What’s Your Healthcare Third-Party Vendor Risk Management Strategy?
“A substantial portion of people in America” were likely affected by the Change Healthcare breach, said UnitedHealth Group CEO Andrew Witty in the company’s most recent press statement.
The breach and its waves of ongoing impact show all of us that cloud cybersecurity measures remain critical. The situation makes it clear that third-party risk management in healthcare is a proactive PHI protection strategy that can no longer be overlooked.
Together with HealthsystemCIO, we held a roundtable to talk it out, bringing healthcare third-party risk management into sharp focus. We discussed exactly how healthcare organizations (HCOs) can bolster their defenses against vulnerabilities introduced by third-party services.
Key Insights at a glance:
- Why you need a strict vendor compliance policy – if your vendor can’t demonstrate their security posture for protecting PHI, DO NOT work with them.
- Cyber defense is about MDR (managed detection and response) – in today’s threat landscape, actively hunting for and responding to threats beats waiting passively to be hit.
- Don’t leave your security to chance – it’s not worth risking patient safety or your bottom line.
Dive right into the discussion and watch the replay.
Understanding the Complexity of Third-Party Risks
We came out of the discussion realizing something crucial: Reliance on third-party services in healthcare is a double-edged sword. On one hand, these vendor partnerships can drive innovation, efficiency, and better patient care. On the other hand, they introduce a significant vector for potential security breaches and operational disruptions.
It’s a tightrope walk, and it demands a more comprehensive approach to risk management—one that pulls in business continuity, process and data flows, and, most importantly, IT security as a component of overall organizational risk.
The Change Healthcare breach illustrates why organizations need to stop and carefully reevaluate their third-party risks in healthcare cybersecurity – and have their Plan Bs in place now. We all need to be ready to mitigate these vulnerabilities.
The Critical Role of Digital Hygiene and Authentication
A key takeaway from the webinar was the emphasis on fundamental security practices. Notably, the panelists highlighted the importance of hygiene and the implementation of multifactor authentication (MFA). These powerful measures are often overlooked in the broader strategy, yet they form the bedrock of a strong security posture.
Managing account access creates a major hurdle when it comes to third parties. Outside vendors need to access applications, complicating account management and potentially compromising security. Compromised credentials pose a significant threat – and all too often, people don’t realize their credentials have been compromised until it’s too late. Security and IT departments need to carefully monitor account usage, watching out for suspicious activity that could indicate unauthorized access.
Our panelists discussed companies that enforce MFA for all accounts, whether internal or third-party, and restrict direct network access to mitigate risks. Some companies require remote employees to confirm their identity via webcam during password reset requests, a simple yet effective method to ensure the person making the request is who they claim to be.
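The account monitoring the panelists describe above, as an added example that is not part of the original webinar or post: a small Python detection that runs over constructed sign-in events for third-party support accounts and flags sign-ins without MFA, sign-ins outside the vendor’s approved maintenance window, sign-ins from a source IP outside the vendor’s allowlist, and vendor-style accounts that have no access policy on file at all (an inventory gap). The `svc-` naming convention, the VENDOR_POLICY table, the JSON field names and the sample events are all assumptions constructed for this example, not data from any real identity provider.

```python
"""Policy checks over sign-in events for third-party (vendor) support accounts.

Constructed example: the naming convention, policy table, log format and
events below are assumptions, not output from a real identity provider.
"""
import ipaddress
import json
from datetime import datetime

# Assumed convention: third-party support accounts are named "svc-<vendor>".
VENDOR_ACCOUNT_PREFIX = "svc-"

# Assumed per-vendor access policy: allowlisted source ranges and an approved
# maintenance window (start, end) as "HH:MM"; a window may wrap past midnight.
VENDOR_POLICY = {
    "svc-labvendor": {
        "allowed_cidrs": ["203.0.113.0/24"],
        "window": ("22:00", "04:00"),  # overnight window, wraps midnight
    },
    "svc-billingvendor": {
        "allowed_cidrs": ["198.51.100.0/25"],
        "window": ("08:00", "18:00"),
    },
}

# Constructed sign-in events (one JSON object per line, as an IdP export might look).
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T23:10:00","user":"svc-labvendor","src_ip":"203.0.113.40","mfa":true,"result":"success"}
{"ts":"2024-03-02T13:05:00","user":"svc-labvendor","src_ip":"203.0.113.41","mfa":true,"result":"success"}
{"ts":"2024-03-02T09:30:00","user":"svc-billingvendor","src_ip":"198.51.100.10","mfa":false,"result":"success"}
{"ts":"2024-03-02T10:00:00","user":"svc-billingvendor","src_ip":"192.0.2.77","mfa":true,"result":"success"}
{"ts":"2024-03-02T10:05:00","user":"svc-billingvendor","src_ip":"192.0.2.77","mfa":true,"result":"failure"}
{"ts":"2024-03-02T11:00:00","user":"jdoe","src_ip":"10.0.0.5","mfa":true,"result":"success"}
{"ts":"2024-03-02T15:00:00","user":"svc-unknownvendor","src_ip":"203.0.113.9","mfa":true,"result":"success"}
"""


def in_window(hhmm, start, end):
    """True if wall-clock time hhmm falls in [start, end); handles wrap past midnight."""
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end


def ip_allowed(ip, cidrs):
    """True if ip lies inside any of the vendor's allowlisted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def check_event(event):
    """Return the policy violations (possibly several) for one successful sign-in."""
    user = event["user"]
    if not user.startswith(VENDOR_ACCOUNT_PREFIX):
        return []  # internal account: outside the scope of this detection
    policy = VENDOR_POLICY.get(user)
    if policy is None:
        # A vendor-style account nobody has a policy for is itself a finding.
        return ["vendor account with no access policy on file (inventory gap)"]
    reasons = []
    if not event["mfa"]:
        reasons.append("sign-in without MFA")
    hhmm = datetime.fromisoformat(event["ts"]).strftime("%H:%M")
    if not in_window(hhmm, *policy["window"]):
        reasons.append("sign-in outside approved maintenance window")
    if not ip_allowed(event["src_ip"], policy["allowed_cidrs"]):
        reasons.append(f"source {event['src_ip']} not in vendor allowlist")
    return reasons


def analyze(events_text):
    """Run the checks over JSON-lines events; returns (user, ts, reason) findings.

    Only successful sign-ins are evaluated here; failed attempts belong to
    brute-force / password-spray logic, which this example does not cover.
    """
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "success":
            continue
        for reason in check_event(event):
            findings.append((event["user"], event["ts"], reason))
    return findings


if __name__ == "__main__":
    for user, ts, reason in analyze(SAMPLE_EVENTS):
        print(f"{ts} {user}: {reason}")
```

Run against the constructed events, this reports four findings: the lab vendor signing in at midday outside its overnight window, the billing vendor signing in without MFA, the billing vendor signing in from an address outside its allowlist, and an `svc-` account with no policy entry. The last case is the one to watch for in practice: it is exactly how a vendor account that was never added to the inventory shows up, and it only works if the allowlist and window for every vendor are written down somewhere the detection can read.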
The Holistic Approach to Risk Management
The conversation repeatedly circled back to the need for a holistic view of risk management. Integrating IT security within the larger risk management framework requires not just technological solutions but also strong executive support and inter-departmental communication. The panelists pointed out the need to involve finance, privacy, and other relevant departments in these conversations for a united front.
As threat actors grow more sophisticated, the panelists stressed that cybersecurity isn’t something you set up once and expect to keep working. It’s an evolving strategy that needs regular review to stay effective.
Balancing Security and User Experience
One challenge raised during the discussion was finding the right equilibrium between securing sensitive data and ensuring a seamless user experience. This balance is pivotal in healthcare, where the stakes include not just data privacy but also patient safety and care quality. The panelists argued for a pragmatic approach, where security measures are weighed against their impact on clinical operations and patient care.
Learning, Automation, and Validation
In an era where threats evolve rapidly, continuous learning and the adoption of automation were pinpointed as critical strategies. Validating identities and automating routine security tasks can free up valuable resources to focus on more complex challenges, enhancing the organization’s ability to adapt and respond to new threats.
Executive Support and Decision-Making
A recurring theme was the indispensable role of executive support in navigating third-party risks. IT decisions, especially those involving risk mitigation measures like shutting down systems or restricting access, require backing at the highest levels. Without this support, even well-intentioned policies can falter under operational pressures or internal resistance.
The Path Forward
The expert panel emphasized that improving security posture and reducing third-party risks in healthcare is not just about adopting new technologies or implementing stricter policies. It’s about fostering a culture of awareness, continuous improvement, and cross-departmental collaboration.
For HCOs looking to strengthen their defense against third-party risks, the insights shared by the panelists provide a valuable blueprint.
How Should Your Organization Manage Third-Party Risk?
- Conduct regular inventory of critical workloads.
- Tighten controls on support accounts and find ways to apply multifactor authentication (MFA) to all accounts.
- Elevate discussions about security risks and business continuity plans.
- Automate security responses and deploy countermeasures quickly based on threat intelligence.
- Practice disaster recovery and business continuity plans for critical systems.
- Understand third-party integrations and pivot as needed.
- Implement continuing education for executive management on the limitations of IT and the need for business continuity planning.
- Identify whether your organization has accumulated compliance debt, and identify the operational and financial resources required to achieve continuous compliance.
Additional Questions and Considerations: FAQ
What specific measures are healthcare organizations adopting to monitor and manage the security of their third-party vendors?
It’s a combination of technological solutions and strategic processes. Organizations typically use security ratings services to continuously assess the risk level of third-party vendors. These services provide ongoing insight into the security posture of vendors, enabling healthcare organizations to manage risks proactively. Additionally, regular audits and compliance assessments are common practice to ensure that third-party vendors meet the necessary security standards and regulations.
How are healthcare organizations balancing the need for rapid technological adoption with the inherent risks that come from increasing third-party integrations?
Healthcare organizations often employ a risk-based approach. This involves conducting thorough risk assessments before adopting any new technology or third-party service. By evaluating potential vulnerabilities and the impact of a security breach, organizations can make informed decisions about which technologies and vendors align with their security requirements. This strategic approach helps maintain a balance between innovation and security, ensuring that patient data remains protected while embracing advancements that can enhance care delivery.
What are some examples of successful third-party risk management frameworks in healthcare?
Some organizations have developed robust models that integrate comprehensive risk assessments, vendor audits, and continuous monitoring. Your organization may consider a tiered vendor management framework, where vendors are categorized based on the sensitivity and scope of the data they handle. This categorization allows organizations to apply more stringent controls and oversight to higher-risk vendors.
Moreover, these frameworks often include incident response plans and regular training for staff on the importance of third-party risk management, ensuring a well-rounded approach to securing external partnerships.
How do healthcare organizations conduct third-party risk assessments effectively?
Healthcare organizations can perform thorough third-party risk assessments using various methods. It’s crucial to align these assessments with your business objectives. Below are just a few examples:
- Define Assessment Criteria: Establish clear criteria for evaluating vendors, including security measures, compliance with healthcare regulations, financial stability, and reputation.
- Use Standardized Frameworks: Employ standardized risk assessment frameworks, such as the NIST Cybersecurity Framework, HITRUST CSF, or ISO/IEC 27001, to ensure a consistent and thorough evaluation process.
- Gather Comprehensive Information: Collect detailed information from vendors through questionnaires, on-site visits, and review of their security policies and procedures.
- Evaluate Security Controls: Assess the effectiveness of the vendor’s security controls, including encryption, access management, and incident response capabilities.
- Assess Compliance: Ensure that vendors comply with any relevant healthcare regulations, such as HIPAA, HITECH, and GDPR, as applicable.
- Ongoing Monitoring: Implement continuous monitoring of vendors to identify any changes in their risk profile and take corrective actions as necessary.
- Review and Update Regularly: Regularly review and update the risk assessment process to reflect new threats, changes in regulations, and lessons learned from past assessments.
What are the key components of a comprehensive third-party risk management program in healthcare?
A comprehensive third-party risk management program in healthcare can include the following:
- Risk Assessment Framework: Consider establishing a structured framework for assessing and managing third-party risks, including standardized criteria and processes.
- Vendor Inventory: Maintain an up-to-date inventory of all third-party vendors and their associated risks.
- Due Diligence and Onboarding: Implement a rigorous due diligence process for onboarding new vendors, including security assessments and compliance checks. If a vendor does not meet the necessary security requirements, do not onboard them.
- Contract Management: Develop clear contracts that define security requirements, compliance obligations, and the responsibilities of both parties.
- Ongoing Monitoring and Audits: It’s important to conduct regular monitoring and audits of vendors to ensure they maintain adequate security measures and compliance.
- Risk Mitigation Plans: It can be helpful to create and implement risk mitigation plans to address identified risks, including remediation actions and timelines.
- Incident Response: Establish an incident response plan that includes procedures for dealing with security incidents involving third-party vendors.
- Training and Awareness: Provide training and awareness programs for both internal staff and third-party vendors to ensure understanding of security practices and regulatory requirements.
- Communication and Collaboration: Foster open communication and collaboration with vendors to address security concerns and ensure alignment with organizational goals.
- Continuous Improvement: Regularly review and update the third-party risk management program to incorporate new best practices, address emerging threats, and comply with evolving regulations.
Join the conversation on how we can collectively advance our security posture in the face of evolving third-party risks.
Tune in for the replay.