South Florida Hospital News
Tuesday May 18, 2021


May 2021 - Volume 17 - Issue 11

Medical Organizations Face Cyber Risks from Third-party Vendors

With high-profile cyber-attacks continuing to hit healthcare organizations, many are upgrading their cyber protection. Unfortunately, what most don’t realize is that the threat doesn’t always come through their own systems: the majority of breaches reach them through third-party vendors.

“Think about all of the third-party vendors you have: billing companies, laboratories, numerous medical supply companies … the list goes on,” said Medical Malpractice and Workers’ Compensation Specialist Tom Murphy at Danna-Gracey, the largest independent medical malpractice insurance agency in Florida. “In this age of information technology, we are all interconnected, and since a lot of companies share important medical and patient information, that’s where they run into trouble.”
In fact, Cyber Risk Underwriters, which provides technology-driven cyber risk insurance solutions to clients including Danna-Gracey, recently released a study estimating that 75 percent of its healthcare clients’ cyber incidents were the direct result of a third-party vendor being hacked.
“This is why we’re seeing larger healthcare organizations and hospital systems taking a closer look at vendor contracts and attempting to determine their vulnerabilities,” said Murphy. “These types of breaches can result in serious financial loss and reputational loss, as well as fines and penalties for breaching HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act) guidelines. That’s why some healthcare organizations are mandating that their third-party vendor provide proof of their own cyber insurance or complete a cyber-security certification.”
To earn this certification, a company is assessed by a reputable cyber-security firm that examines its systems to determine who and what can reach sensitive data and where the weaknesses are. The assessor then provides recommendations or helps the company put protective controls in place.
“In this day and age, there’s no way to be 100 percent protected because cyber security is a moving target; criminals find new ways every day to breach cyber systems,” said Murphy. “It’s a constant battle to keep up.”
Without taking these steps, however, companies can find themselves in a world of trouble.
In 2019, for example, medical testing giants Labcorp and Quest Diagnostics were both using American Medical Collection Agency (AMCA) as a third-party billing and collections vendor. When that company was breached, more than 19.4 million patients’ information was determined to have been exposed over an eight-month window spanning 2018 and 2019.
“Quest and Labcorp had to step in and get their insurance and public relations firms involved, and as of today, they are still dealing with financial ramifications, as well as huge damage to their reputations,” said Murphy. “They are also facing a number of class-action lawsuits in federal courts and in multiple states.”
He added that while the companies can likely withstand these financial issues because they had the proper insurance coverage, they now have to worry about ongoing government investigations that could result in penalties and fines for noncompliance with HIPAA and HITECH.
“AMCA filed for Chapter 11; what was once a strong financial company is out of business because of just one breach,” he added.
Know Your Vendors
Murphy recommends taking the advice of cyber risk analyst Katell Thielemann, who lists three things that companies can do to help protect themselves from these types of third-party issues.
“First, know all of the industry regulations applicable to your organization; do your homework and understand what these regulations—like HIPAA and HITECH—are,” said Murphy, adding that other industries will have different guidelines and regulations.
“Second, assess the security and risk management profile for all of your vendors; before you contract with them, find out what kind of security and risk management they have in place to protect themselves and your vulnerable information.”
Lastly, healthcare companies should know what information needs to be protected. “What types of information do you both share? How are you going to protect it? This seems like common sense, but it often gets overlooked when signing contracts,” advised Murphy.
He adds that healthcare organizations are at even greater exposure with the changes brought on by the pandemic. “Simply by using remote services and telehealth, healthcare organizations have become greater targets,” he said. “Companies involved in the cyber world have confirmed seeing a large increase in attacks and exposure.”
Proactively making sure that medical and patient information is safe can help prevent long-term fallout.
“If a company has done everything they can do to follow HIPAA and HITECH; if they have done their due diligence, have the proper protocols and coverage, and make sure their third-party vendors have the proper protocols in place, then they are typically okay in terms of government fines and penalties if a breach occurs,” said Murphy.
“On the flip side, they will still have financial issues and reputational damage,” he added. “That’s why it’s important to work with a really robust cyber protection company; not only to get insurance in case a breach occurs, but to be proactive in preventing this exposure from happening.”

For more information, contact Tom Murphy or Matt Gracey at (800) 966-2120 or visit
