By Simon Hodgett
In today’s complex technology environment there are doubts across many sectors as to whether there is enough focus on supplier relationships and in the context of cybersecurity. Healthcare is no exception. Hospitals and other health care facilities hold vital data about their patients, staff, and medical practices. These institutions are high value targets for unscrupulous theft of data. Add to this the increasing number of connected or electronically tagged medical devices entering the health system, and the result is a rich field for criminal organizations, disgruntled insiders and others bent on mischief to penetrate and disrupt health-related systems.
An institution’s focus on cybersecurity must extend beyond locking down and monitoring its internal systems and information practices. Some of the largest data breaches, including in health care, have occurred in connection with suppliers providing services to the enterprise, not a failure of internal practices and policies. Some of these suppliers were not technology suppliers at all, but rather suppliers of non-technology related products and services who had incidental access to systems. Extending safe data practices from internal practice to suppliers involves focusing on pre-contract diligence, contract terms and attentive contract compliance management throughout the supplier relationship.
In health care systems, #data security is also governed by legislation protecting #personal health information. Such legislation recognizes the importance of suppliers in the protection of personal information. For example the Personal Health Information Protection Act (Ontario) deals specifically with the responsibility of agents and service providers with respect to personal health information, and regulations to the Health Information Act (Alberta) set out general provisions that must be included in an agreement with an “information manager”. While bearing these legislative requirements in mind, agreements with suppliers should be generally based on best practices and direct the supplier to take practical steps that will help prevent breaches and, if a breach occurs, bring the supplier into the process to solve or reduce the impact of the breach.
What to do.
The following are proactive steps that health care institutions should take to manage these risks.
Knowing the environment. First it is important to have a full appreciation of what data and systems are vital to the operation of the institution or represent a privacy or patient safety risk. The mapping of these data categories allows for risk management with respect to how such data is used internally and if, when, and how it is accessed by a third party supplier. The institution should have an inventory of suppliers and associated supplier contracts, as well as a corresponding ranking or rating of the cybersecurity risk associated with the services provided under each supplier contract. Knowing where high risk data, systems, and suppliers reside helps direct focus to the areas requiring most attention in an environment where resources for these activities are inevitably limited.
Knowing the supplier. When the decision is made that a significant data set or system is to be made accessible to a supplier, the institution should, either through a request for proposal process or other fact finding process, diligently investigate the promises and actual practices of the supplier with respect to cybersecurity. Such investigation can include security questionnaires, site visits, review of supplier policies, review of security controls, and available third party audits of security practices.
Contracting for compliance. Informed by the knowledge gained through the “due diligence process”, the contract with the supplier should include certain key provisions such as the following:
- an obligation to comply with relevant institution policies (e.g. physical security, requirements for connecting to systems, terms restricting access to and removal of data, and encryption requirements);
- an obligation for the supplier to comply with its own policies (which have been disclosed during the due diligence process);
- an obligation to comply with laws, specifically those laws in the institution’s jurisdiction applicable to privacy of personal health information;
- reference to relevant external standards, such as the ISO/IEC 27000 series of standards;
- personnel related terms, such as background checks and training;
- restrictions on subcontracting to ensure data and responsibility remains with the party the institution has vetted, unless agreed to otherwise;
- threat monitoring and penetration testing practices;
- provisions allowing audits by the institution and obligating the supplier to maintain its ongoing program of audits by third parties (e.g. annual audits of controls);
- restrictions on use of data (even if anonymized) and obligations to return or destroy data at conclusion of contract; and
- obligations to promptly notify the institution of data breaches or unauthorized access of data.Cybersecurity-related risk is not a temporary risk faced by health care institutions or other sectors of society, but instead, a permanent feature of risk management. Strong internal polices and controls are essential and extending the same significant level of scrutiny and rigor applied internally to supplier relationships is another important element in any risk reduction strategy.
- Monitoring compliance. Ensuring that promises made by suppliers with respect to cybersecurity are actually carried out is vital. The institution should ensure that as part of the inventory of supplier contracts discussed above and following the entering into of new agreements with suppliers, there is a clear understanding of the tools available to promote compliance with the cybersecurity requirements. Appropriate personnel should be required to ensure that reporting, monitoring, and audit tools in the contracts are actually exercised with reasonable frequency, especially with respect to supplier contracts that touch high risk or high value systems or data.
Simon Hodgett is a Partner in the Technology Group at Osler and a member of the firm’s Health Industry Group. Simon can be reached at firstname.lastname@example.org or at 416-862-6819.