How to Approach Third-Party Risk Management
Many health systems are actively working to mitigate third-party risks, but some leaders may not fully comprehend the extent of the threat, says Alex Kaluza, a research analyst with Cloud Security Alliance. Or, he says, they may fail to act due to resource constraints, lack of expertise or the difficulty of managing multiple vendor relationships.
A comprehensive approach to third-party risk management may include vendor risk assessments, clear contract language governing data security, robust authentication and encryption, continuous monitoring and ongoing employee training, Kaluza says.
“Healthcare organizations have a strong motivation to address these risks, given the sensitivity of the data they handle and regulatory obligations they must comply with,” he adds. “There’s a difference between acknowledging the problem and addressing it efficiently, especially considering the complex processes of identifying, assessing and mitigating third-party risk.”
Decker is also chair of the Cyber Working Group for the Health Sector Coordinating Council, a coalition of industry associations that works closely with the U.S. Department of Health and Human Services. The group has made recommendations for practices that mitigate overall cyber risk (such as endpoint protection and IT asset management), as well as risk management practices specific to the supply chain (including rigorous contract practices and ongoing monitoring of third-party solutions). Both sets of practices, Decker says, are critical to protecting healthcare from third-party risks and identifying potential breaches.
Other important practices, as described in the Health Industry Cybersecurity Practices publication, which was developed in partnership with DHHS, include network segmentation; the implementation of robust business continuity and disaster recovery; lifecycle management that ensures third parties do not retain data or access after a relationship ends; and simply monitoring the news for cyber incidents at suppliers, Decker adds.
“Third-party risk management incorporates everything from two-factor authentication and business impact analyses to data loss prevention,” he says. “These are highly connected ecosystems.”
The Cloud and Remote Patient Monitoring Create New Risks
For years, many healthcare organizations were reluctant to adopt cloud solutions due to cybersecurity and data compliance concerns, says ChristianaCare CISO Anahi Santiago.
ChristianaCare includes three hospitals operating in Delaware and portions of bordering states. Although it has become largely impossible for hospitals and clinics to avoid working with cloud vendors, Santiago says, those concerns about introducing new risks into healthcare environments have not gone away.
“The adoption of cloud tools and services has increased exponentially,” she says. “That means we’re relying more than ever on third parties to conduct healthcare and business operations.”
ChristianaCare manages this risk through a mix of contract and assessment work, response plans, and monitoring and security tools, Santiago says. The organization has a “pretty mature” process in place for evaluating third parties, she adds. That process involves collecting policies, procedures, certifications and other documents from prospective partners and then working with internal teams on contractual terms that enforce specific cybersecurity practices.
If a third-party provider is involved in a breach, the organization reaches out to learn whether ChristianaCare data was involved and to understand how the vendor determined whether the organization was affected.
ChristianaCare also relies on tools that include continuous monitoring solutions, threat intelligence tools and contract management solutions.
“As we start to push out more care to the home with things like patient monitoring, that creates even more challenges,” Santiago says. “It’s critical for us to stay on top of third-party risk because a breach can have an effect on a patient’s health and well-being. In the healthcare space, the risk isn’t just about technology.”