How Mega Attacks Are Spotlighting Critical 3rd-Party Risks
Regulatory Attorney Rachel Rose on Top Concerns for Healthcare Security
Recent mega data breaches involving third-party vendors - such as the Change Healthcare cyberattack - are intensifying the spotlight on critical security risk management and governance issues for business associates and other suppliers, said regulatory attorney Rachel Rose.
When it comes to the impact of cyberattacks on third-party suppliers, "I look at it as a hub and spoke. And the trend that's very apparent to me is that cybercriminals are going for an entity that has a lot of spokes that extend into a variety of different organizations," Rose said.
"So, instead of targeting one hospital, they are going for a Change Healthcare or a SolarWinds that has a lot of healthcare clients, for example, as well as government, financial, defense," she said.
"What this underscores for me from a compliance standpoint is making sure that covered entities and business associates do adequate due diligence and really appreciate what they are attesting to in their business associate agreement."
The first part of any business associate agreement requires the parties to affirmatively state that they are aware of their obligations under federal regulations such as HIPAA and the HITECH Act, as well as relevant state laws, she said. "So, ensuring again that you're doing adequate due diligence and that you're not attesting to something that you know to be false" is crucial, she said. "It can come up later on, especially in the event of a post-breach scenario."
In this audio interview with Information Security Media Group, Rose also discussed:
- What healthcare-related organizations should consider when using online tracking tools;
- How to comply with HHS' information blocking regulations, HIPAA and various state laws that require healthcare sector firms to provide patients with access to their requested health records in the format of their choosing;
- How HHS' cybersecurity performance goals map to the HIPAA Security Rule;
- Areas in which HHS' HIPAA enforcement focus could potentially shift depending on the outcome of the 2024 U.S. presidential election.
Rose, licensed in Texas, is a fellow of the Federal Bar Association and serves as a director on the FBA's national board. She is a member of and the immediate past chair of the Federal Bar Association's Government Relations Committee and an advisory board member of its Qui Tam Section.