Many healthcare professionals swear by their vendors, entrusting them with sensitive customer credit and debit card data for the purposes of facilitating billing and delivery of treatment and services. But how much do you know about the vendors that serve them?
Fourth parties may have full access to your customer data through your vendor relationships. And you may not be aware of how far downstream your customer data goes. Are there 5th and 6th party vendors touching this information? What would an audit by Health & Human Services turn up? How expensive would it be to track down the data and access granted?
Data breaches have become an epidemic in healthcare, so knowing who has access to your patients’ card data, how much and how often, is critical to controlling risk. Should your vendors fail to keep healthcare or payment data safe, consumers will ultimately place the blame on you.
The monetary and reputational damage can be devastating for a healthcare organization, so it is increasingly incumbent on providers to conduct proper due diligence on third parties and any parties that serve them.
At a baseline, healthcare providers should ensure vendors are adhering to PCI compliance standards. PCI is not a one-time activity but an ongoing process. Many companies fall out of PCI compliance due to the labor and time involved. Organizations with good PCI practices often have experience with a security-conscious architecture.
Recognizing that it is unrealistic to comb every log file, the best alternative is to implement a common data sharing and access software platform that can share data all the way down the supply chain of vendors. This type of software allows for common, secured, and carefully logged access to your data. Each vendor, no matter how deep down the chain, can be required to access data through this common exchange software. This ensures that your data is stored in a centralized, secure manner, and that every vendor that accesses your data is logged and authorized by your organization. This creates insight into not only who your 4th party vendors are, but also logs and organizes all access to the data in a programmatic, centralized and easy-to-audit system.
Systems that support proactive rights management enable you to monitor and control who has access to sensitive consumer data. These systems put you in the driver’s seat by notifying you when someone new is requesting access to your consumer data. You can then determine whether this party should be granted access, based on additional investigation with your vendor.
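The two paragraphs above describe a centralized exchange that every vendor, however far down the chain, must go through, plus rights management that holds unknown requesters for review. The following is an added illustration of that pattern in Python; it is not code from the original article or from any product. The vendor names (ClinicCo, BillCo, PrintCo, MysteryCo), record ids and card data are constructed sample values, and the party numbering (owner is 1st party, patient 2nd, direct vendor 3rd, the vendor's vendor 4th) is an assumption made for the report.

```python
"""Added example: a minimal centralized data exchange that mediates every
vendor's access to payment records, logs each attempt, and holds unknown
requesters for the data owner's review. All names and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Vendor:
    name: str
    sponsor: Optional[str]   # the party that contracted this vendor; None for the data owner
    approved: bool = False   # set only by the data owner after due diligence


@dataclass
class AccessEvent:
    when: str
    requester: str
    chain: list              # requester, its sponsor, ... up to the owner (empty if unknown)
    record_id: str
    purpose: str
    outcome: str             # "granted", "denied_unknown" or "denied_unapproved_chain"


class DataExchange:
    def __init__(self, owner: str, records: dict):
        self.owner = owner
        self.vendors = {owner: Vendor(owner, None, approved=True)}
        self.records = records
        self.audit_log = []      # every access attempt, allowed or not
        self.pending = []        # requesters the owner still has to review

    def register(self, name: str, sponsor: str) -> None:
        """A vendor (or a vendor's vendor) is only known through whoever hired it."""
        if sponsor not in self.vendors:
            raise ValueError(f"unknown sponsor {sponsor!r}")
        self.vendors[name] = Vendor(name, sponsor)

    def chain(self, name: str) -> list:
        """Walk sponsors upward: [name, sponsor, ..., owner]."""
        out, cur = [], name
        while cur is not None:
            out.append(cur)
            cur = self.vendors[cur].sponsor
        return out

    def approve(self, name: str) -> None:
        self.vendors[name].approved = True
        if name in self.pending:
            self.pending.remove(name)

    def revoke(self, name: str) -> None:
        """Revoking one link cuts off every vendor downstream of it."""
        self.vendors[name].approved = False

    def request_access(self, requester: str, record_id: str, purpose: str):
        now = datetime.now(timezone.utc).isoformat()
        if requester not in self.vendors:
            # Never-seen party: refuse, log it, and queue it for the owner's decision.
            if requester not in self.pending:
                self.pending.append(requester)
            self.audit_log.append(AccessEvent(now, requester, [], record_id, purpose, "denied_unknown"))
            return None
        chain = self.chain(requester)
        if not all(self.vendors[v].approved for v in chain):
            self.audit_log.append(AccessEvent(now, requester, chain, record_id, purpose,
                                              "denied_unapproved_chain"))
            return None
        self.audit_log.append(AccessEvent(now, requester, chain, record_id, purpose, "granted"))
        return self.records.get(record_id)

    def downstream_report(self) -> dict:
        """Who the 3rd/4th/5th parties are, who brought them in, and how often each got data."""
        report = {}
        for name, vendor in self.vendors.items():
            if name == self.owner:
                continue
            party = len(self.chain(name)) + 1   # +1 because the patient is the 2nd party
            granted = sum(1 for e in self.audit_log
                          if e.requester == name and e.outcome == "granted")
            report[name] = {"party": party, "sponsor": vendor.sponsor, "granted": granted}
        return report


def demo() -> DataExchange:
    """Constructed walk-through: a billing vendor hires a print vendor (a 4th party)."""
    records = {"inv-1001": {"patient": "P-42", "card_last4": "4242", "amount": 125.00}}
    xchg = DataExchange("ClinicCo", records)
    xchg.register("BillCo", sponsor="ClinicCo")      # 3rd party
    xchg.register("PrintCo", sponsor="BillCo")       # 4th party, hired by BillCo
    xchg.approve("BillCo")
    xchg.request_access("BillCo", "inv-1001", "generate statement")   # granted
    xchg.request_access("PrintCo", "inv-1001", "mail statement")      # denied until approved
    xchg.request_access("MysteryCo", "inv-1001", "analytics")         # unknown: denied and queued
    xchg.approve("PrintCo")
    xchg.request_access("PrintCo", "inv-1001", "mail statement")      # granted
    return xchg


if __name__ == "__main__":
    x = demo()
    for e in x.audit_log:
        print(e.when, e.requester, e.outcome, " <- ".join(e.chain))
    print("pending review:", x.pending)
    print(x.downstream_report())
```

The point the example makes is that the exchange, not the vendor, holds the authorization state: a 4th party cannot read a record unless every party between it and the owner is approved, an unknown party is turned away and surfaced for review rather than silently served, and the audit log plus the downstream report answer "who, how much and how often" without anyone combing per-vendor log files.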
Implementing systems that enable control over external user access to your consumer data can help reduce the effort and expense associated with managing vendor relationships – allowing you and your compliance officer to sleep better. It’s a cost-effective line of defense which can shield your organization – and your patients – from data thieves.