How to Mitigate Third-Party Data Breach Risks
University of Pittsburgh Medical Center (UPMC) is one of the latest healthcare organizations to have sensitive records exposed. This breach should be a wake-up call for healthcare organizations -- and for all companies, for that matter -- that a rogue employee at a supplier, vendor, or other third party can wreak havoc on your business. The reality, however, is that many companies still don't know which of their third parties have access to their personally identifiable information (PII), which was precisely the gap in the UPMC case.
To prevent similar breaches, all companies need a plan. Assuming you already have a full inventory of your third parties, the business you’re doing with them, and what your contract with them looks like, your first step should be to establish which third parties have access to your PII.
The second step is to verify you have appropriate controls in place to regulate and monitor this access. This should include both IT and non-IT measures such as employee background checks, training, and specific user-level access controls. Borrowing a phrase financial regulators are fond of: "trust but verify." Have your third parties complete comprehensive information security assessments. Include clauses in vendor and supplier contracts spelling out the third party's obligations to implement appropriate security controls, conduct background checks on employees, and so on. Most importantly, decide up front how you will verify that the third party is actually doing what it is contractually obliged to do; an unverified clause is a promise, not a control.
Taking this verification step helps control the number and type of users who have access to sensitive information, ensures those users have been screened (where appropriate) and received suitable training, and confirms your enterprise has done its due diligence by extending its compliance footprint through to its third-party network. For users with access, you must manage what they can and cannot do with the information, set access limitations, and make sure their employer provides proper training. Instituting these IT and non-IT measures reduces the risks posed by human error; no control eliminates them.
It is not enough to simply conduct periodic audits to understand third-party access. Companies must record each third party's access, the regulations and guidelines that apply to it, and the identified risks in one system of record that multiple people across the enterprise can consult and keep current. A single, centralized view makes it possible to monitor activity and gives the enterprise better insight into where its risk actually sits.
Bottom line: review the PII safeguards your organization implemented and consider making those a requirement for your third parties. But first, make sure you actually know which third parties have access to your PII. Not doing so increases the risks to any organization’s revenue, reputation, and regulatory profiles.
Here are tips for working with third parties to help avoid breaches:
Know Your Third Parties: While it's relatively easy to outsource work to third parties, it's not so easy to know with whom you're actually doing business and who is delivering the goods or services. Companies often default to completing due diligence on, and managing, only a limited number of high-risk or high-spend third parties, or assume that only traditional IT vendors pose an IT risk. Review whether your policies and technology allow you to identify, assess, and manage all your third parties for IT risk (as well as other risks, of course).
Know Their Business: It is not enough to hire third parties to help your company: You also have to know what business they are doing on your behalf. Ask yourself this question: If today you had to pull a list of which of your vendors or business partners have access to employee or customer PII or your IT systems, how long would it take? If you had to contact those companies for additional information, do you have accurate contact details?
Know Their Risk: Fewer than half of companies regularly conduct due diligence on their third parties. While third parties typically pose some level of risk, the level and seriousness of that risk differ depending on their role. For example, third parties that handle payroll or taxes usually pose a higher risk to your company's data than the evening cleaning crew. Managing your third parties according to the risks they pose requires knowing those risks in the first place, then having policies and procedures to control them throughout the life of the contract.
Know Their Access: Not knowing a third party had access to system passwords is not a valid excuse when your clients' records are stolen. Understanding what each party has access to, and why, ensures you have control over that access and can limit or deny access to sensitive information as appropriate. Every grant should be tied to a documented business reason, and access that no longer has one, including access left behind when an engagement ends, should be revoked.
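The "Know Their Business", "Know Their Risk" and "Know Their Access" points above amount to a query you should be able to run on demand. The following is an added example (not code from the article or from Hiperos) of a minimal third-party access register in Python: it lists which parties can reach PII or other sensitive data and on which systems, tiers each party by the data it touches, and flags grants with no documented justification, parties that hold access but are missing from the inventory, and parties whose security assessment is missing or overdue. The vendor names, systems, dates and the review cadence per tier are constructed for the example and are assumptions, not policy from the article.

```python
"""Third-party access register (added example, constructed data).

Answers the questions the article poses: which third parties can reach
PII or other sensitive data, for what documented reason, and whether the
contractual verification (assessment, background-check clause) is current.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ThirdParty:
    name: str
    service: str                     # business they do on our behalf
    contact: str                     # verified contact for follow-up questions
    last_assessment: Optional[date]  # last completed security assessment, if any
    background_checks: bool          # employee-screening clause present in contract


@dataclass(frozen=True)
class AccessGrant:
    party: str
    system: str
    data_classes: frozenset          # e.g. {"PII", "PHI", "financial"}
    justification: str               # documented business reason ("" if none recorded)


SENSITIVE = frozenset({"PII", "PHI", "financial"})
# Assumed review cadence per risk tier, in days (example policy, not from the article).
CADENCE_DAYS = {"high": 365, "medium": 730, "low": None}


def risk_tier(grants):
    """Tier a party by the most sensitive data class any of its grants reaches."""
    classes = set()
    for g in grants:
        classes |= g.data_classes
    if classes & {"PII", "PHI"}:
        return "high"
    if "financial" in classes:
        return "medium"
    return "low"


def sensitive_access(grants):
    """The list you should be able to pull today: who touches sensitive data, and where."""
    return sorted(
        (g.party, g.system, sorted(g.data_classes & SENSITIVE))
        for g in grants
        if g.data_classes & SENSITIVE
    )


def review(parties, grants, today):
    """Return findings: unknown parties, unjustified grants, stale or missing verification."""
    findings = []
    by_party = {}
    for g in grants:
        by_party.setdefault(g.party, []).append(g)
    known = {p.name for p in parties}
    # Access that exists for a party nobody inventoried is the UPMC-style blind spot.
    for name in by_party:
        if name not in known:
            findings.append({"party": name, "kind": "unknown-party",
                             "detail": "access exists but no inventory record"})
    for p in parties:
        pg = by_party.get(p.name, [])
        for g in pg:
            if not g.justification.strip():
                findings.append({"party": p.name, "kind": "unjustified-access",
                                 "detail": f"{g.system}: no documented business reason"})
        tier = risk_tier(pg)
        if tier == "low":
            continue  # no sensitive data reachable; no verification cadence applies
        if not p.background_checks:
            findings.append({"party": p.name, "kind": "no-background-check-clause",
                             "detail": f"tier {tier} party without screening clause"})
        cadence = CADENCE_DAYS[tier]
        if p.last_assessment is None:
            findings.append({"party": p.name, "kind": "never-assessed",
                             "detail": f"tier {tier} party has no completed assessment"})
        elif cadence and (today - p.last_assessment).days > cadence:
            findings.append({"party": p.name, "kind": "assessment-overdue",
                             "detail": f"last assessed {p.last_assessment}, cadence {cadence} days"})
    return findings


# Constructed sample inventory and grants (hypothetical names and dates).
SAMPLE_PARTIES = [
    ThirdParty("PayrollCo", "payroll processing", "sec@payrollco.example", date(2023, 9, 1), True),
    ThirdParty("BillingSoft", "patient billing", "ciso@billingsoft.example", date(2022, 1, 15), True),
    ThirdParty("CleanCorp", "evening cleaning", "ops@cleancorp.example", None, False),
]
SAMPLE_GRANTS = [
    AccessGrant("PayrollCo", "hr-payroll", frozenset({"PII", "financial"}), "processes payroll"),
    AccessGrant("BillingSoft", "patient-billing", frozenset({"PHI", "financial"}), ""),
    AccessGrant("CleanCorp", "badge-system", frozenset(), "after-hours building access"),
    AccessGrant("ImagingVendor", "pacs", frozenset({"PHI"}), "reads studies"),  # not inventoried
]

if __name__ == "__main__":
    for row in sensitive_access(SAMPLE_GRANTS):
        print("sensitive access:", row)
    for f in review(SAMPLE_PARTIES, SAMPLE_GRANTS, date(2024, 6, 1)):
        print(f"{f['kind']:28} {f['party']:14} {f['detail']}")
```

Run as a script it prints the sensitive-access list and three findings: ImagingVendor holds PHI access without an inventory record, and BillingSoft has an unjustified grant and an assessment that is older than the high-tier cadence. The cleaning crew, which reaches no sensitive data, generates nothing, which is the point of tiering by access rather than by spend.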
By implementing these steps for knowing and managing third party access across the enterprise and keeping a close eye on who has access to PII, you will be better able to mitigate the risk of breaches associated with not knowing an employee or partner had access to sensitive information. The key though, is taking the necessary steps now – not when your organization is breached.
About the Author:
Hiperos CEO Greg Dickinson has an exceptional track record of driving innovation and revenue within the software and technology space. Under Greg’s leadership, Hiperos continues to establish itself as one of the premier solutions for third-party management.
Prior to Hiperos, Greg was CEO at Venafi, an encryption management software company. Before Venafi, Greg was senior vice president of North American sales and a member of the CEO’s management committee for Ariba. Greg joined Ariba in 1997 when it was a startup with less than $1 million in revenue. By the time he left Ariba in 2004, he was part of the executive team responsible for managing a $200 million company. Greg began his professional career as a founding member of PCNet, a computer reseller. A true visionary, Greg helped launch PCNet’s first Internet product and became a sought-after expert on doing business on the web.
Greg served in the United States Air Force, where he was the recipient of both the Air Force Commendation Medal and Humanitarian Award. He holds a master’s degree in information systems from Pace University and a bachelor’s degree in computer science from Southern Connecticut State. Follow the company on Twitter @Hiperos3PM.