How Vendor Management Prevents Breaches
Tips on Sharpening Business Associate Requirements
Too many organizations enter into detailed business associate agreements, as required under HIPAA, but then neglect to hold vendors accountable for maintaining the privacy and security of patient information, says Grillo, a managing director at the consulting firm Protiviti.
"A lot of the time, security controls are lacking," Grillo says. "If you have a mature vendor risk management program, you'll identify deficiencies."
As part of implementing a strong vendor risk management program, Grillo suggests healthcare entities conduct periodic audits of business associates to help ensure they are taking appropriate security steps.
"If a service provider or BA has access to PHI [protected health information], you need to do everything possible to make sure they have the controls in place," he says in an interview with Information Security Media Group. "If that data is lost, the cost from a financial standpoint, from a legal standpoint, as well as your reputation is astronomical."
Grillo stresses: "You can outsource the function, but you can't outsource the risk." As much as a vendor is accountable if it is the culprit of a breach, "it's the data owner who's in the headlines and has their reputation at stake," he says.
But before signing a contract with a business associate, healthcare entities should conduct due diligence research on the vendor.
Grillo recalls an incident in which his firm was asked to do a vendor review for a pharmaceutical industry client. "We went out to vet the vendor, which had a robust website," he recalls. But when Grillo and his team visited the vendor's "office," they discovered it was located in the renovated attic of a house. "It's unbelievable some of the things that go on when you're conducting your due diligence," he says.
In the interview, Grillo also discusses:
- Tips for improving vendor management programs;
- The most common data privacy, risk management and security mistakes that business associates make, and which of them pose the greatest risk to covered entities;
- How the healthcare sector compares with other industries, such as financial services, when it comes to vendor risk management practices.
As a managing director in Protiviti's technology risk practice and leader of the global incident response and forensics investigations practice, Grillo provides clients with information security and risk management services. Protiviti is a wholly owned subsidiary of Robert Half. Grillo is a Certified Information Systems Security Professional and a co-founder of the IT Policy Compliance Group, a compliance research site.