
Iowa Reports Third Big Vendor Breach This Year

Latest Breach Affects 234,000 Individuals; Involves Recent MCNA Insurance Co. Hack

… Three large breaches within weeks of each other illustrate the vendor risk challenges that many state agencies face, said Keith Fricke, principal consultant at healthcare security and privacy consultancy tw-Security.

Those issues include the large number of third parties that many state agencies deal with and the time it takes to conduct proper risk assessments of those vendors.

“State agencies should try to manage the scope of vendor risk assessments by starting with ones falling into these categories: third parties storing, processing or transmitting large amounts of electronic PHI – and third parties having remote access into state agencies’ networks,” he told ISMG.

Fricke also said it is critical that state agencies carefully review business associate agreements. That includes ensuring the agreements contain language that sets expectations about timely breach notification and allows the agency to conduct periodic risk assessments of the vendor under reasonable terms and conditions.

“It is not enough anymore to have the required business associate agreements signed. Covered entities need to perform some type of risk assessment on vendors with whom they conduct business,” Fricke said.

Susan Lucci, a privacy and security consultant at tw-Security, suggested that covered entities should not be too quick to sign the business associate agreement presented by a vendor. “The covered entity should exhaust all options to get the business associate to sign theirs.”

If an entity must sign a vendor’s business associate agreement, “then read every line and redline that which does not support the very best protections for the covered entity’s data,” she said.

“Particularly, review the indemnification clause. If it is not included, add yours in. If it is in favor of the BA, request stronger language. Business associates must recognize their responsibilities – including financial – when they have a data breach.”
