5. Ensuring Supply Chain & Third-Party Robustness


No tech company is an island; health tech firms rely on a supply chain of third-party services, from cloud hosting, data storage, analytics tools and payment processors to wearable device manufacturers, AI model providers and more. But every third party that touches your data or systems is a potential source of risk. In fact, some of the largest healthcare data breaches have stemmed from vulnerabilities in the supply chain (for example, a vendor’s misconfigured server or a compromised API connection; just look at the catastrophic impact the WannaCry ransomware attack had on the UK NHS in 2017, when the cryptoworm spread by exploiting connections between computers that had not been kept up to date).

When you entrust sensitive personal data to a vendor, you are still ultimately responsible for its protection in the eyes of regulators and users. GDPR explicitly holds controllers liable for the compliance of their processors (and requires strict due diligence and contracts). Even under HIPAA, if a business associate (vendor) breaches PHI, the covered entity faces enforcement as well if they didn’t have proper safeguards/agreements. In the EU, lack of proper data processing agreements or failure to vet processors is one of the most common compliance failures – it’s noted that insufficient processor safeguards rank among the top causes of regulatory fines.

Key risks in the supply chain include:

  • Unauthorised access or data leaks via vendors: If your cloud storage provider doesn’t encrypt data or your CRM SaaS has a bug, your user data could be exposed. Any weakness in their security is effectively a weakness in yours.
  • Sub-processor sprawl: Perhaps you have a contract with a reputable vendor, but that vendor uses further sub-processors (e.g. subcontractors, or it outsources support to another firm). Do you know about those, and are they held to the same standards? It’s common for startups to sign up to a service without realizing data might flow to the service’s overseas affiliates or subcontractors.
  • Software Development Kits (SDKs) and tracking tools: Many mobile health apps incorporate third-party SDKs (for analytics, crash reporting, social media integration, etc.). Some of these SDKs have been caught collecting more data than they should, or sending data to unexpected parties. For example, an innocuous library might be transmitting user device info to an ad network unbeknownst to you. This creates hidden privacy issues.
  • International transfers via vendors: Your company might be based in one country, but your vendors might store data on servers around the world. If a vendor moves EU personal data to the US and you didn’t put SCCs in place, that’s a violation. Similarly, if an Indian law prohibits sending data to X country and your vendor does it, you both are in breach.
  • Incident response and accountability: If a vendor suffers a breach, will they even tell you in time for you to meet your notification obligations? Your contract should require it, but smaller vendors might not have mature incident detection, so you could find out long after the fact.

All these risks mean that vetting and managing suppliers is as important as securing your own systems. Health tech organisations should implement a vendor risk management programme that at minimum:

  • Inventories all third-party providers and tools in use.
  • Assesses the data they handle and the criticality of the services they provide.
  • Checks that contracts, Data Processing Agreements (DPAs) or business associate agreements imposing security, confidentiality and cooperation duties have been put in place, and that they include provisions such as: the vendor must implement specific security controls, must notify you within X hours of any breach, must not sub-contract without approval, must assist in DPIAs or audits, and will delete/return data upon termination.
  • Conducts privacy/security due diligence before onboarding a vendor, and periodically (e.g. annually or when renewal comes up). This might involve sending them a questionnaire or reviewing their compliance attestations (ISO certs, SOC2 report, etc.). If a vendor will be handling extremely sensitive data, you might even consider a third-party audit or penetration test of their platform (or choose a vendor that has publicly undergone such audits).
  • Monitors and limits data sharing by following the principle of least privilege when integrating vendors. Only send the minimum necessary data. For instance, if using a cloud email service to send appointment reminders, do you need to include sensitive medical details in that data transfer? Maybe not – minimise what passes through third parties.
  • Stays aware of fourth-party risk by asking vendors to disclose their sub-processors. Many big cloud companies list their sub-processors online. You may need to approve these or at least know who else is in the chain.

When supply chain weaknesses aren’t addressed, the fallout can be severe. Consider a scenario: your analytics provider suffers a cyberattack and hackers siphon user health data – regulators will come knocking at your door, since you chose that provider. Users will blame your app, not the white-label vendor behind it. Additionally, we’ve seen cases of joint liability where both the primary company and the vendor were fined by EU authorities because both failed in their duties to protect data. And beyond legal impact, a breach via a third party still erodes trust in your brand. That’s why due diligence and robust vendor management are truly part of your core privacy programme, not an afterthought.

Finally, remember that supply chain risk includes not just digital service providers but any partners you share data with. For example, if you share pseudonymised health data with a university for research, you need an agreement and assurance they’ll safeguard it (and not re-identify individuals, etc.). Or if you integrate with a wearable device maker and exchange data, you need to align privacy practices.

In summary, your privacy posture is only as strong as your weakest link. Make strengthening those links a priority by building privacy and security into your procurement and partner selection processes. Health tech users are entrusting their data not just to you but indirectly to everyone you work with – choose wisely and verify consistently.

Worried that you may not have fully appreciated your third-party and supply chain risks? Contact us to find out how we can help.


Act now and speak to us about your privacy requirements

Start a conversation about how Privacy Made Practical® can benefit your business.
