Tool: Third-Party Risk Management Guide for Medical Labs

Cyberattacks are becoming more common and brazen in the healthcare industry, prompting many providers, including medical laboratories, to review their cybersecurity and resilience plans. However, as the recent Change Healthcare cyberattack illustrates, lab leaders also need to be wary of the risks posed by any third parties they do business with that may have access to protected health information (PHI) and other sensitive data. How can labs mitigate these risks? Brad Hibbert, chief operating officer and chief strategy officer at third-party risk management company Prevalent, offers the following key tips:

When choosing a third party that will have access to patient PHI:

• Ensure you properly screen the company before signing a contract.

• Check the company’s references and any media reports to get a sense of their reputation in the industry. Have they had any compliance violations or bad press?

• Ask what certifications they have (PCI, SOC2, ISO 27001 Statement of Applicability, etc.) and ensure those certifications are up to date.

• Ask if they offer user training. User training is critical as employees are often the means for cyberattackers to breach defenses via phishing attempts, etc.

• Ask what safeguards they have in place. This includes data encryption, perimeter defenses (preventing hackers from getting in), security and privacy controls, etc.

• What change controls or resilience plans do they have to mitigate the damage if a cyberattack does occur? What about an incident response plan?

• Look at their data breach history. How many breaches have they had? What was their response to those breaches?

Signs that you may want to avoid a third-party company:

• Negative press.

• Compliance violations.

• Lack of certifications or certifications that are not up to date.

• Lack of adequate cybersecurity plans/measures.

• A history of data breaches and failure to properly address those breaches.

How to ensure a third party is properly handling and protecting patient PHI and other sensitive data

• When setting up the contract, ensure that privacy and security clauses are written into it.

• Monitor and keep the contract up to date, ensuring the third party is meeting their obligations throughout. If a possible weakness or issue is found in the contract, update it to tighten security measures, etc.

• Right-size depending on the third party. Don’t treat all parties the same. For example, a third party that is handling PHI will need a higher level of due diligence than one that’s not responsible for such information.

• Review contracts at least annually.

• Conduct an internal controls assessment into the third party’s data protection processes and measures currently in place. Be prepared to suggest remediations for areas where the third party falls short of your organization’s risk appetite.

• Monitor for any compliance violations or bad press received by the third party, if any issues are found, don’t just record or report them, ensure they are addressed in the contract, remediation plan, etc., so the risk is reduced to a level you’re comfortable with.

What lab leaders can do before a third-party data breach occurs

• Have resilience, breach response, and communications plans in place well in advance, so when a breach occurs, you’re ready to act immediately.

• Stay up to date on potential vulnerabilities. For example, one recent trend is that the software supply chain is increasingly being targeted. This involves malicious code being injected into key software used by labs and other healthcare companies.

• Explore insurance coverage for cybersecurity incidents. This is expensive but can be worth it, considering the increasing number of cyberattacks in the healthcare space.

What can lab leaders do in the event of a third-party breach involving PHI?

• Follow the steps in your resilience and breach response plans to limit the damage.

• Follow the steps of your communications plan to inform those impacted by the breach and to fulfil your obligations and requirements relating to any laws around reporting data breaches.

• Review contracts. What clauses are in place relating to cybersecurity/data security? Are there any cybersecurity issues not addressed that need to be in response to the cyberattack?

What can labs do if a third party is found to be negligent in handling PHI?

• Check your contracts with third parties. What are the third party’s obligations relating to privacy and cybersecurity?

• Check your insurance coverage for cybersecurity incidents to see what you’re covered for.

• Legal action against the third party may be warranted, particularly if the lab lacks insurance coverage for cybersecurity incidents, depending on the situation and the resources the lab has available.

Steps labs should take when they move on from a third party that handles patient PHI

• Ensure that the third party destroys any PHI and other sensitive data in their possession.

• “Follow the chain” to ensure that any additional parties the third party works with destroy the data as well.

• • Ensure you get a validation that the third party and all relevant entities they work with have destroyed the data, and be sure to limit physical and logical access to data as well.