The United States Department of Veterans Affairs (VA) is a federal agency that provides comprehensive healthcare services, benefits, and support to military veterans and their families. The VA operates a nationwide system of hospitals, clinics, and benefits offices focused on ensuring the health, welfare, and dignity of those who served in the United States armed forces.

As with many modern organizations, the VA has undergone a digital transformation, resulting in a greater emphasis on cybersecurity measures. This evolution has also increased the importance of establishing third-party risk management programs to protect veteran data that third-party vendors use.

In this blog, we’ll explore third-party risks that could compromise U.S. veteran data and how proper third-party risk management strategies can secure data across your entire vendor inventory.


U.S. veteran data used by the VA

The VA uses a wide range of veteran data to provide care and services to military veterans. Depending on the third-party service provider used by the VA, vendors may also have access to this data—making third-party risk management a priority for data security and protection.

Examples of customer data used by the VA include:

  • Personally identifiable information: Full names, social security numbers, birth dates, and contact information used to identify and ensure veterans receive correct benefits and services
  • Health information: Medical records detailing veterans’ physical and mental health histories, diagnoses, treatment plans, medications, lab results, and other notes from healthcare providers that support healthcare services across VA facilities
  • Military service records: Details about a veteran’s service, including branch, rank, dates of service, deployment history, service-related injuries, and discharge status, are used to determine eligibility for benefits and services
  • Financial information: Insurance policies, including government-sponsored and private insurance, which coordinate benefits and payment for a veteran’s healthcare services

There are also other categories of personal data used by the VA, including claims information and mental health counseling records. The VA's large amount of data makes it a prime target for cybercrime, creating security risks within the organization and for the VA’s third-party vendors.

Third-party security risks that compromise U.S. veteran data

The VA is no stranger to security risks. In 2020, hackers accessed VA systems with social engineering techniques to exploit authentication protocols, resulting in a data breach affecting over 46,000 veterans. After this breach, the VA published information specifically for veterans on personal data security and ramped up its cybersecurity efforts to prevent future security incidents.

The threat landscape of third-party risks continues to grow as organizations like the VA rely on vendors for business operations. Third-party vendor relationships present a variety of security risks that could impact U.S. veteran data; the main categories are described in the sections below.

These third-party risks pose challenges for an organization and can have devastating consequences if not managed properly.

Data breaches and cyber attacks

One of the most significant cyber risks facing veterans is the unauthorized access or disclosure of their personal and health information due to cybersecurity vulnerabilities in third-party systems. Third-party vendors provide services to the VA but are not part of the VA's information technology infrastructure, so they may follow different security protocols. These vendors include contractors, service providers, and partners accessing veterans' data.

Cyberattacks, such as hacking, phishing, and ransomware, can exploit weaknesses in third-party defenses and lead to the exposure of sensitive data. For instance, cybercriminals can access veterans' personal and health information if a third-party contractor's system is hacked. This information is often used for fraud, such as identity theft, financial fraud, or insurance fraud.

Insufficient data protection measures

Third-party service providers may not always have sufficient data privacy practices to meet the rigorous standards set by the VA and federal regulations, like the Federal Risk and Authorization Management Program (FedRAMP). Poor data protection measures include inadequate encryption, weak access control protocols, and insufficient data backup and recovery processes.

Inadequate encryption can leave sensitive data vulnerable to cyber threats, while weak access control protocols allow unauthorized personnel to access confidential information. Additionally, insufficient data backup and recovery processes may result in permanent data loss during an unexpected system disruption or cyber attack. Therefore, it is essential to ensure that third-party service providers implement robust security measures to minimize the risk of data breaches or loss.

Compliance risks

The VA and its third-party service providers must follow relevant laws and regulations. For instance, the Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers safeguard patients' protected health information (PHI) on electronic platforms. Similarly, the Federal Information Security Management Act (FISMA) requires federal agencies to adopt information security best practices to protect sensitive government data. Cloud service providers who work with federal agencies must comply with the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security assessment, authorization, and continuous monitoring.

When third-party providers fall short in complying with these laws and regulations, it can lead to legal and regulatory consequences. Such consequences include hefty fines and penalties, reputational damage, and litigation. Additionally, non-compliance with regulatory requirements increases the potential for data breaches, putting sensitive information at risk of falling into the wrong hands and significantly harming individuals and organizations.

Data transfer risks

Transferring data between the VA and third-party service providers is a complex process that requires careful consideration of various security risks. One of the most significant risks associated with this transfer is the potential for security breaches. These breaches could occur during data transmission or storage, leading to unauthorized access to confidential information.

One primary factor that increases the risk of security breaches is using unsecured networks for data transmission. Data transmitted over an unsecured network is vulnerable to interception by unauthorized individuals in what is known as an adversary-in-the-middle attack. Similarly, storing data in less secure environments can also increase the risk of security breaches since these environments may lack the necessary security protocols to protect data from unauthorized access.

Insider threats

When third-party service providers handle veterans' data, it is important to consider the potential risks associated with the employees of those providers. If these employees have access to the data, they may misuse or disclose it maliciously or negligently. Misusing or disclosing this information presents a serious insider threat to data security and potentially national security, depending on the military service record of affected veterans.

To mitigate this risk, it is crucial to implement stringent access controls and effective monitoring by third parties. Without proper controls and monitoring, the risk of insider threats increases, which can lead to data breaches and disruptions to business continuity. Therefore, it is important to ensure third-party service providers have proper security measures regarding personnel confidentiality and security training to protect veterans' data and prevent unauthorized access or disclosure.

Third-party risk management strategies to protect U.S. veteran data

VA organizations can implement various third-party risk management strategies to minimize the security risks listed above. These strategies focus on managing risk, specifically the protection of data held by third parties, and on ensuring veteran data is secured at every level of access beyond the VA. The sections that follow offer recommendations for specific risk management strategies.

Comprehensive due diligence

Vendor due diligence refers to conducting a comprehensive security screening of third-party vendors during procurement and onboarding. This process is essential before beginning a business relationship that shares sensitive data with third-party service providers.

The due diligence process can include various processes to evaluate a service provider’s security posture. The most essential review includes assessments of a vendor’s security controls, infrastructure, and policies, as well as their compliance with relevant regulations (HIPAA and FISMA) designed to protect the privacy and security of sensitive data.

Other evaluations can include a vendor’s history of data breaches or security incidents, as well as current policies, procedures, and controls related to data protection, privacy, and cybersecurity. This evaluation should also assess their data retention policies, access controls, and encryption practices.

Thorough vendor due diligence ensures you are working with a reliable service provider who prioritizes the security and privacy of your data.

How UpGuard can help

UpGuard Vendor Risk features a streamlined approach to vendor assessments in our all-in-one platform, which provides fast and accurate risk assessments tailored to your vendor relationships.

Prioritize risk assessments based on a vendor’s risk exposure to your organization, and conduct initial assessments with our data-driven security ratings—or explore our library of industry-standard security questionnaires. Vendor Risk provides one place to assess, remediate, or waive vendor risks to create an ongoing record of your vendor’s security posture.


Data security TPRM frameworks

TPRM frameworks offer a set of organized approaches that organizations use to identify, assess, manage, and monitor the risks of outsourcing services or functions to third-party vendors. These frameworks usually involve processes for thorough due diligence and ongoing oversight of third-party vendors throughout their lifecycle. TPRM frameworks outline regular audits and security assessments, encouraging vendors to adhere to contractual security obligations and industry best practices.

Choosing a TPRM framework that prioritizes data security is vital to protecting sensitive data against evolving cyber threats. These frameworks provide a structured approach to vendor risk management, including identifying, assessing, managing, and monitoring the data security risks associated with external vendors. This ensures that sensitive information remains protected throughout the supply chain.

There are a variety of security frameworks that prioritize data security, including:

Organizations can ensure a comprehensive approach to data security by integrating principles and controls from TPRM frameworks to address risks from third-party vendors.

How UpGuard can help

UpGuard Vendor Risk supports aligning your vendors to industry-leading data security frameworks with our security questionnaires.

Automate your security questionnaires to get deeper insights into your vendors’ security and risk exposure with over twenty industry-standard questionnaires, including ISO 27001, NIST CSF, SIG Lite, and more. Risks are automatically identified and surfaced based on vendor responses. Remediation workflows enable you to communicate directly with vendors regarding any findings of concern.


Continuous monitoring and auditing

Continuous monitoring and auditing ensure third-party vendors comply with data security standards and contractual obligations. This practice can involve periodic security assessments, penetration testing, regular updates to security measures, and incident response plan reviews.

Continuously monitoring and auditing your vendors can provide valuable and timely information. This practice helps you proactively identify and address potential risks, preventing them from becoming critical problems. Regular auditing also helps you maintain transparency and accountability, enabling you to make informed decisions regarding your vendors.

By implementing ongoing monitoring and regular audits of third-party vendors, businesses can help protect their data and minimize the risk of data breaches and other security incidents.

How UpGuard can help

UpGuard Vendor Risk includes instant security ratings, which help you understand your vendors’ security posture through data-driven, objective, and dynamic security ratings.

Our security ratings are generated by analyzing trusted commercial, open-source, and proprietary threat intelligence feeds and non-intrusive data collection methods. These easy-to-understand scores are updated daily and based on analyzing each vendor’s underlying domains and security posture.


Incident response and breach notification protocols

Proper reporting and notification protocols are critical should a security incident or data breach occur through a third-party vendor. These practices outline crucial procedures the organization and vendors must follow when security incidents occur, including defining roles and responsibilities, organizing communication channels, and establishing timelines for action.

Incident response and breach notification protocols improve data security by establishing a proactive and structured approach to incident containment. A proper incident response plan allows organizations to act quickly to contain breaches and mitigate damage, with identified communication channels and coordination efforts between an organization and its vendors. The ultimate goal is to ensure a swift and coordinated response to minimize the breach's impact, protect sensitive information, and maintain the trust of customers and stakeholders.

How UpGuard can help

UpGuard Vendor Risk helps prevent security incidents from happening in the first place with automated remediation workflows and industry-leading vulnerability detection tools.

Simplify and accelerate how you request remediation of cybersecurity risks from your third-party vendors—before they become security incidents. Our built-in workflows and remediation planners provide real-time data, progress tracking, and notifications when issues are fixed.

UpGuard Vendor Risk also lists vulnerabilities identified through information exposed in your vendor’s HTTP headers, website content, and open ports. Our free Risks and Vulnerabilities blog category focuses on specific risk findings and vulnerabilities, including how to resolve and mitigate common issues facing your organization.


Regular documentation and reporting

Regular documentation and reporting refers to the systematic process of recording and communicating the findings, actions, and status of third-party risk assessments, audits, and monitoring activities. This practice involves detailed reports on third-party vendors' security posture, compliance status, and performance based on periodic reviews and evaluations.

A continuous, up-to-date overview of the organization’s third-party risk landscape enables proactive identification and mitigation of potential security threats. By maintaining detailed records of vendors' security practices and compliance with agreed-upon standards, organizations can quickly address gaps and vulnerabilities before they are exploited.

Regular documentation and reporting ensure robust data security in third-party vendor relationships, providing a foundation for ongoing risk management and continuous improvement. We recommend conducting regular assessments alongside continuous monitoring to ensure detailed coverage.

How UpGuard can help

UpGuard Vendor Risk’s reporting feature offers tailor-made reports for stakeholders, including executive reporting, vendor risk reports, and custom report templates.

Use our prebuilt executive reporting to get insights from the platform, including average vendor security ratings and their twelve-month history, current risk category breakdowns, and a list of your highest and lowest-rated vendors.

Generate a vendor risk report as an in-depth PDF to share with internal stakeholders and vendors, or use vendor subsidiary reports to see the security performance of an organization with multiple subsidiaries.


UpGuard: Voted the #1 Third Party & Supplier Risk Management Software

UpGuard is proud to be named the #1 Third-Party & Supplier Risk Management Software in Winter 2024 by G2, the world’s most trusted peer review site for business software. UpGuard was also named a Market Leader in the category across the Americas, APAC, and EMEA regions for the sixth consecutive quarter, reflecting the customers' trust and confidence in the platform.

G2 evaluates products in the Third Party & Supplier Risk Management category based on customer satisfaction (as per user reviews) and market presence (considering market share, seller size, and social impact). UpGuard has been identified as a Leader owing to its high scores in customer satisfaction ratings and significant market presence.
