Basics of Third-Party Risk Management in Healthcare

In today’s world, many businesses are mobilizing their workforces. More and more services are being outsourced to external organizations, and it’s no different in healthcare. But that process also entails many risks, as even the most careful company often can’t account for every loophole in its vendors’ defenses. That’s why third party risk management in healthcare is absolutely vital for everyone.

Let’s discuss.

 

Basics of Third Party Risk Management in Healthcare

There’s nothing truly “basic” about third party risk management. It’s one of the most intricate and complex methods of cybersecurity any company can employ. It’s also one of the most essential.

Third party risk management, sometimes called “3rd party risk management” or TPRM, is the suite of cybersecurity practices and structures that seeks to identify and mitigate the various vulnerabilities that third parties may pass on to you. Those third parties most often include:

• Clients 
• Vendors
• Partners
• Suppliers
• Contractors

A successful TPRM strategy accounts for all existing and potential weaknesses in the security of vendors, suppliers, and any third party that has access to your digital assets and networks.

Over the course of the following sections, we will break down what it looks like in healthcare by:

• First establishing the key elements of TPRM strategy
• Then specifying how to optimize TPRM for healthcare

It’s important to know how TPRM looks for any company before understanding how to best mobilize it for the specific purposes of a healthcare provider.

But first, let’s address the elephant in the room:

 

Why is Third Party Risk Management Essential in Healthcare?

Because of its vital importance to the country, world, and every person in it.

The healthcare industry is one of the biggest and most profitable in the world. It also harbors some of the most sensitive and valuable information that a hacker can get their hands on—namely, protected health information (PHI). PHI includes but is not limited to:

• Patients’ medical history and records
• Patients’ biographical information
• Patients’ financial information

These vital pieces of data can be used to wreak havoc on both the healthcare providers’ businesses and the very lives of the patients in question. Cybercriminals can engage in outright robbery or fraud, or choose to use sensitive information to exert a ransom.

Together, those factors make healthcare providers and adjacent businesses some of the biggest and most frequently targeted victims of cybercrime. And one of the biggest vectors of attack on healthcare providers is their various third-party vulnerabilities.

In targeted attacks involving third parties that spanned from the middle of 2018 to summer of 2019, hackers were able to compromise the data of up to 20 million Americans. The fact that payment pages were targeted is proof that healthcare companies need better TPRM. 

But what does effective third party risk management in healthcare look like?

 

Assess your Third Party Risk Management

 

How to Implement Third Party Risk Management in Healthcare

Third party risk management in healthcare builds upon the foundation of what it entails for any other industry. Every company should practice diligent TPRM strategizing, whether through internal means or by contracting external support. And while each company needs to find solutions that work for it specifically, there are baseline similarities shared by all TPRM.

Impactful third party risk management comprises two key components:

• Assessment – The gathering and analysis of data related to your third parties’ risks, which enables you to strategize and execute a plan to resolve them.
• Resolution – The implementation of short- and long-term measures to immediately eliminate exposure and safeguard against it moving forward.

Let’s take a deeper look at each, in detail.

 

Third Party Risk Assessment

Here’s where all the planning begins.

In the assessment stage, a company needs to collect information about any and all vendors it works with and that have access to the company’s digital assets and networks. In practice, that means making sure to cover the following bases:

• Identify all vendors, suppliers, and other third parties who access your resources
• Classify third parties according to internal governance and relationship to you
• Assess the landscape of all third party cybersecurity infrastructure
  • Identify both strengths and weaknesses
  • Note both existing and potential vulnerabilities
• Track all changes and to third parties’ cybersecurity, including but not limited to:
  • New hardware, software, or practices added
  • Removal of measures, resources, and personnel
  • Training and company culture regarding security
• Monitor vendors’ compliance with relevant regulatory standards

The most effective way to gather all of this information from your clients is through development and distribution of a…

 

Third Party Risk Questionnaire

The most essential part of the assessment stage, this is where you collect the relevant information from your vendors. Importantly, all self-reported data should also be double-checked for accuracy. Vendors may misrepresent information, intentionally or unintentionally.

Here are the key areas that your questionnaire needs to address, along with sample questions:

• Relationship to the vendor – The first step involves classifying the third party’s relationship to your company’s resources:
  • What is the nature of your relationship to the third party?
  • Does the vendor access your company’s digital assets? Which, and how?
  • Does the vendor access your company’s networks? Which, and how?

• Vendor organization – Then, you must establish information about the vendor’s own governance structures, particularly with respect to IT:
  • What is the chain of command in the vendor’s business? Who’s in charge?
  • Who in the vendor company is primarily responsible for IT decision making?
  • Are any IT services outsourced by the vendor? Which, and to what other party?
  • What particular regulatory standards must the company comply with?

• Vendor cyberdefense – Finally, you need to understand exactly what the vendor’s cybersecurity infrastructure looks like:
  • What overall network or perimeter security measures and practices are in place?
  • Does the vendor employ a zero trust architecture or cloud optimized systems?
  • Are basic practices like firewall protection and multifactor authentication used?
  • How often and thoroughly is employee training on cybersecurity conducted?
  • Does the vendor regularly perform penetration testing and other analysis?

It’s extremely important that the information gathered by your questionnaire is optimized for analysis and strategizing. That means that the information should be uniform and easily categorized. You might consider modeling the language of your questions on existing standards, such as compliance guidelines or security protocols established by bodies like the NIST or CIS.

Having a comprehensive set of data optimized for processing will facilitate the next stage…

 

Third Party Risk Solutions

Here’s where the action happens.

Assessment is only the first part of a successful TPRM strategy. It is arguably the most important part, because it sets the stage for eliminating any risks identified.

It’s vitally important that each company tailors its TPRM strategy to its own particular needs and means. However, there are some basic practices that form the backbone of all TPRM.

In the resolution stage, there are four main processes any company can rely upon:

• Onboarding – Assessment doesn’t only happen on existing vendors and other third parties; it can also be integrated into the process of building a relationship with a new strategic partner. You need to set expectations, ideally using your questionnaire.
• Immediate measures – When assessment identifies a risk, immediate action may be required to minimize exposure. These actions may need to be undertaken during or immediately after the assessment stage:
  • Temporary and indefinite suspension of vendor access to your assets
  • Temporary shut down or heightened security of particular affected networks
• Recovery of resources – Concurrently, any resources that may have been compromised need to be recovered and safeguarded. Per HIPAA, certain parties may need to be notified if a data breach has occurred (see below).
• Repair of defenses – Here, the vendor or other third party in question needs to be notified and must work toward repairing the weakness that created the risk. This process may involve your organization more or less, depending on your relationship with the vendor.
• Long term strategizing – Once the immediate threat of a risk has been resolved, you can decide how to move forward with (or without) the vendor moving forward:
  • Either re-integrate them, using a form of the onboarding process
  • Or, search for and onboard a new vendor to provide the same services
  • In either case, strategize to prevent exposure to risk in future relationships

These general best practices are widely applicable to the TPRM strategy of any company, regardless of industry and scale. And, while they are integral to a healthcare organization’s cybersecurity, there are also other measures necessary to tailor TPRM to healthcare.

 

Optimizing Third Party Risk Management for Healthcare

As we detailed above, healthcare providers have an outsized need for diligent TPRM. To that effect, it’s important to make sure that your TPRM strategy is tailored to your needs.

Right from the top, there’s onboarding. Given the incredible risks related to PHI and all data stored and processed by healthcare providers, onboarding is more important in this field than in any other. It’s not enough to conduct regular assessment of existing clients; instead, clients need to be screened extremely carefully upfront to minimize exposure to risks down the line.

Then, in the assessment and resolution stages, all healthcare professionals conducting third party risk assessment and management need to prioritize compliance. In the healthcare industry, that means two regulatory guidelines in particular:

• HIPAA – The Healthcare Information Portability and Accountability Act was passed in 1996 and first implemented in 2003. It standardized a wide range of security practices with respect to the storage, processing, and transmission of PHI. Four main pillars of compliance for you and your vendors are:
  • The HIPAA privacy rule, which requires specific safety measures that keep patients in control of their own data, disallowing sharing thereof without consent.
  • The HIPAA security rule, which necessitates both specific administrative care and physical and digital security measures wherever PHI is stored or transmitted.
  • The HIPAA enforcement rule, which specifies exactly what will happen in the event that an investigation uncovers a company’s failure to comply.
  • The HIPAA notification rule, which establishes a baseline requirement for notification of parties impacted by a breach. This rule is further specified by…

• HITECH – The Health Information Technology for Economic and Clinical Health Act was implemented in 2009 in order to further specify and strengthen the requirements of HIPAA. It builds on the enforcement rule above:
  • The HITECH breach notification rule specifies that all parties impacted by a breach, including patients, must be notified within 60 days of its occurrence. If more than 500 parties are impacted, the organization must also notify the Department of Health and Human Services within that same timeframe.
  • The HITECH minimum disclosure rule further restricts the usage and sharing of any and all PHI beyond what HIPAA previously allowed. 
  • The HITECH marketing compliance rule limits companies’ ability to sell PHI to marketing companies. Previously, HIPAA had allowed this highly lucrative practice, but HITECH restricts it to only those companies that manufacture medications used by the patients whose data they purchase.

Of course, any and all other regulatory compliance must also be accounted for. Companies that process credit card payments need to be PCI DSS compliant, for instance. And any vendors related to education may need to prove FERPA compliance.

 

Assuring Compliance and Cyberdefense Across Your Healthcare Network with RSI Security 

Here at RSI Security, we’re dedicated to helping healthcare providers with cyberdefense.

RSI Security’s broad suite of compliance advisory services is a one-stop shop for all your (and your vendors’) compliance needs. Our team of experts is well versed in everything from NERC CIP to PCI DSS compliance. Specifically, our HIPAA and HITECH compliance services make us the first and best option for healthcare providers—and your vast array of third parties.

But compliance is just one element of RSI Security’s third party risk management services. We offer robust assistance for every element of TPRM, from the very beginnings of onboarding and assessment to the entire planning and execution of your risk solutions.

To see just how powerful third party risk management in healthcare can be with the help of dedicated professionals, contact RSI Security today.