
How can payers be prepared to manage third-party security incidents?

Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.


Security breaches and cyberattacks occur in the healthcare space at alarming rates, creating privacy concerns for all stakeholders involved. While provider organizations are the most common entities in healthcare that experience a security incident, health plans face data breaches, too.

Since 2009, health plans have reported 778 healthcare data breaches to the Office for Civil Rights (OCR). As health plans frequently outsource various operations to third-party vendors, they must be prepared to manage third-party security incidents.

In 2022, the healthcare industry was the most common victim of third-party breaches, accounting for 34 percent of incidents, according to data from Black Kite.

The recent and hefty Change Healthcare cyberattack highlights the damage that third-party cyberattacks can cause, as many hospitals and their patients are facing reimbursement and care access issues.

Below, HealthPayerIntelligence explores how payers can be prepared to protect patient data and maintain operations during third-party security incidents.

Implement vendor management programs

Before engaging with third-party vendors or administrators to help with services such as benefit design, enrollment assistance, billing, claims processing, and compliance, health plans should implement a vendor management program.

A vendor management program includes tools, processes, workflows, rules, and guidelines to ensure vendor relationships will provide the intended benefits without excessive risk or harm.

The program assesses the vendors’ security practices, including security controls, certifications, and compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA). Performing these evaluations before partnering with a vendor can help health plans avoid vendors who may be susceptible to security breaches.

Additionally, before partnering with third-party vendors, payers must ensure that the contractual obligations include adequate security measures. The contracts should include clear provisions about security responsibilities, breach notification requirements, and liability for security incidents. The agreement should also detail how the vendor will mitigate risks and respond to breaches.

Conduct risk assessments

Once health plans have secured a third-party system, ongoing assessments are critical to maintain security measures. Health plans must also make sure their own operations are secure. In fact, the HIPAA Security Rule requires health plans, clearinghouses, healthcare providers and their business associates to conduct risk assessments of their organization.

A risk assessment helps ensure compliance with HIPAA’s administrative, physical, and technical guidelines. These assessments can identify areas where an organization’s protected health information (PHI) may be at risk.

Health plans should also have oversight strategies in place for third-party systems. Third-party risk management focuses specifically on assessing and minimizing risks associated with outsourcing to third-party vendors. Third-party risk management strategies can reduce the risk of data breaches and increase health plans’ knowledge of their vendors, allowing for better decision-making.

Continuously monitoring third-party vendors and networks can help identify signs of suspicious activity or security breaches. Risk assessments can also verify that third-party partners are meeting security obligations.

Payers can use the information found during these assessments to adjust their infrastructure as needed, including updating software, fixing security vulnerabilities, and improving firewalls and intrusion detection systems.

Protect data

Health plans must take proper steps to protect their data, so it is not entirely vulnerable when breaches or cyberattacks occur. Encrypting patient data ensures that unauthorized parties cannot read or use the data without the encryption key, and it also helps payers comply with HIPAA. Similarly, implementing access controls across a system helps ensure that only authorized personnel can access confidential information.

Multi-factor authentication is an additional layer of security that health plans might want to consider. This protocol requires users to provide more than one type of information to access an account or system. Common forms include text or voice messages with a code, time-based one-time passwords, and push notifications.

Establish incident response plans

Although precautions can be taken, payers cannot control if and when third-party and other kinds of cyberattacks occur. Therefore, it is important to have an incident response plan in place to manage the repercussions.

Before creating a plan, payers may want to establish an incident response policy that clarifies what is considered a security incident, includes who is responsible for responding to an event, and details reporting requirements.

The incident response plan is a written document that outlines the steps for dealing with a security breach, such as procedures for containing the breach, notifying impacted individuals, and communicating with regulators.

These plans aim to minimize the effect of security incidents and help operations recover in the wake of breaches. The National Institute of Standards and Technology (NIST) incident response cycle framework consists of four main elements: preparation and planning; detection and analysis; containment, eradication, and recovery; and post-incident activities.

Payers should also have data backup and recovery processes to ensure patient data can be restored following cyberattacks or other incidents that compromise data.

Communicate and train workers

Open communication with third-party vendors can make security incidents less stressful for health plans. With clear lines of communication, health plans can receive timely updates and reporting from vendors during breaches or cyberattacks. In addition, transparent and timely communication with impacted members and other stakeholders can help preserve positive relationships during security incidents.

Health plan employees and third-party vendors should be aware of best practices for managing security issues, such as how to recognize and respond to threats. Regular training sessions highlighting important standards can help staff feel more equipped to prevent and manage security incidents.

Health plans should also implement security awareness training for third-party vendors. Some vendors may already have these programs in place, but health plans should confirm the standards meet their expectations.