May 02 2023

4 Tips about Third-Party Risk Management in Healthcare

This strategy requires managing risk where providers may have little control.

Outsourcing has been a near-universal strategy for IT teams in every industry, and healthcare is no exception. From cloud-based data centers to outsourced call centers, these solutions allow teams to focus on supporting care delivery and leave nonstrategic IT tasks to specialists.

Though outsourcing can save money and deliver better service, it also means that players outside of your organization will be handling sensitive data and connecting to your network, making them a part of your security and risk management program.

Dealing with this responsibility means considering the risk that third parties pose. Third-party risk management shares some aspects of traditional risk management but also requires managing risk where you may have very little control. Here are four ways you can strengthen your TPRM.


1. Create and Maintain an Inventory of Partners

It seems obvious, but before you can manage the risk, you must identify it. That means identifying the third parties that may present a risk of data breach, compliance failure, unauthorized disclosure or system failure. When IT manages the relationship, identification is easy. However, the presence of shadow IT means that you may need to cast a wider net. Your purchasing department can be a key ally here, since most third parties are being paid.

However, don’t think that outsourcing is the only game in town. Software suppliers, even open-source ones, and on-premises Internet of Things devices must be included. If your environmental systems are all dependent on cloud-connected thermostats, what risks are you taking on if you can no longer control heating, ventilation and air conditioning in patient care areas?

2. Treat TPRM as an Ongoing Relationship

Cloud Software as a Service and Infrastructure as a Service providers will claim to have fully baked and experienced security programs that can feed into your own risk management. In reality, SaaS and IaaS have moved at the speed of the internet, and there’s still progress to be made in fully integrating with customers’ TPRM programs. 

Everyone is learning and gaining experience, which means that you need to keep in touch with your major partners to understand what’s changing on their end and how they are maturing and evolving their own security and risk management programs.

An important step here is to prioritize third parties: Identify the ones that present the biggest potential exposure and focus on those vendors, keep channels open, schedule annual workshops to learn what’s new and make sure that you fit in the big rocks first. 

Realize that third parties are already prone to feel questionnaire fatigue, which means you’ll get real answers and real insights only when you engage directly.


3. Holistically Integrate TPRM into Your Security Strategy

Healthcare uses the term “holistic” to define a more complete way to deliver patient care. Use some of these holistic principles and treat TPRM as just another flavor of risk management. Don’t consider third parties a special case: They need to be fully part of your risk management evaluation, reporting and mitigation plans. 

4. Be Proactive with Monitoring, Analytics and Escalation

Saying “TPRM monitoring is important” doesn’t solve the difficult problem of how to do monitoring, analysis and alerting on a third party’s infrastructure. But just because something is hard doesn’t mean it’s impossible. This will require ingenuity, exploration and even some experimentation as you discover what is available, then integrate it into existing risk management elements, such as your security information and event management system. Be discerning in what you use: Third parties often overwhelm with useless information, making it hard to dig out the useful nuggets.

