X Close Search

How can we assist?

Demo Request

The $17.5 Million Warning: How to Avoid Costly Third-party Data Breach Settlements

Learn essential strategies to mitigate costly third-party data breaches in healthcare and strengthen your organization's cybersecurity posture.

Data breaches are expensive and avoidable. In healthcare, third-party vendors are a growing target, with breaches costing millions in settlements and damaging reputations. In 2023, 133 million health records were exposed, and third-party attacks rose 287% from the previous year.

Here’s how to protect your organization:

  • Assess Vendors Regularly: Evaluate all vendors based on their access to sensitive data and systems.
  • Monitor Continuously: Track changes in vendor security and compliance in real time.
  • Strengthen Contracts: Include clear breach response terms, indemnification clauses, and financial safeguards.
  • Follow NIST Guidelines: Use a structured framework to manage risks and improve incident response.

Enhanced Vendor Risk Assessment | Tony Turner

Third-party Security Risks in Healthcare

Cybersecurity threats in healthcare are on the rise, fueled by the growing reliance on third-party vendors. The interconnected web of systems and service providers creates numerous opportunities for cybercriminals to exploit.

Current Vendor Risk Landscape

Healthcare organizations rely heavily on a wide range of vendors, from medical device suppliers to business associates. A ransomware attack on Change Healthcare in February 2024 demonstrated the scale of potential damage, affecting nearly 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals [2].

Interestingly, attacks targeting business associates now surpass those aimed directly at healthcare providers [5]. By compromising a single vendor, attackers can infiltrate multiple healthcare organizations simultaneously.

Risk Indicator Percentage
Lack of vendor visibility 63%
Challenges in managing vendor access 73%
Ransomware incidents in third-party breaches 66.7%

Key Findings from the Settlement Case

Unauthorized access plays a significant role, accounting for 51.7% of publicly reported incidents [1]. Software vulnerabilities, especially those tied to delayed patching and zero-day exploits, are a major concern. In 2024, a flaw in the HealthEC population health management platform impacted 17 healthcare organizations [1].

"Bad actors have it figured out: Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?"
– John Riggi, National Advisor for Cybersecurity and Risk, AHA [3]

Healthcare Security Regulations

Managing third-party risks in healthcare also means navigating a maze of regulatory requirements. Failure to comply with HIPAA and HITECH can lead to steep penalties, ranging from $100 to $50,000 per violation, with a maximum annual fine of $1.9 million [7].

Business associates share the same legal obligations as healthcare providers under these regulations [6]. This shared responsibility model pushes healthcare organizations to:

  • Conduct thorough vendor risk assessments
  • Enforce strict security requirements in contracts
  • Continuously monitor vendor compliance
  • Keep detailed records of security incidents and responses

"The reality is your attack surface is much bigger than the stuff you can control. But the good news is, you can assess and monitor your extended ecosystem to spot vulnerabilities, take action and avoid catastrophe." [5]

These regulations emphasize the importance of rigorous vendor risk assessments, which will be explored further in the next sections.

Steps to Improve Vendor Risk Management

A staggering 98% of healthcare organizations work with at least one vendor that has experienced a data breach, managing an average of over 1,300 vendor connections [8]. These numbers highlight the need for a structured approach to vendor risk management.

Vendor Risk Assessment Steps

A well-defined vendor assessment process helps identify and address key risks. For example, in February 2024, Cedars-Sinai Health System used the Censinet Risk Register to engage stakeholders and prioritize patient care risks.

Here’s a breakdown of the essential steps:

  • Vendor Inventory and Classification
    Build a detailed inventory of all vendors with access to your systems or data. Classify them based on factors such as:
    • Access to protected health information (PHI)
    • Integration with critical systems
    • Impact on patient care
    • Data handling responsibilities
  • Risk-Based Assessment Protocol
    Create tiered assessment requirements based on the level of risk each vendor poses. High-risk vendors should undergo thorough security evaluations, while lower-risk vendors can be assessed with simpler processes.
  • Continuous Monitoring
    Set up ongoing monitoring to track changes in vendor security and compliance. This is especially important, as more than 35% of organizations face challenges keeping up with evolving vendor risks [8].

Incorporating recognized frameworks, like those from NIST, can further strengthen your risk management strategies.

Using NIST Security Guidelines

The NIST Cybersecurity Framework 2.0 provides a solid foundation for managing vendor risks in healthcare. It outlines six core functions - Govern, Identify, Protect, Detect, Respond, and Recover - that help organizations build a comprehensive cybersecurity program:

Function Key Activities
Govern Establish policies and align with compliance requirements.
Identify Map vendor relationships and data flows.
Protect Apply security controls and access restrictions.
Detect Monitor for suspicious activity or unauthorized access.
Respond Develop and execute incident response plans.
Recover Create business continuity strategies.

Following these guidelines can streamline processes, improve automation, and enhance risk tracking with modern tools.

Risk Management Tools

Advanced risk management platforms simplify vendor assessments with features like:

  • Automated distribution and tracking of assessments
  • Real-time monitoring of security status
  • Centralized risk scoring and reporting
  • Tools for collaborative workflows

Automation is critical, as half of security leaders report difficulties managing large volumes of assessments, and over 40% face delays in completing them [8].

For example, the Censinet RiskOps™ platform helps healthcare organizations:

  • Standardize vendor risk assessments
  • Monitor compliance across all vendors
  • Provide actionable insights for leadership
  • Coordinate risk mitigation across departments
sbb-itb-535baee

Vendor Monitoring and Emergency Response

After conducting structured vendor risk assessments, maintaining constant monitoring and having a quick response plan are key to safeguarding healthcare organizations. In 2023 alone, attacks on business associates accounted for 58% of the 77.3 million individuals affected by healthcare data breaches - a staggering 287% jump from 2022 [3].

Around-the-Clock Vendor Security Monitoring

Continuous monitoring is essential for identifying and addressing threats as they arise. This method combines internal assessments with external threat tracking to ensure thorough coverage [9].

Key areas to monitor include:

  • Cyber vulnerabilities across public and dark web platforms
  • Financial health and reputation of vendors
  • Real-time changes in their security protocols
  • Leaked credentials and exposed data
  • Geopolitical risks that may impact operations

Prioritizing Vendors Based on Risk

Healthcare organizations should allocate monitoring resources based on the risk level of each vendor. Special attention should go to those managing critical services like patient care or sensitive data. Vendors can be categorized as follows:

Risk Category Monitoring Priority Key Considerations
Life-Critical Systems Highest Direct patient care impact; real-time monitoring needed
PHI Access High HIPAA compliance; increased data breach risks
Mission-Critical Services Medium-High Operational continuity concerns
Support Services Medium Assess business impact
Non-Critical Vendors Low Annual reviews may suffice

Once vendors are prioritized, organizations must also be ready to act quickly in case of an incident.

Emergency Response Planning

Quick and effective responses are essential during security incidents. Lee Kim, JD, CISSP, CIPP/US, FHIMSS, and director of privacy and security at HIMSS, emphasizes:

"The most important element of a security incident response plan is the human element. Effective, clear and timely communications are essential elements for ensuring that incident response is swift and appropriate." [11]

To ensure a robust incident response:

  1. Form Cross-Functional Teams
    Assign clear roles and establish communication channels for notifying vendors, updating stakeholders, and reporting to regulators.
  2. Document Recovery Procedures
    • Develop detailed playbooks for various types of incidents
    • Include system isolation steps
    • Outline evidence preservation protocols
    • Prioritize service restoration
    • Address compliance requirements

The risks of poor response planning became evident in January 2023, when AT&T faced a $13 million FCC fine after a cloud vendor breach exposed the data of 8.9 million wireless customers [10].

Strong vendor contracts are essential for defining security responsibilities and managing financial risks. These agreements help healthcare organizations protect themselves against third-party breaches, which averaged $9.8 million in costs in 2024 [12]. Clear terms outlining vendor obligations are a critical layer of defense.

Key Security Terms to Include

Data Protection Standards

Vendors must adhere to strict data security measures, such as:

  • Encryption for data both at rest and in transit
  • Access controls and authentication protocols
  • Regular security testing and vulnerability assessments
  • Clear procedures for data retention and destruction

Incident Response Requirements

Contracts should also address how vendors handle security incidents:

  • Breach notifications within 24–72 hours [14]
  • Detailed incident response plans
  • Protocols for preserving evidence
  • Communication plans for all stakeholders

Compliance Documentation

To ensure accountability, vendors should provide documentation, including:

  • SOC reports
  • PCI compliance certificates
  • Results from network penetration tests
  • Business continuity and disaster recovery plans
  • Insurance certificates

Financial Protection Clauses

Legal agreements must also address financial risks. Including financial safeguards in contracts helps reduce exposure from third-party incidents.

"An indemnification clause is a part of a contract where one party agrees to cover certain losses or damages experienced by another party." [13]

Key Financial Protections

Clause Type Purpose Key Requirements
Indemnification Assigns responsibility for losses Clearly defines covered incidents and damages
Liability Caps Limits financial exposure Sets specific monetary limits based on risk
Insurance Coverage Ensures adequate protection Specifies minimum coverage amounts and types
Incident Recovery Costs Defines responsibility for breach expenses Outlines terms for response and remediation costs

Examples in Practice

In clinical trials, sponsors often agree to indemnify legal claims tied to adverse drug effects. Similarly, management services agreements determine liability for regulatory breaches.

Including a "right to audit" clause is another crucial step. This allows healthcare organizations to review vendor security documentation and carry out assessments whenever necessary [14].

Conclusion: Preventing Third-party Breaches

The $17.5 million settlement involving Health Net Federal Services Inc. (HNFS) highlights the importance of strong vendor risk management. Poor oversight of third-party vendors can lead to financial penalties, harm patient care, and tarnish reputations.

Building on earlier discussions about risk assessments, ongoing monitoring, and legal protections, this case underscores the need for proactive cybersecurity efforts.

"Companies that hold sensitive government information, including sensitive information of the nation's servicemembers and their families, must meet their contractual obligations to protect it", said Acting Assistant Attorney General Brett A. Shumate [15].

The HNFS case offers clear lessons for avoiding vulnerabilities:

Key Issue Consequence Solution
False Compliance Certification $11.2M in penalties Use automated tools to monitor compliance
Delayed Vulnerability Scans Higher breach risks Implement continuous security assessments
Ignored Audit Reports Unresolved security gaps Create formal processes to address audit findings

These real-world findings emphasize the need for actionable prevention strategies. With 133 million healthcare records exposed in breaches during 2023 [4], organizations must prioritize data protection methods like encryption and tokenization [16], while continuously monitoring their vendors' security practices.

The consequences of cybersecurity lapses extend beyond organizations - they affect individuals. Acting U.S. Attorney Michele Beckwith put it plainly:

"When HNFS failed to uphold its cybersecurity obligations, it didn't just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation" [15].

To put these lessons into action, healthcare organizations should:

  • Perform regular risk assessments of their vendors
  • Use automated systems for security monitoring
  • Keep detailed compliance records
  • Act quickly on security audit findings
  • Develop clear and effective incident response plans

FAQs

What steps can healthcare organizations take to assess and reduce risks from third-party vendors?

Healthcare organizations can take several critical steps to effectively manage third-party vendor risks:

  • Establish a strong vendor risk management (VRM) program to monitor and mitigate security risks from third-party providers. This includes assessing vendors' security practices and ensuring they meet your organization's standards.
  • Include security requirements in contracts by clearly outlining privacy, security, and compliance expectations during the vendor selection and contracting process.
  • Maintain a detailed vendor inventory that tracks all third-party providers, especially those with access to sensitive data, and prioritize monitoring high-risk vendors.
  • Conduct regular audits and reviews to ensure vendors comply with your security standards and address any gaps promptly.
  • Prepare for incidents by creating and practicing response plans to address potential breaches and minimize downtime.

By taking these steps, healthcare organizations can reduce the likelihood of costly breaches and protect sensitive patient data effectively.

What steps can healthcare organizations take to stay compliant with HIPAA and HITECH when working with third-party vendors?

To stay compliant with HIPAA and HITECH when working with third-party vendors, healthcare organizations should take a proactive approach to managing vendor relationships. Start by identifying and cataloging all third-party vendors, then assess each vendor's compliance with HIPAA and their ability to protect sensitive data. Prioritize vendors based on their level of access to Protected Health Information (PHI) and the potential risks they pose.

It's essential to establish a Business Associate Agreement (BAA) with every vendor that handles PHI, clearly outlining their responsibilities for safeguarding data and ensuring compliance. Regularly monitor and reassess vendors through audits and ongoing risk evaluations to address any changes in their compliance status or risk profile. By implementing these steps, organizations can better protect sensitive information and reduce the likelihood of costly breaches.

What key elements should be included in vendor contracts to reduce financial and security risks from data breaches?

To minimize financial and security risks from data breaches, vendor contracts should include several critical provisions. These elements clearly define responsibilities, enforce data protection, and establish protocols in case of a breach.

Key elements include:

  • Data Security Requirements: Vendors should commit to robust security measures, such as encryption, data classification, and secure disposal of sensitive information, ensuring compliance with laws like HIPAA.
  • Breach Notification Timeline: Specify how quickly vendors must notify your organization in the event of a breach (e.g., within 24-72 hours) and outline their responsibilities for managing compromised data.
  • Indemnification: Include clauses clarifying which party is liable for damages caused by the vendor or its subcontractors.
  • Right to Audit: Ensure your organization has the ability to request documentation and perform audits to verify compliance with security standards.
  • Subcontracting Restrictions: Clearly define whether subcontracting is allowed and under what conditions.

By incorporating these elements, you can better protect your organization from financial losses, regulatory penalties, and reputational harm caused by third-party data breaches.

Censinet Risk Assessment Request Graphic

Censinet RiskOps™ Demo Request

Do you want to revolutionize the way your healthcare organization manages third-party and enterprise risk while also saving time, money, and increasing data security? It’s time for RiskOps.

Schedule Demo

Sign-up for the Censinet Newsletter!

Hear from the Censinet team on industry news, events, content, and 
engage with our thought leaders every month.

Terms of Use | Privacy Policy | Security Statement | Crafted on the Narrow Land