Why the Facebook scandal should have you analyzing your third-party vendors

April 19, 2018

by Erich Falke — excerpted from ePlace Solutions

At the heart of the recent Facebook/Cambridge Analytica scandal is a third-party vendor gone rogue. What can you — as a physician, group administrator, or agent — learn from the scandal?

Though outsourcing is a necessary part of business operations, vendors are a risk. And when it comes to managing vendors, vendor risk needs to be a foundation piece of your cyber security program.

In the case of Facebook, an authorized app developer legitimately accessed Facebook users’ information, but acted without authorization when sharing that data with Cambridge Analytica. Now, Facebook faces serious legal and regulatory fallout thanks to a third party.

Health care providers face similar consequences when they fail to properly employ security measures for third party vendors. A physician practice in New Jersey was recently fined for failing to protect the privacy of more than 1,650 patients whose medical records were made public as a result of a server misconfiguration by a private vendor.

It was alleged that the group failed to conduct a thorough risk analysis of the third-party vendor and failed to employ security measures. Even though the vendor caused the breach, the data belonged to the physician group and they were required to protect it. The group paid more than $400,000 for the vendor’s mistake.
 

How to reduce vendor risk

  • Develop a vendor management program that classifies vendors based on the risk they present. It should include procedures for selecting, maintaining, and terminating vendors, and guidelines for making an employee (or several) responsible for vendor management.
  • Do your research. Require vendors to complete questionnaires about their security practices before hiring them. Ask them to provide a recent security review, as well as a report that lists their security controls. Reputable vendors will have these because other companies will have asked for them. If vendors do not have them or complain about the request, do not hire them.
  • Include important contractual clauses in vendor contracts, such as suspected breach notification, indemnification clauses, rights to audit, and subcontractor provisions.
  • Adhere to data minimization principles. If vendors don’t need the information, don’t give them have access to it.
  • Periodically audit your vendors. A contract review is not enough. If you think a vendor is not complying with a contract, follow up immediately.
  • Check your cyber insurance. Does your policy extend to your vendors? Are you considered a vendor to others and, if so, how does your policy address that? Review your coverage.


Key takeaway

Vendor management is essential, and companies will be held responsible not only for their own security, but their vendors’ security as well.

To learn more, please contact our privacy and security professionals.  

Previous Article
What we can learn from MD Anderson's $4.3 million HIPAA penalty
What we can learn from MD Anderson's $4.3 million HIPAA penalty

MD Anderson Cancer Center was recently fined for HIPAA violations. Let's go behind the headlines and take a...

Next Presentation
Case Closed: HIPAA and patient privacy
Case Closed: HIPAA and patient privacy

This presentation is a case study based on alleged violations of HIPAA privacy rules.

Request onsite HIPAA training from TMLT staff certified in health care privacy compliance.

CONTACT US