Updated: Jun 12, 2019
There are many lessons to be learned from the recent healthcare vendor (3rd-party) breach at the American Medical Collection Agency (AMCA), which affected the laboratory services companies Quest Diagnostics (Quest) and LabCorp:
Do your own due diligence on any 3rd party. In all types of businesses (including healthcare), I've heard similar poor rationales for working around legal/compliance or the CSO/CISO, limiting due diligence, or softening contracts: "this vendor is the best/only provider of the capability and we need to take a dependent feature to market," "this vendor is already in place with a competitor," "this vendor has certification 'x' and a clean incident/breach history," "we are not (yet) exchanging any sensitive data." If there is a 3rd-party breach, the CSO/CISO will inevitably be held accountable, even if they were never fully aware of the integration.
Make sure that you have a complete understanding and documentation of the integration and of the data shared with the 3rd party, including: how they store and control it, how long they retain it, whether they re-share it and with whom (even if sanitized), and what they are required to do (and by when) if they have an incident or a breach. Any 3rd-party integration is a business, security, and privacy risk that must be reviewed and monitored.
Have regular reviews, checkpoints, and response dry runs to keep the integration and agreements current and to validate the supporting processes.
When there is an incident, consider disclosure content and timing carefully, consulting legal, business, and technical teams. Cylidify advocates transparency in general, but with control of the storyline both internally and externally. Unfortunately, the media and public often run with whatever information is available, so we recommend limited or phased breach disclosures that stay within the notification windows defined by contracts or regulations. Also, when multiple parties are impacted, it is usually the first party to disclose that bears the brunt of the negative press (Quest in this case). Completeness is critical: a well-prepared disclosure leaves less room for speculation, which is a good reason to wait for the longer-lead forensics to provide the specifics before any external disclosure. In this case, those specifics included the number of individuals affected (as opposed to a number of "records" or gigabytes of "data"), the absence of any overt fault on Quest's part, and the fact that sensitive medical data was not included in the breach. See what Cylidify says about disclosure in a previous Ransomware post.
Partner and vendor management is difficult and complex, especially when it comes to technology, security, and privacy. Cylidify is ready to help!