In our Cybercrime article series, we say that it’s a good idea to check if your back door is unlocked. But what if you are the back door? In June, Massachusetts General Hospital confirmed, and named, the third party vendor who was responsible for the cyberattack and security breach that exposed over 4,000 records. Being called out by a hospital as the cause of a security breach can be a death knell for your digital health business. And that’s just one instance where the vendor was identified as the cause.
Healthcare data is a hot commodity on the black market, driving an explosion in cyberattacks. Which means if you’re a third party service provider that wants to stay in business, cybersecurity vigilance is mandatory. If you can demonstrate to prospective clients that you’re already running a tight ship when it comes to cybersecurity and risk mitigation, you are better placed to win and retain business.
How Do I Avoid Being the Weak Link?
Ask yourself a few key questions:
- Do you know what client PHI you have access to, where it is and who is accessing it?
- Can you demonstrate your security and verify compliance quickly for your clients’ peace of mind? The key here being ‘demonstrate’ not simply ‘attest’.
- Do you understand the security risks within your organization and have a plan in place to mitigate them?
If you can’t answer those 3 questions, maybe your back door is open wider than you think. Or at least, the deadbolt isn’t locked and the alarm isn’t live.
Is it fixable?
The first step to getting on the right track is to manage your information security risk. That means a thorough security risk analysis is in order. We add “thorough” because if you’re not, you’ll be caught out, much like OHSU ($2.7 million fine), which did conduct fairly regular risk analyses. Regrettably, those either missed risks pertaining to ePHI or those identified didn’t get fixed.
Secondly, manage your compliance and information security program in a way that’s transparent to your business partners and clients. Let them see what you’re doing for training (people remain the greatest risk), certifications, asset management and ongoing risk mitigation. The less time clients need to spend worrying about you, the more valuable your services become.
Interested in learning more about streamlined, transparent cybersecurity, risk mitigation and information security compliance? Contact Ostendio about our easy-to-use, cloud-based workflow solution.