Technology should always help improve workplace performance and productivity, but with all its benefits, adding third-party solutions to your environment increases your cyber-risks. Healthcare is one industry that benefits the most from technology. It speeds up patient diagnosis and improves treatment, but unknown vulnerabilities threaten patient safety. In recent years, a surge in electronic health record (EHR) technology has reduced physician workloads, but the technology has gone through some growing pains, mainly in the form of third-party risks.
Many of today’s healthcare agencies have addressed the technology involved with EHR and currently provide a framework for doctors, nurses, and other healthcare professionals to implement best practices. In 2020, the American Nursing Informatics Association Board of Directors documented the domains of burden¹ that affect healthcare workers, which gave third-party vendors opportunities to focus on reducing physician and nursing overhead with EHR. The six domains of burden documented were reimbursement, regulatory, quality, usability, interoperability and standards, and self-imposed. These burdens are directly responsible for healthcare worker burnout, so most hospitals and healthcare facilities work with third-party software vendors to reduce these pain points.
Adopting Third-Party Systems to Reduce EHR Burdens
During the COVID-19 pandemic, the six domains of burden were exacerbated when healthcare workers were flooded with new patients entering critical care. Physicians and healthcare professionals suffered from burnout due to the excessive documentation necessary to stay compliant while also supporting patients. Compliance was relaxed to support this surge of new patients, but a study² showed that emergency response physicians spent half their day on EHR and documentation platforms, and nurses spent 25-30% of their time in EHR and documentation systems. This, along with the obvious emotional trauma of those times, led to severe burnout among healthcare professionals, and it highlighted the importance of reducing overhead in a healthcare setting, especially during times of public health concern.
No organization can tackle all six domains of burden at once, so they often turn to third-party vendors. One resolution to EHR burdens is a system that streamlines the billing process between healthcare and insurance companies. AccuDoc Solutions, Inc. supported billing for Atrium Health, a network of medical care facilities.
While technology such as that from AccuDoc Solutions reduces physician burden, it also increases a hospital’s attack surface by placing trust in a third-party vendor. In 2018, AccuDoc Solutions announced³ that the organization had suffered a data breach in which 2.65 million patient records were stolen. It highlighted the risk hospitals face when they entrust their data to third parties – and when those third parties rely on their own vendors, so that a single compromise propagates through the supply chain.
Usability is another domain of burden, and EHR technology is notorious for poor usability. Poor usability makes data entry difficult for everyone involved in EHR maintenance, which adds to healthcare worker frustration. A Mayo Clinic survey⁴ asked physicians to rank EHR software usability on a scale of 0 to 100, with 0 being very poor and 100 being excellent. The overall usability score was 45.9, putting EHR technology at an F in grade school terms.
Two notable vendors – Meditech and Athenahealth – have made it their mission to tackle EHR usability concerns. However, a quick search shows that both organizations have suffered setbacks, including data breaches and fines for questionable sales tactics. Athenahealth was ordered to pay $18.25 million⁵ for violating the False Claims Act (FCA), and a cyber-attack on Meditech systems caused long-term downtime⁶ for Jones Memorial Hospital, a local university care facility in Wellsville, New York.
These few examples show the risks involved in working with third-party EHR software vendors. While much of today’s EHR technology reduces burden on physicians and nurses, it adds more risk for patients, violating the key tenets of HIPAA.
Why is Third-Party Risk Management Important?
Adopting technology is necessary for better patient care, but it must be done with data protection in mind. The solution is for healthcare organizations to adopt new technology with the right third-party risk management. This often involves thorough vendor research, a questionnaire asking how vendors handle specific compliance and data protection methods, and threat intelligence to identify if a vendor has been a victim of a past data breach.
Many EHR vendors host their solutions in the cloud or connect to cloud-based resources. The cloud improves data availability, among a number of other benefits, but infrastructure hosted in a third-party data center can also increase your risk. At this point, you must decide whether to accept, mitigate, or reject these risks.
Third-party risk management, often referred to as cyber supply chain risk management (C-SCRM), lets you know whether a vendor takes data protection as seriously as you do. Healthcare providers are under constant pressure to protect their patients’ data, and failing to do so is costly and harmful to your reputation. Incorporating risk management into your vendor purchasing workflow is critical to compliance, and it can save your organization from costly violations. HIPAA has violation tiers, but the worst of them can cost your organization a minimum of $50,000 per violation.⁷
One component of HIPAA compliance is risk analysis, and tying third-party risk management into your vendor selection satisfies this requirement. Most vendors that deal with EHR and patient healthcare records know that they must go through rigorous risk management procedures before their software and systems can be integrated into a healthcare provider’s environment, but it is the healthcare provider’s responsibility to go through the right steps and identify potential risks.
What Does the TPRM Process Look Like?
Risk assessment, risk analysis and risk management should be left to subject matter experts, and most consultants follow a set of general best practices. It is important to know how they research vendors, known and zero-day threats, and previously undisclosed cybersecurity incidents. The goal is to provide you with the information you need to determine whether a vendor has effective cybersecurity controls in place or whether it poses a heightened risk to your own data protection and HIPAA compliance efforts.
More importantly, a third-party risk management consultant gives you the information that you need to determine if you want to do business with any particular vendor. You may think the risk is negligible or find that the vendor will adapt to your cybersecurity requirements to do business with you. Risk assessment and management is about taking the information that you get from a vendor and determining if you can do business with them without putting your organization at risk of revenue loss, HIPAA violations, lawsuits, and loss of your patients’ trust.
Initial steps in this process involve gathering information about a vendor, usually in the form of a brief questionnaire. Information from the vendor questionnaire, as well as other means of data collection, is then compiled to generate an overall score for that vendor’s security controls. A risk score makes it much easier for a stakeholder to gauge the individual level of risk that vendor may pose, as well as an aggregate score of the healthcare company’s portfolio of third parties.
To give you a real-world example, Shopify publishes its list of level 1 and level 2 security requirements⁸ for vendors. Vendors that want to do business with Shopify must go through this list and submit answers to each line item. Some line items are easy to remediate, but others could take weeks to complete. For example, the last item on the level 2 security requirements involves an incident response plan. If you don’t have an incident response plan, it can take weeks of work and often requires a third-party consultant to help the business put a plan together. Without one, a vendor might score low on Shopify’s risk analysis and ultimately be rejected from doing business with the platform.
After your consultant scores a vendor, the vendor is given the opportunity to remediate their gaps in security. The vendor will probably need time to remediate gaps. This often requires changes to the way a vendor does business, changes to their security infrastructure, infrastructure configurations, or changes to common employee workflows.
Using the Shopify example again, one of their requirements is limiting employee access to consumer data to only the data necessary for the employee to perform their job. To remediate excess privileges across numerous employees, a business must analyze everyone’s current permissions and revoke unnecessary privileges, which can cause issues within the organization and potentially interrupt productivity. It’s a necessary requirement, but many small businesses provide excessive privileges to employees for convenience rather than following cybersecurity best practices. These elevated privileges give attackers extensive access to data in the event of employee credential theft.
Vendors are within their rights to reject any changes to their infrastructure and productivity workflow, but it falls on your organization to decide whether to accept the risk. Companies will then choose to accept the risk as-is or choose another vendor entirely. Most vendors will attempt to remediate these risks as much as possible to sign on a new customer.
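The questionnaire, scoring, critical-gap and portfolio steps described above, worked as an added example. This is illustrative code written for this page, not Access Point’s scoring methodology and not Shopify’s requirements list; the control names, weights, the 70-point acceptance threshold, the breach penalty and the three vendor answer sets are all constructed assumptions. The incident response plan and least-privilege controls are treated as critical because the text singles them out as hard-to-remediate requirements.

```python
"""Weighted scoring of a vendor security questionnaire with a portfolio aggregate.

Added illustration, not Access Point's or Shopify's scoring method. Control
names, weights, thresholds and vendor answers below are constructed.
"""
from dataclasses import dataclass

# Constructed control catalogue. Weight reflects how much a gap matters;
# a "critical" control that is entirely absent fails the vendor outright.
CONTROLS = {
    "incident_response_plan": {"weight": 5, "critical": True},
    "least_privilege_access": {"weight": 5, "critical": True},
    "encryption_at_rest": {"weight": 4, "critical": False},
    "mfa_for_staff": {"weight": 3, "critical": False},
    "subprocessor_inventory": {"weight": 3, "critical": False},  # the vendor's own vendors
    "breach_notification_sla": {"weight": 2, "critical": False},
}

# Questionnaire answers: "yes" = in place, "partial" = in progress, "no" = absent.
ANSWER_CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass
class VendorAssessment:
    name: str
    answers: dict
    known_breaches: int = 0  # from threat intelligence on past disclosures


def score_vendor(vendor):
    """Return (score from 0 to 100, list of controls with gaps).

    An unanswered control counts as "no"; each known breach costs 10 points.
    """
    earned = total = 0.0
    gaps = []
    for control, meta in CONTROLS.items():
        credit = ANSWER_CREDIT.get(vendor.answers.get(control, "no"), 0.0)
        earned += credit * meta["weight"]
        total += meta["weight"]
        if credit < 1.0:
            gaps.append(control)
    score = max(0.0, 100.0 * earned / total - 10 * vendor.known_breaches)
    return round(score, 1), gaps


def decision(vendor, threshold=70.0):
    """'reject' if a critical control is absent, 'remediate' below threshold, else 'accept'."""
    score, gaps = score_vendor(vendor)
    for control in gaps:
        if CONTROLS[control]["critical"] and vendor.answers.get(control, "no") == "no":
            return "reject"
    return "accept" if score >= threshold else "remediate"


def portfolio_score(vendors):
    """Aggregate view for stakeholders: mean score across all third parties
    and the weakest vendor, who sets the floor of the portfolio's risk."""
    scored = [(score_vendor(v)[0], v.name) for v in vendors]
    mean = round(sum(s for s, _ in scored) / len(scored), 1)
    return mean, min(scored)[1]


# Constructed sample vendors (hypothetical names).
ALL_YES = {c: "yes" for c in CONTROLS}
VENDOR_A = VendorAssessment("Vendor A", dict(ALL_YES))
VENDOR_B = VendorAssessment("Vendor B", {**ALL_YES, "incident_response_plan": "no"})
VENDOR_C = VendorAssessment(
    "Vendor C",
    {"incident_response_plan": "yes", "least_privilege_access": "partial",
     "encryption_at_rest": "yes", "mfa_for_staff": "no",
     "breach_notification_sla": "yes"},  # subprocessor_inventory left unanswered
    known_breaches=1,
)
VENDORS = [VENDOR_A, VENDOR_B, VENDOR_C]

if __name__ == "__main__":
    for v in VENDORS:
        print(v.name, score_vendor(v), decision(v))
    print("portfolio:", portfolio_score(VENDORS))
```

Note that Vendor B scores well above the threshold on points alone, yet is rejected because the missing incident response plan is a critical control; a pure weighted sum would hide that gap, which is why the decision step checks critical controls before the score.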
Risk Management Doesn’t Stop After Vendor Approval
After you accept a vendor, you still must monitor for any suspicious activity. Third-party risk management consultants will continue to monitor the dark web for any potential data disclosures that link back to you or a vendor. With any data breach, time is of the essence and threats must be contained as quickly as possible. Continuous monitoring gives you real-time updates on vendor security incidents, saving you crucial hours and minutes in the wake of a data breach.
Corporations must also monitor vendor data access for as long as a vendor is connected to their network. Good monitoring systems log every data access request – both successful and denied – so that anomalies, indicators of compromise (IOCs), a malicious insider, or an ongoing attack can be identified. HIPAA requires this level of monitoring within your environment, so this step should already be a part of your corporate infrastructure.
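The kind of detection the paragraph above calls for, run over access-request logs, as an added example. This is not code from the page or from any product named on it; the log line format, the account names, the vendor account list, the five-minute window, the denial threshold and the 07:00 to 19:00 business-hours assumption are all constructed for the illustration. It flags two patterns a defender would want to see: a burst of denied requests from one account (an account reaching for records it is not entitled to) and vendor service-account activity outside business hours.

```python
"""Flag anomalous vendor data access from access-request logs.

Added example, not code from the page or any product named on it. Log format,
account names, thresholds and business hours are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, outcome (ALLOW/DENY), record id.
SAMPLE_LOG = """\
2024-03-01T02:10:00Z acct=billing-vendor-svc outcome=ALLOW record=P1001
2024-03-01T02:10:04Z acct=billing-vendor-svc outcome=ALLOW record=P1002
2024-03-01T02:10:09Z acct=billing-vendor-svc outcome=DENY record=P9001
2024-03-01T02:10:11Z acct=billing-vendor-svc outcome=DENY record=P9002
2024-03-01T02:10:13Z acct=billing-vendor-svc outcome=DENY record=P9003
2024-03-01T02:10:15Z acct=billing-vendor-svc outcome=DENY record=P9004
2024-03-01T02:10:17Z acct=billing-vendor-svc outcome=DENY record=P9005
2024-03-01T09:00:00Z acct=nurse.jdoe outcome=ALLOW record=P1001
2024-03-01T09:05:00Z acct=nurse.jdoe outcome=ALLOW record=P1003
2024-03-01T09:07:00Z acct=nurse.jdoe outcome=DENY record=P5000
"""

# Hypothetical list of accounts that belong to third-party vendors.
VENDOR_ACCOUNTS = {"billing-vendor-svc"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect(events, vendor_accounts=VENDOR_ACCOUNTS, deny_threshold=3,
           window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return a list of (account, reason) findings.

    Rule 1: at least deny_threshold DENY outcomes for one account inside
            a sliding window (probing for records it is not entitled to).
    Rule 2: any vendor account activity outside business hours.
    """
    findings = []
    denies = defaultdict(list)
    off_hours = defaultdict(int)
    for e in events:
        if e["outcome"] == "DENY":
            denies[e["acct"]].append(e["ts"])
        in_hours = business_hours[0] <= e["ts"].hour < business_hours[1]
        if e["acct"] in vendor_accounts and not in_hours:
            off_hours[e["acct"]] += 1

    minutes = int(window.total_seconds() // 60)
    for acct, times in sorted(denies.items()):
        times.sort()
        for i in range(len(times)):
            # Count denials from times[i] forward that fall inside the window.
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= deny_threshold:
                findings.append((acct, f"{j - i} denied requests within {minutes} min"))
                break  # one finding per account is enough to raise an alert
    for acct, n in sorted(off_hours.items()):
        findings.append((acct, f"{n} requests outside business hours"))
    return findings


if __name__ == "__main__":
    for acct, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {acct}: {reason}")
```

The single denied request from the clinician account is not reported, which is the point of a threshold: one denial is normal friction, a burst is a signal. In practice the vendor account list and business-hours window come from the contract and the vendor’s declared integration schedule, and both rules should feed the same alerting path your incident response plan already uses.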
How Access Point Can Help
Third-party risk management may seem complicated, but it doesn’t have to be. Put the onus of your risk management program on Access Point. With decades of industry expertise, our consultants have the practical methodologies to keep cyber threats at bay.
Access Point’s Supply Chain Risk Management helps healthcare providers ensure that the vendors they choose are suitable for their needs, are compliant with major security and privacy frameworks, and do not add unnecessary risks to their environment. To get started with our Supply Chain Risk Management practice, meet with a subject matter expert today and see how Access Point can bring you, your patients, and your physicians greater peace of mind.
Sources
¹ https://www.ania.org/assets/documents/position/ehrBurdenPosition.pdf
² https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8612869/
³ https://www.hipaajournal.com/2-65-million-atrium-health-patients-impacted-by-business-associate-data-breach/
⁴ https://www.mayoclinicproceedings.org/article/S0025-6196(19)30836-5/fulltext
⁵ https://www.justice.gov/usao-ma/pr/athenahealth-agrees-pay-1825-million-resolve-allegations-it-paid-illegal-kickbacks
⁶ https://ehrintelligence.com/news/cyberattack-leads-to-meditech-ehr-downtime-in-western-new-york
⁷ https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
⁸ https://shopify.dev/docs/apps/store/data-protection/protected-customer-data#requirements