HIPAA Survival Guide Newsletter June 2020

The Explosion of Third-Party Risk
Why is third-party risk exploding?
There are at least three factors in play. The first reason is the sheer volume of outsourced relationships that exist, even for small enterprises. For example, in the HIPAA space, the “average” covered entity (“CE”) is said to have approximately twenty-seven (27) business associates (“BA”). However, mid-size CEs likely have hundreds of BAs and large CEs have BAs that almost certainly number in the thousands. But the fun does not end there. Why? Because BAs also have BAs. Therefore, it does not take a rocket scientist to figure out that third-party risk is an exponentially complex problem.
The second factor is that regulators are paying more attention, even though the Office for Civil Rights (“OCR”) has relaxed a few regulations in light of COVID-19. It seems that every day we are bombarded with news of yet another data breach. If your organization’s Breach makes headline news, you can bet that one of two regulators (in the U.S.) will come calling. If it is personally identifiable information (“PII”) that was breached, then the Federal Trade Commission will be knocking at your door. If it was protected health information (“PHI”), then OCR will be the agency paying you a visit.
Moreover, assuming the latter, if the Breach is greater than five hundred (500) records, which is really a small Breach, your organization is going to end up on Health and Human Services’ infamous wall-of-shame. You are not going to have a good day. The bottom line is that there is significantly more scrutiny on public breaches, and that trend is not going to subside anytime soon, no matter which party controls the levers of power. Today, it is simply unacceptable to have thousands of your customers’ records available on the “dark web” for sale to the highest bidder.
That leads us to the third factor. What is the value of your organization’s reputation? Everything. That’s it; there is no other answer. If you take a big enough hit to your reputation, your brand may be so damaged that recovery is impossible. Sure, if you are a large CE you may recover. Why? Because large CEs have pseudo-monopoly market share in certain regions. They generally can’t be disrupted out of existence. That doesn’t mean that a significant breach is a trivial event for a large CE. It simply means that, unlike a small-to-midsize BA, they are likely to survive.
So, if you are a “cowboy healthcare startup” solely focused on technology and not giving compliance and cybersecurity (CyberCompliance™) its just due, then you will never cross the chasm to play with the big boys that your venture is likely depending on for its survival. The big boys understand that third-party risk can cause serious damage to their brands. They are not about to let you into the game without a thorough vetting, which will likely involve much more than a questionnaire, although the latter will probably initiate the process. They are also going to expect that you vet your business partners as well. Security is only as good as its weakest link. If you don’t have a good story for achieving that objective, then that’s a good indicator that your CyberCompliance™ is not where it needs to be.
The questionnaire is also likely to ask that your company produce: (1) your latest risk assessment; (2) your cybersecurity policies and procedures; (3) your workforce training plan and results; and (4) potentially any number of other pieces of information that demonstrate the rigorousness of your CyberCompliance™ program. Expresso, including our BPV Portal, helps you accomplish all of this and more. Combine that with our partner’s CyberCompliance™ Healthcare Moonshot Offering and you have the instantiation of a program at a fraction of the cost (and time) that it would take to roll your own solution.
On the other hand, if you are one of the big boys, and you want to significantly reduce the time it takes to vet hundreds, if not thousands, of business partners (a.k.a. business associates in the HIPAA space), then Expresso's BPV Portal will save you the daunting time, effort and cost of mailing and processing questionnaires by hand, saving tens of thousands of dollars on a yearly basis. The more business partners you have to vet, the more you save. This feature alone is worth our Subscription Plan’s price of admission. In addition, you get Expresso’s other enterprise features to boot.