Mary A. Chaput

Large corporations and government agencies are increasingly suffering data breaches stemming from lax security on the part of their service providers. Investigators are learning that the gigantic breach at the Office of Personnel Management this summer may have been the result of two previous hacks experienced by its subcontractors.

In the health-care field, almost one in four organizations reporting data breaches are service providers (called “business associates” by the Office for Civil Rights). Here are some recent examples:

  • Just last month, 40 hospitals were forced to notify their emergency-room patients when a rogue employee at their billing company (Medical Management LLC) stole their names, birthdates, and Social Security numbers.
  • Two months ago, Gallant Risk & Insurance Services notified its group health plan customers when several laptops were stolen by two thieves who broke into their administrative offices.
  • Xerox is being sued for unauthorized access when it failed to return the state computer equipment and paper records containing health information for two million people when the administrative services contract with Texas Health and Human Services Commission was terminated.

According to the HIPAA Omnibus Final Rule, health-care providers and their business associates are equally responsible for protecting health information, but covered entities (hospitals, health plans, providers, etc.) are still responsible for ensuring the notification of patients whose records have been compromised — and that can be costly.

Strengthening Service Provider Security

Here are some practical ways for organizations — not just those in healthcare — to improve data security efforts by service providers:

Conduct a comprehensive inventory of all service providers — This will likely be a long list because it should include not just electronic transaction firms but outside attorneys, IT contractors, auditors, etc.

Determine which ones pose the greatest risk — Some service providers have access to information so sensitive that its compromise could cripple your organization. Keep a watchful eye on these service providers, but don’t assume that certain types of companies are risk-free. For example, investigators now think it’s possible that the huge Target breach in 2013 started with a “phishing” attack on a Target HVAC service provider, whose network credentials gave access to the retailer’s supplier portal. Some investigators surmise that the hackers gained access to the portal, then were able to burrow into Target’s payment systems.

Vet all service providers and be ready to switch if problems arise — Ask prospective partners to provide specifics on any previous breaches they’ve experienced and the remediation steps they took to prevent subsequent ones. Find out where information will be stored (overseas or U.S.) and how data will be returned or destroyed if the contract gets terminated. And it’s always wise to have a Plan B — a pre-screened service provider that can step in quickly to replace a problem-plagued one.

Carefully review all contracts — There should be language in every contract that details the service provider’s responsibilities and liabilities in the event of a breach (e.g., background checks before hire, return or disposal of health records upon contract termination, encryption of data at rest and in transit, and notification within five working days of a suspected or confirmed breach).

Demand an annual risk analysis — Every service provider should provide annual attestation that it has performed a bona fide information risk analysis.

Thoroughly document all the above activities — This provides evidence of a good-faith effort to bolster data security, which can help reduce penalties, fines, or lawsuits arising from a breach by the service provider.

In our increasingly networked world, companies with spotless records in data security can get burned if one of their service providers gets careless. Taking these proactive measures can help ensure that every link in the security chain stays strong.

Mary A. Chaput is CFO and chief compliance officer at Clearwater Compliance in Nashville, Tennessee.

4 responses to “How to Prevent Data Breaches by Service Providers”

  1. I’m concerned about “the gigantic breach at the Office of Personnel Management this summer” and that “Some service providers have access to information so sensitive that its compromise could cripple your organization.” I think that all organisations should ask, ‘Are we at risk?’, ‘What are we doing to prevent this from happening to us?’ and ‘How are we doing relative to others?’

    I think that benchmarking can be very effective when answering those questions. Proactive organizations across different industries addressed similar security issues as early as 2005. For example, beverage brands and publishing companies started to encrypt sensitive database information to prevent unauthorized access by administrators and other power users.

    Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. I think that the sensitive data itself needs to be selectively protected across all data silos.

    I also found great advice in a Gartner report covering enterprise and cloud that analyzed solutions for Data Protection and Data Access Governance; the title of the report is “Market Guide for Data-Centric Audit and Protection.” The report concluded that “Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act.”

    The attackers are stealing our sensitive data so we urgently need to secure the sensitive data itself.

    Ulf Mattsson, CTO Protegrity

  2. Data breaches are surely becoming commonplace. We all really need to take steps to protect ourselves. I know one way I have protected myself is by opening a Shazzlemail account. I rest assured that my emails are safe and protected. I know it may seem small, but a little step like this can go a long way when it comes to having your personal information protected.