How Do You Weigh Vendor Risk Exposure?


When it comes to vendor risk exposure and its management, you need to know how to implement a program that aligns with HIPAA compliance. Whether you're talking about Cloud Service Providers or other vendors, a solid vendor risk management program largely determines how well your organization can avoid a serious PHI security incident. But how do you determine the critical components?

Obviously, you're obligated to adhere to HIPAA, and so are your business associates, e.g., cloud service providers, clearinghouses, and so forth. The HIPAA Privacy Rule requires that covered entities, and business associates that are "prime" contractors (i.e., ones using subcontractors), know enough about how their contractors do business to assess whether those contractors are meeting their obligations under the business associate agreement. One of those obligations is compliance with the HIPAA Security Rule, which is why vendor risk management is part of your own compliance, not just the vendor's. Where to go from here?

Risk Exposure Analysis: Start with Vendors Who Touch PHI

Do you know which of your vendors "touch" (create, receive, transmit, maintain, store) your PHI? If the answer is "No" or even "I think so," find out now. Imagine the sinking feeling of getting a notification from a vendor that there has been a breach of your PHI when you had no idea they even had it. (#humiliatingmoments)

Once you have identified every vendor that touches PHI, determine the risk exposure level each one brings to the organization based on how extensive that PHI contact is: how much PHI they can reach, how directly they can reach it, and whether it is electronic PHI or paper.

Example 1: Your janitorial service has exposure to PHI, but it's limited in scope. Paper PHI incorrectly left on desks or in copiers, PHI on screens where screensavers haven't been enabled, those sorts of things.

Example 2: Your cloud service provider (CSP), likely has access to all PHI, all of your transactions, all of your logs – your whole business, in other words.

Therefore, your exposure to a bad outcome from the CSP is far greater than your exposure to a bad outcome from your janitorial service, and your assessment effort should be allocated accordingly.

[For more on compliance liability and your responsibilities, read my post “With Eyes Wide Open”]

Assess Vendor Security Posture & Practices

Based on the risk exposure analysis you just completed, assess your most critical vendors' security posture and practices. There are a number of ways to do this. One we like to recommend is having vendors complete a security questionnaire that covers critical information security practices and asks the vendor to supply the policies, procedures, and evidence that back up what they tell you.

[For a copy of our Vendor Security Questionnaire_2024, please email us here, with “Send me the questions” in the Message box.]

In lieu of completing the questionnaire, a vendor that holds a current HITRUST certification or has a SOC 2 Type 2 report covering the Security trust services criteria can supply that report instead. Don't just file it: confirm that the report's scope covers the services you actually buy, that its period is recent, and read the exceptions and the complementary user entity controls, which describe what the vendor expects you to do on your side. Require that they supply this information again at contract renewal, and apply the same process to every new critical vendor.
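To make the exposure tiering and the renewal check concrete, here is an added example written for this post; it is not a tool the author or the firm distributes. The three-level access scale, the record-volume bands, the score formula and cut-offs, and the 90-day renewal window are all illustrative assumptions to be replaced with your own policy values, and the vendor records are constructed sample data.

```python
"""Vendor PHI-exposure tiering and attestation-currency check (illustrative).

All thresholds, field names and the score formula are assumptions for this
example, not values taken from HIPAA, HITRUST or the AICPA.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional, Tuple


class Access(IntEnum):
    """How extensively the vendor can reach PHI (assumed three-level scale)."""
    INCIDENTAL = 1   # e.g. janitorial: paper left on desks, unlocked screens
    LIMITED = 2      # a defined subset of records or workflows
    FULL = 3         # e.g. a CSP hosting the whole environment


@dataclass
class Attestation:
    kind: str           # "SOC2_TYPE2", "HITRUST", "QUESTIONNAIRE"
    valid_until: date   # date after which your policy treats the evidence as stale


@dataclass
class Vendor:
    name: str
    touches_phi: Optional[bool]   # None means you do not actually know yet
    access: Access
    phi_records: int              # approximate number of individuals' records reachable
    electronic: bool              # ePHI (Security Rule in scope) vs paper-only exposure
    contract_renewal: date
    attestation: Optional[Attestation] = None


def volume_band(records: int) -> int:
    """Assumed bands: under 1,000 records = 1, under 100,000 = 2, otherwise 3."""
    if records < 1_000:
        return 1
    if records < 100_000:
        return 2
    return 3


def exposure_score(v: Vendor) -> int:
    """Assumed formula: access level x volume band, doubled for electronic PHI."""
    if not v.touches_phi:
        return 0
    return int(v.access) * volume_band(v.phi_records) * (2 if v.electronic else 1)


def tier(v: Vendor) -> str:
    """Assumed cut-offs: 12+ critical, 4+ high, anything else with PHI contact low."""
    score = exposure_score(v)
    if score >= 12:
        return "critical"
    if score >= 4:
        return "high"
    return "low" if score > 0 else "none"


def attestation_current(v: Vendor, today: date) -> bool:
    return v.attestation is not None and v.attestation.valid_until >= today


def review_findings(vendors: List[Vendor], today: date,
                    renewal_window_days: int = 90) -> List[Tuple[str, str]]:
    """Return (vendor, finding) pairs the TPRM owner should act on.

    Vendors whose PHI contact is unknown are an inventory gap regardless of tier;
    critical and high tier vendors need current evidence, re-requested ahead of renewal.
    """
    findings = []
    for v in vendors:
        if v.touches_phi is None:
            findings.append((v.name, "inventory gap: PHI contact unknown"))
            continue
        t = tier(v)
        if t not in ("critical", "high"):
            continue
        if not attestation_current(v, today):
            findings.append((v.name, f"{t}: no current attestation"))
        elif v.contract_renewal - today <= timedelta(days=renewal_window_days):
            findings.append((v.name, f"{t}: renewal approaching, re-request evidence"))
    return findings


# Constructed sample inventory; names and figures are made up for the example.
TODAY = date(2025, 2, 1)
SAMPLE_VENDORS = [
    Vendor("Sparkle Janitorial", True, Access.INCIDENTAL, 500, False,
           date(2025, 6, 30), Attestation("QUESTIONNAIRE", date(2025, 12, 31))),
    Vendor("Nimbus Cloud Hosting", True, Access.FULL, 250_000, True,
           date(2025, 3, 31), Attestation("SOC2_TYPE2", date(2024, 12, 31))),
    Vendor("ClaimsHub Clearinghouse", True, Access.LIMITED, 150_000, True,
           date(2025, 4, 15), Attestation("HITRUST", date(2026, 6, 30))),
    Vendor("Shred-It-Now Document Destruction", None, Access.INCIDENTAL, 0, False,
           date(2025, 9, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:40} score={exposure_score(v):2} tier={tier(v)}")
    for name, finding in review_findings(SAMPLE_VENDORS, TODAY):
        print(f"ACTION {name}: {finding}")
```

Run as written, the CSP scores highest and is flagged because its SOC 2 report has gone stale, the clearinghouse is current but has a renewal inside the window, the janitorial vendor lands in the low tier, and the shredding vendor surfaces as an inventory gap because nobody has recorded whether it handles PHI at all.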

Above all, trust but verify! The majority of the ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors. That's a clear signal that the industry needs better third-party risk management (TPRM) practices. Remember, even if it's your vendor that screws up, in the eyes of your customers and patients your organization is ultimately responsible.

Julia Huddleston, Principal Consultant, holds the designation of Certified Information Privacy Manager, Certified Information Privacy Professional, and Certified (HITRUST) CSF Practitioner. Contact her or Kevin Haralson, MBA, CCSFP, CHP and Senior Compliance Analyst, for a full compliance program review, security risk analysis, or to prep for certification via the HITRUST or SOC process.