HHS Cyber Initiative: Strengthening Your Healthcare Business Through Third-Party Security

The healthcare industry holds some of the most sensitive data imaginable: our personal health information. Protecting this data from cyber threats is paramount, and the US Department of Health and Human Services (HHS) has just taken a major step towards that goal. As part of its new cyber initiative, HHS has laid out specific cybersecurity goals for healthcare companies, including medical practices, billing companies, and medical SaaS providers.

One of the most critical goals emphasizes vendor and supplier cybersecurity requirements. This means healthcare businesses must proactively identify, assess, and mitigate the risks associated with third-party products and services. Your EHR vendor, your cloud storage provider, and even your email system are all part of your digital ecosystem, and a vulnerability in any of them can become a breach of your own data.

What does this mean for your business?

The desired outcome of the HHS initiative is robust contracts with suppliers and third-party partners. These contracts must stipulate specific security measures that align with your own cybersecurity program and Cyber Supply Chain Risk Management Plan (CSCP). HHS has also highlighted email protection systems and Cybersecurity Oversight and Governance (CDOG) as the key Health Industry Cybersecurity Practices (HICP) for mitigating supply chain risk.

Taking Action: Protecting Your Business and Your Patients

Here are some actionable steps you can take to comply with the HHS initiative and strengthen your security posture:

  • Conduct thorough vendor assessments: Evaluate the cybersecurity practices of your existing and prospective vendors, including their data security policies, penetration testing procedures, and incident response plans, and repeat the assessment on a regular schedule rather than only at onboarding.
  • Negotiate clear contracts: Include clauses that obligate vendors to maintain specific security standards, report security incidents and breaches within a defined timeframe, and cooperate with your incident response efforts.
  • Implement HICP practices: Invest in robust email protection systems and establish a strong CDOG framework to ensure proactive cybersecurity oversight and governance.
  • Develop a CSCP: Create a comprehensive plan for managing supply chain cyber risks, outlining procedures for assessing vendors, monitoring their performance, and taking corrective action when a vendor falls short.

Compliance Beyond Regulations: Building Trust and Resilience

While aligning with the HHS initiative is essential, remember that the ultimate goal is not just compliance but a truly secure and resilient healthcare ecosystem. By proactively managing your supply chain risks, you not only protect sensitive patient data but also build trust with your patients and partners.

This new HHS initiative is a clear signal that the healthcare industry needs to take a more proactive approach to cybersecurity. By embracing these goals and implementing robust vendor security measures, you can demonstrate your commitment to patient privacy and position your business for success in the increasingly complex digital landscape of healthcare.


Vector Choice is here to assist and support your business with the HHS cyber initiatives. Contact us today to learn more!