Health systems are taking a hard look at how their vendors and supply chain partners secure their systems against cyberattacks following a string of attacks in healthcare costing systems $10.9 million so far in 2023, according to a July 27 report from The Wall Street Journal.
Even third-party breaches of supply chain companies can be financially impactful for systems.
The Health 3rd Party Trust Initiative, an industry group of major healthcare providers, published a list of best practices for assessing the security of supply chain partners.
It says that any contract between a supplier and a health system should address, at minimum, three key things.
First, the scope of the systems and services used to support the healthcare entity should be clarified. The scope description should outline all data that requires protection. It should specify the classification of data, including if it's public, confidential or protected by regulatory expectations. It should specify where data is stored and any regulatory requirements to comply with HIPAA.
Second, consider the ownership and confidentiality of the data in the scope of governance of the data. Consider use of data during the relationship, mechanisms to secure data, what data updates are being required of the healthcare industry during the contract term, and the process for returning or destroying data at the end of a contract.
Third, understand risk management, security expectations and safeguards. Requirements for administrative, physical and technical safeguards should be addressed. Base security expectations should be based on assurance systems referenced in contracts. It is important that safeguards do not become obsolete over the term of a contract as technology evolves and new risks are discovered.