5 Lessons Learned: Avoiding the Quest Data Breach

In June, both Quest Diagnostics and LabCorp announced breaches via the American Medical Collection Agency (AMCA). Through the third-party vendor, nearly 20 million records were breached over the course of eight months—an eternity.

Thankfully, this is way longer than the average—not that the average is good. Healthcare organizations allow an average of 36 days to pass between initial security intrusions and detection, followed by an additional 10 days to contain it.

This information spells trouble for organizations that don’t take third-party risk seriously. While we might never really know what precautions Quest Diagnostics and LabCorp had in place, it’s only natural to consider missteps each company may have made in defending its data. Keep reading for five common third-party risk mistakes, so you can avoid the same fate.

1. Decentralized Information
Firms that deal with vendor risk on a case-by-case basis with multiple systems, policies, and frameworks are muddling their third-party risk programs. While such firms might be addressing the majority of issues on a case-by-case basis, they’re not getting a comprehensive picture of risk. This is because risk is best managed with a consistent framework that’s monitored and analyzed from a single point of view. Not analyzing and managing risk from a place of consistency puts firms at risk of failing to capture the full lifecycle and range of third-party relationships, which may create inefficiencies, blind spots, and inconsistencies.

2. No Common Standards
Every industry is different, so it’s only fitting that third-party risk management practices vary significantly for each. This is in part due to organizational differences, but more broadly due to the absence of commonly observed best practices. For example, the composition of teams conducting due diligence and onboarding of vendors varies exponentially from firm to firm.

3. Leaving Out Important Stakeholders
Typically, the department involved at the beginning of a third-party relationship (often procurement) isn’t always who manages it moving forward. This creates the potential for gaps in oversight and communication as information is handed from one department to another. Including all relevant personnel from the get-go of a relationship ensures coverage and consistency.

4. Erratic Assessments
Continually assessing the value of a vendor often falls to the wayside on a manager’s long to-do list because of competing priorities and the uneventful nature of successful relationships. While most firms understand the importance of performing risk assessments at the outset of a relationship, prioritization and energy to continue evaluations at regular intervals can wane over time.

5. Too Little Too Late 
All companies eventually run into issues sourcing vendors. Though a division may have a spectacular idea, create a top-notch business case, and receive approval, they still might discover an issue with one or more vendors down the line. Entire projects can be derailed because third-party risk management was not considered at the genesis of a project.

Third-party risk continues to be an area of vulnerability for every organization—but especially healthcare organizations that deal with the most sensitive of data. When other organizations get into hot water, it’s important to consider potential missteps and apply learnings to avoid the same fate for your organization.