by Erich Falke — excerpted from ePlace Solutions
At the heart of the recent Facebook/Cambridge Analytica scandal is a third-party vendor gone rogue. What can you — as a physician, group administrator, or agent — learn from the scandal?
Though outsourcing is a necessary part of business operations, vendors are a risk. And when it comes to managing vendors, vendor risk needs to be a foundation piece of your cyber security program.
In the case of Facebook, an authorized app developer legitimately accessed Facebook users’ information, but acted without authorization when sharing that data with Cambridge Analytica. Now, Facebook faces serious legal and regulatory fallout thanks to a third party.
Health care providers face similar consequences when they fail to properly employ security measures for third party vendors. A physician practice in New Jersey was recently fined for failing to protect the privacy of more than 1,650 patients whose medical records were made public as a result of a server misconfiguration by a private vendor.
It was alleged that the group failed to conduct a thorough risk analysis of the third-party vendor and failed to employ security measures. Even though the vendor caused the breach, the data belonged to the physician group and they were required to protect it. The group paid more than $400,000 for the vendor’s mistake.
How to reduce vendor risk
- Develop a vendor management program that classifies vendors based on the risk they present. It should include procedures for selecting, maintaining, and terminating vendors, and guidelines for making an employee (or several) responsible for vendor management.
- Do your research. Require vendors to complete questionnaires about their security practices before hiring them. Ask them to provide a recent security review, as well as a report that lists their security controls. Reputable vendors will have these because other companies will have asked for them. If vendors do not have them or complain about the request, do not hire them.
- Include important contractual clauses in vendor contracts, such as suspected breach notification, indemnification clauses, rights to audit, and subcontractor provisions.
- Adhere to data minimization principles. If vendors don’t need the information, don’t give them access to it.
- Periodically audit your vendors. A contract review is not enough. If you think a vendor is not complying with a contract, follow up immediately.
- Check your cyber insurance. Does your policy extend to your vendors? Are you considered a vendor to others and, if so, how does your policy address that? Review your coverage.
Vendor management is essential, and companies will be held responsible not only for their own security, but their vendors’ security as well.
To learn more, please contact our privacy and security professionals.