Eighty-seven million patients in the U.S. have had confidential health information breached in 2023 so far, more than double that of last year, according to a report by Atlas VPN, an internet encryption company.
This year is on pace to break the record for individuals affected by breaches. So far in 2023, 480 data breaches have been reported in the health sector, compared with 373 in all of last year.
The largest breach this year was of Nashville, Tenn.-based HCA Healthcare, in which the data of 11 million patients was affected.
Becker's recently connected with healthcare information technology security leaders from across the country, and they shared the most important precautions needed to prevent cybersecurity risks when working with third-party vendors.
Common themes among the responses were continuous monitoring of systems and limiting data access to as few parties as possible.
"Cybersecurity departments cannot stop the progress of the cloud, managed services or hosting providers that their hospitals are onboarding to deliver patient care or to improve their operations," Adam Hawkins, executive vice president of healthcare and life sciences at IT service management company Cyderes, told Becker's. "The best way to protect your environment is to limit the level of access these vendors have to your critical systems and have the ability to disable it. … [It] should be a requirement that the cybersecurity department has the authority to revoke or reset this access if issues or concerns arise."
Others mentioned forming data-related contracts with security as a priority, which can include outlines of each party's responsibilities and specific instructions on how sensitive information should be handled.
"Draft comprehensive contracts outlining cybersecurity expectations, data protection requirements, and incident response procedures," Hassnain Malik, the former director of security compliance of Accolade, told Becker's. Accolade partners with healthcare providers on navigation, advocacy and other services. "Ensure vendors are contractually obligated to maintain strong security practices. In the event of a data breach or a reportable incident, they must notify the hospital and the health system. I would add additional language into the contract to say that the vendor will be responsible for all costs associated with the data breach."
Another option is creating a third-party risk management program to use when vetting vendors, including a thorough evaluation of each vendor's cybersecurity practices and security audits.
Internet technology leaders also stress the importance of due diligence.
"The crucial step for hospitals and health systems to mitigate increasing cybersecurity risks while engaging with third-party vendors is to take immediate action," Andy Price, vice president, chief information officer and chief information security officer of St. Claire HealthCare in Morehead, Ky., told Becker's. "Many healthcare organizations currently lack a comprehensive approach to third-party risk management, often deferring it to an indefinite future date. Yet this is precisely where potential security breaches are most likely to occur. Therefore, the foremost priority is to initiate the process."