LACyber: Cyber Security Blog

a division of Lincoln Archives Inc.

Ensuring Support From Medical Support Organizations

by Sally Rozumalski

Protect PII with Medical Support

You can do everything possible to keep data secure, such as invest in tighter security controls, adhere to the highest standards, diligently train staff—and yet you can still be vulnerable. Once PHI crosses from the medical organization into the hands of a third-party medical support organization, it becomes the shared responsibility of both the covered entity and the third-party vendor to ensure its safety.

Bottom Line: You’re only as strong as your weakest link.

What is a medical support organization?

Simply put, a medical support organization (MSO) is any third-party healthcare management or medical services organization that provides administrative or medical support services to individual physicians and group practices.

One of the primary purposes of an MSO is to relieve physicians of daily business functions beyond medical necessities, so they can focus on the clinical aspects of their organizations. These organizations range from contracted providers to information technology, medical support staff, transportation, and many more.

3 Challenges That Arise with MSOs

Even with the growing demand for medical support organizations to be compliant under HIPAA, many organizations are uneducated or unaware of their responsibilities regarding personal health information security.

  1. Third party networks: increasing in complexity

As covered entities expand into new markets and diversify their business, many have begun to work with a broad range of third parties. As a result, it becomes increasingly overwhelming and resource-intensive to manage and monitor these third parties, or even to know which ones to focus on and how closely. Unlike one's own employees, third parties have to be managed indirectly, which makes the task all the more difficult.

  2. Limited collaboration, increased redundancies

If assessment results are not centralized and consolidated across the different levels of an organization, the result is redundancy and duplicated effort where none is needed. This typically happens when different departments manage different third-party functions for the same company: the same third-party vendor may be subject to separate due diligence assessments by the purchasing department, inventory personnel, and the manufacturing department.

  3. Large volumes of data, limited transparency

Third-party governance, risk assessments, and compliance monitoring involve extremely high volumes of data. It becomes increasingly difficult to make sense of this data and transform it into meaningful insights. Many times, companies are unable to uncover third-party issues or trends in a timely manner because they lack visibility into these areas of concern. All they have is a mountain of data and no way to derive actionable information that can drive decision-making.


3 Steps to Strengthen Third-Party Awareness:

As companies strive to overcome the challenges of third-party due diligence, here are a few important steps that can be taken:


  1. Screen each third party

Companies that take the time to conduct proper background checks on each third party set themselves up to build a reputable and trustworthy relationship. They typically collect and analyze data on third-party executives, reputation, government dealings, past convictions, payment accounts, anti-corruption policies, and other critical areas.


  2. Develop a comprehensive code of conduct and policies, and communicate them effectively

Codes of conduct and policies help third parties understand a company's rules and boundaries for ethical behavior and regulatory compliance. What matters most is how this content is communicated. Comprehensive training sessions supplemented with refresher courses are ideal. The key is to focus on what behavior is expected of third parties.


  3. Implement controls

Third parties are responsible for establishing and monitoring their own compliance controls. But the companies that hire them are also required to implement preventive, detective, and corrective controls to keep third-party risks and compliance violations in check. Controls need to be monitored, measured, and tested at regular intervals through appropriate due diligence measures. Oftentimes, covered entities turn to a Business Associate Agreement (BAA) to uphold secure access to personal health information (PHI). Click here to read about the current trends and concerns regarding BAAs in our area.

For further information on how to better collaborate with third parties and gain greater visibility into risks, HIPAA violations, and PHI issues, please call us at 871-7040.

LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.


Contact Information:

155 Great Arrow
Buffalo, New York
(716) 871-7040
