will have on the organization will assist in determining anticipated risk.

A technology vendor should have a strong security posture and program, and must be able to provide satisfactory assurances that they pose a low risk. Vendors can do this by providing a security certificate such as a SOC 2 Type II certification, ISO certification, or other equivalent certification. While certifications do not guarantee that a vendor will not have security issues, a certificate provides a level of validation that the vendor has undergone a rigorous review of its security program.

In addition to a security certification, organizations may also want to conduct their own security review. This review can be done using a Standard Information Gathering (SIG) Questionnaire. A SIG can be a standard set of questions and can be configurable to allow the organization to scope the vendor through a general or comprehensive set of questions to assess vendor risk.

Tools can be built to automate the risk score based on how the vendor answers the questionnaire. A simple and widely used approach calculates the overall risk score by multiplying likelihood by impact, with the result mapped to low, medium, high, or very high risk. Organizations should review different risk scoring methodologies to determine the one most applicable to their security program.
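As an added illustration (not from this article or any specific SIG product), the following scorer automates the likelihood-times-impact method over SIG-style questionnaire answers, using the article's review factors (data type, access, storage, transfer) as impact inputs and missing controls as likelihood inputs. The question names, weights, 1-5 scales, band cut-offs and sample vendors are all assumptions constructed for the example.

```python
"""Vendor risk scorer: likelihood x impact over questionnaire answers (illustrative)."""
import math

# Impact factors (assumed): each answer is a 1-5 rating; weights sum to 1.0.
IMPACT_FACTORS = {
    "data_sensitivity": 0.5,   # 5 = PHI with SSN, financial or diagnosis data
    "record_volume": 0.3,      # 5 = organization-wide patient population
    "offshore_storage": 0.2,   # 5 = PHI stored and transferred offshore
}

# Likelihood controls (assumed): each missing control adds its weight as a gap.
LIKELIHOOD_CONTROLS = {
    "independent_attestation": 1.5,      # SOC 2 Type II, ISO or equivalent
    "encryption_in_transit": 1.0,
    "encryption_at_rest": 1.0,
    "mfa_for_phi_access": 1.0,
    "tested_incident_response_plan": 0.5,
}

def likelihood(answers: dict) -> int:
    """1-5 scale: 1 when every control is present, rising with each gap."""
    gaps = sum(w for ctl, w in LIKELIHOOD_CONTROLS.items() if not answers.get(ctl, False))
    return max(1, min(5, 1 + math.ceil(gaps)))

def impact(answers: dict) -> int:
    """1-5 scale: weighted average of the impact factor ratings."""
    score = sum(w * answers[f] for f, w in IMPACT_FACTORS.items())
    return max(1, min(5, round(score)))

def band(score: int) -> str:
    """Map likelihood * impact (1-25) to the four bands; cut-offs are assumed."""
    if score >= 15:
        return "very high"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"

def score_vendor(answers: dict) -> dict:
    """Return the full scoring result so the inputs behind the band are auditable."""
    lik, imp = likelihood(answers), impact(answers)
    return {"likelihood": lik, "impact": imp, "score": lik * imp, "band": band(lik * imp)}

# Constructed sample answers: a transcription vendor holding sensitive PHI with two
# control gaps, and a low-volume vendor with every control in place.
TRANSCRIPTION_VENDOR = {"data_sensitivity": 5, "record_volume": 4, "offshore_storage": 3,
                        "independent_attestation": True, "encryption_in_transit": True,
                        "encryption_at_rest": False, "mfa_for_phi_access": False,
                        "tested_incident_response_plan": True}
LOW_RISK_VENDOR = {"data_sensitivity": 2, "record_volume": 2, "offshore_storage": 1,
                   **{ctl: True for ctl in LIKELIHOOD_CONTROLS}}
```

Running `score_vendor(TRANSCRIPTION_VENDOR)` yields likelihood 3 and impact 4, a score of 12 in the "high" band, which is the kind of output that would trigger a comprehensive rather than general questionnaire scope.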

How often should an organization audit its vendors? Annual auditing is recommended. However, if an organization has a lot of vendors, it may not always get through every vendor on a yearly basis. Ad hoc reviews are needed based on events that happen or on service level agreements. Ideally, an organization would audit during a contract review or update, writing this stipulation into the contract.

Vendor Security Incident Management 

A good, or even great, vendor management program will not fully protect an organization from a breach. If PHI is shared with downstream vendors, an organization expands its risk of experiencing a breach. Ideally, the risk assessment has already flagged which vendors pose a risk, and there is a detailed security incident response plan that includes tabletop exercises. Tabletop exercises are a great way to talk through incidents that may happen in a controlled fashion.

In the event an organization is notified of an incident by a vendor, the first thing to do is review the incident response plan and any policies and procedures. If an organization has an incident response team, it should be pulled into the investigation to determine if there is any ongoing threat to the environment that it should address.

If the vendor has completed the review, request all documentation from their investigation including: 

  • A copy of the forensics analysis 
  • Specific details such as what variant was identified if the incident involved ransomware or malware
  • Number of customers impacted 
  • A detailed timeline of events 
  • Data accessed or potentially accessed, including specific data elements such as: 
    • Patient name 
    • Date of birth 
    • Social security number 
    • Address 
    • Financial information
    • Insurance information 
    • Diagnosis or procedures 

Even if the vendor determines that the incident is not a breach, an organization should conduct its own risk assessment according to the requirements found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule. Organizations should maintain all documentation to support a risk assessment determination.

The rule requires covered entities and business associates to consider at least the following factors: 

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made 
  • Whether the PHI was acquired or viewed 
  • The extent to which the risk to the PHI has been mitigated 

Depending on the outcome of an investigation, the organization may need to contact its cyber liability insurance provider. Many insurance plans have specific reporting timeframe requirements. Coverage may also include investigation mitigation support. 

Lastly, review business associate agreements and underlying contracts to determine the vendor’s responsibilities in the event a breach is confirmed and requires reporting. Request that the vendor provide proof of compliance with the security rule. Ask what measures they have in place to prevent incident recurrence. How will they detect and stop future incidents quickly? And what additional safeguards are they implementing as a result of the incident?

Carlyn Doyle, MSHI, RHIA, CHPS, HCISPP, CDPSE, is compliance director at WebMD Health Corporation.

Amy Henderson, RHIT, CHPS, CCA, is regional privacy officer for California facilities at health system Dignity Health.

Lesley Kadlec, MA, RHIA, CHDA, is director of knowledge and practice at AHIMA.

Peg Schmidt, RHIA, CHPS, is deputy chief privacy officer at health system Advocate Health.

Barbara Kennedy, MA, RHIT, CHPS, is HIPAA privacy officer at community health center Yakima Valley Farm Workers Clinic.

DeAnn Tucker, MHA-HI, RHIA, CHPS, CHPC, CCS, is senior manager at consulting firm Coker Group.