Third-party providers add to breach worries

The widespread use of third-party providers is a major contributing factor to data breaches involving health care institutions, observers say.

“It's a fertile area of concern,” said Celeste M. King, a partner with law firm Walker Wilcox Matousek L.L.P. in Chicago. “Hospitals may able to keep watch on what they're doing, but can they keep that same scrutiny on the vendors?”

Some studies have indicated outside providers account for as much as one-third of all breaches, said Tom Srail, Cleveland-based senior vp with Willis North America Inc.

“It's very difficult for health care organizations to manage a lot of those multivendor relationships,” which have “been dramatically increased over the last few years, mainly for the significant cost savings they seem able to obtain,” said Oliver Brew, New York-based vp of specialty casualty at Liberty International Underwriters, a unit of Liberty Mutual Group Inc.

One additional factor is that the data in the hands of these outside providers may be moved offshore, which creates a “whole new set of obligations, depending on the jurisdiction you're in,” he said.

“When you bring vendors inside the walls of the castle, they now have access to everything you have; and you might not necessarily have vetted them as carefully” as if they were employees, even if the company itself was vetted, said Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York.

Observers say under federal law, the health care institution and the third-party provider are legally responsible for data breaches, but the health care provider may find itself the responsible party ultimately.

Mr. Parisi said while hospitals could subrogate in cases where there is a problem with data handled by outside firms, “in many cases they're limited by contract, or they're someone who's judgment-proof or doesn't have money or is in a jurisdiction where they can be easily sued—India, for example.”

“The hospital could be the deep pocket,” said Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C.

Beyond the “pretty obvious” third-party firms, such as networks, to which data is entrusted, health care institutions also should consider less apparent risks, such as the cleaning crew that “comes in several times a day and has the ability to access information,” said Mark Silvestri, Quincy, Mass.-based vp of product development and director of NetProtect at CNA Financial Corp.

Health care institutions should ensure that the outside firms to which they are entrusting information have adequate safeguards in place, said Mr. Silvestri. Risk managers also will want to ensure that they assume responsibility for any breaches, “which raises a whole range of contractual issues”—not the least of which is many providers have self-renewing agreements that were established “long before anyone paid attention to privacy,” Mr. Silvestri said.

In some agreements, “we're seeing things that were appropriate 20 years ago,” but are not today said Mr. Srail.

“Make sure those vendor contractual insurance requirements are up to date and commensurate with the risks that vendor is bringing to the organization,” he said.

In addition, be mindful that for commodity-type services, such as couriers, cleaning and document shredding, often there is only a purchase order in place that has “very little in terms of contractual provisions in allocating responsibility” in the case of a data breach, Mr. Silvestri said.