It was recently announced that Bonobos, a subsidiary of Walmart, was the victim of a breach that exposed the personal information of millions of its customers. However, the attackers did not target Bonobos or Walmart directly; instead, they breached the third-party cloud service provider that handled database backups for the company. Many in the healthcare space overlook this fact: you can be victimized by a breach even when your organization is not the target of the attack. The key to preventing this type of incident is vendor due diligence.
Healthcare Vendor Due Diligence
Vendor due diligence is an often overlooked aspect of both cybersecurity and compliance. With the rise in cyberattacks that reach healthcare organizations through their cloud service provider vendors, adequately assessing all of your business associates has never been more important.
As such, a key component of managing cybersecurity risk is sending risk assessments to any vendor that has the potential to access protected health information (i.e., your business associates).
By having your business associates complete a risk assessment, you can identify gaps in their security practices. Their gaps are ultimately your gaps, so before you continue to work with them, insist that they address their vulnerabilities and security deficiencies with remediation plans.
What Does This Mean for MSPs and MSSPs?
When healthcare organizations contract MSPs and MSSPs, they expect a complete solution with total protection. MSPs and MSSPs often do a good job of managing risk when it comes to securing and monitoring the end customers’ networks. However, when data is stored in a third-party cloud, tracking and protection generally fall to the cloud vendor or the end customer.
Your healthcare clients don’t have to be the target of a hack to be impacted, as further evidenced by the Blackbaud breach: a cloud service provider was hacked, compromising hundreds of organizations and the protected health information of more than 11 million patients.
This is why it is essential to include all of the client’s vendors and cloud tools in their risk assessments. As their trusted advisor, it is your obligation to ensure that their data is adequately protected; that is why they hired you!
Healthcare Cybersecurity Law 7898
Healthcare cybersecurity has become so dire of late that a new cybersecurity bill was signed into law. The new law, known as HR 7898, requires the Department of Health and Human Services (HHS) to incentivize healthcare cybersecurity. In essence, under the new law, a healthcare organization subject to a HIPAA audit would be exonerated from culpability if it could demonstrate that it had implemented a recognized cybersecurity framework, such as the NIST CSF.
Healthcare organizations that can prove, with documentation, that they have implemented a cybersecurity framework would then receive technical assistance from HHS rather than being fined for noncompliance.
This again provides a huge opportunity for MSPs and MSSPs working in the healthcare space. HHS expects healthcare organizations to have a third party implement their cybersecurity framework, and as your clients’ trusted advisor, they will look to you to do so.