Page 4 - SOUTH FLORIDA HOSPITAL NEWS MAY 2021

Medical Organizations Face Cyber Risks from Third-party Vendors

BY VANESSA ORR

[Photo: Tom Murphy]

With so many groundbreaking cyberattacks threatening healthcare organizations, many are upgrading their cyber protection. Unfortunately, what most don’t realize is that the threat isn’t always from within—the majority of cyber hacks are coming through third-party vendors.

“Think about all of the third-party vendors you have: billing companies, laboratories, numerous medical supply companies … the list goes on,” said Medical Malpractice and Workers’ Compensation Specialist Tom Murphy at Danna-Gracey, the largest independent medical malpractice insurance agency in Florida. “In this age of information technology, we are all interconnected, and since a lot of companies share important medical and patient information, that’s where they run into trouble.”

In fact, Cyber Risk Underwriters, which provides technology-driven cyber risk insurance solutions to clients including Danna-Gracey, recently released a study that estimates that 75 percent of its healthcare clients’ cyber issues were the direct result of their third-party vendors being hacked.

“This is why we’re seeing larger healthcare organizations and hospital systems taking a closer look at vendor contracts and attempting to determine their vulnerabilities,” said Murphy. “These types of breaches can result in serious financial loss and reputational loss, as well as fines and penalties for breaching HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act) guidelines. That’s why some healthcare organizations are mandating that their third-party vendors provide proof of their own cyber insurance or complete a cybersecurity certification.”

To earn this certification, a company is analyzed by a reputable cyber security organization that assesses its systems to determine the level of accessibility and vulnerability. It then provides recommendations or assists the company in putting protective processes in place.

“In this day and age, there’s no way to be 100 percent protected because cyber security is a moving target; criminals find new ways every day to breach cyber systems,” said Murphy. “It’s a constant battle to keep up.”

Without taking these steps, however, companies can find themselves in a world of trouble.

In 2019, for example, medical testing giants Labcorp and Quest Diagnostics were both using American Medical Collection Agency (AMCA) as a third-party vendor. When that company was breached, more than 19.4 million patients’ information was determined to have been exposed over the course of a year.

“Quest and Labcorp had to step in and get their insurance and public relations firms involved, and as of today, they are still dealing with financial ramifications, as well as huge damage to their reputations,” said Murphy. “They are also facing a number of class-action lawsuits in federal courts and in multiple states.”

He added that while the companies can likely withstand these financial issues because they had the proper insurance coverage, they now have to worry about ongoing government investigations that could result in penalties and fines for non-compliance with HIPAA and HITECH.

“AMCA filed for Chapter 11; what was once a strong financial company is out of business because of just one breach,” he added.

Know Your Vendors

Murphy recommends taking the advice of cyber risk analyst Katell Thielemann, who lists three things that companies can do to help protect themselves from these types of third-party issues.

“First, know all of the industry regulations applicable to your organization; do your homework and understand what these regulations—like HIPAA and HITECH—are,” said Murphy, adding that other industries will have different guidelines and regulations.

“Second, assess the security and risk management profile for all of your vendors; before you contract with them, find out what kind of security and risk management they have in place to protect themselves and your vulnerable information.”

Lastly, healthcare companies should know what information needs to be protected. “What types of information do you both share? How are you going to protect it? This seems like common sense, but it often gets overlooked when signing contracts,” advised Murphy.

He adds that healthcare organizations are at even greater exposure with the changes brought on by the pandemic. “Simply by using remote services and telehealth, healthcare organizations have become greater targets,” he said. “Companies involved in the cyber world have confirmed seeing a large increase in attacks and exposure.”

Proactively making sure that medical and patient information is safe can help prevent long-term fallout.

“If a company has done everything they can do to follow HIPAA and HITECH; if they have done their due diligence, have the proper protocols and coverage, and make sure their third-party vendors have the proper protocols in place, then they are typically okay in terms of government fines and penalties if a breach occurs,” said Murphy.

“On the flip side, they will still have financial issues and reputational damage,” he added. “That’s why it’s important to work with a really robust cyber protection company; not only to get insurance in case a breach occurs, but to be proactive in preventing this exposure from happening.”

For more information, contact Tom Murphy or Matt Gracey at (800) 966-2120 or visit www.dannagracey.com.
