Sep 06 2023

How to Manage Third-Party Risk in Healthcare Fearlessly

To mitigate the risks associated with third-party providers, healthcare organizations are investing in monitoring tools, drafting incident response plans and carefully evaluating contracts for security provisions.

Risk assessments of third-party providers in healthcare often begin and end with a look at how vendors store and transmit sensitive data. But that’s only one of several potential risks posed by third parties, says Intermountain Health CISO Erik Decker.

Vendors with access to hospital networks through VPN connections or other means present the risk that hackers could “ride” those connections to infiltrate sensitive systems, he says. And successful cyberattacks against vendors that provide mission-critical services — even something as simple as laundry — could severely impact an organization’s operations, whether or not data was breached.

“In healthcare, organizations still focus on data as the primary purpose for conducting a third-party assessment,” Decker says. “But if your third-party scheduling system goes down, that’s not an issue with protected health information. It’s a business operations issue. We need to look through that lens too when we’re thinking about third-party risk.”


How to Approach Third-Party Risk Management

Many health systems are actively working to mitigate third-party risks, but some leaders may not fully comprehend the extent of the threat, says Alex Kaluza, a research analyst with Cloud Security Alliance. Or, he says, they may fail to act due to resource constraints, lack of expertise or the difficulty of managing multiple vendor relationships.

A comprehensive approach to third-party risk management may include vendor risk assessments, clear contract language governing data security, robust authentication and encryption, continuous monitoring and ongoing employee training, Kaluza says.

“Healthcare organizations have a strong motivation to address these risks, given the sensitivity of the data they handle and regulatory obligations they must comply with,” he adds. “There’s a difference between acknowledging the problem and addressing it efficiently, especially considering the complex processes of identifying, assessing and mitigating third-party risk.”

Decker is also chair of the Cyber Working Group for the Health Sector Coordinating Council, a coalition of industry associations that works closely with the U.S. Department of Health and Human Services. The group has made recommendations for practices that mitigate overall cyber risk (such as endpoint protection and IT asset management), as well as risk management practices specific to the supply chain (including rigorous contract practices and ongoing monitoring of third-party solutions). Both sets of practices, Decker says, are critical to protecting healthcare from third-party risks and identifying potential breaches.

Other important practices, as set out in the Health Industry Cybersecurity Practices publication, which was developed in partnership with DHHS, include network segmentation; robust business continuity and disaster recovery capabilities; lifecycle management that ensures third parties do not retain data or access after a relationship ends; and simply monitoring the news for cyber incidents at suppliers, Decker adds.

“Third-party risk management incorporates everything from two-factor authentication and business impact analyses to data loss prevention,” he says. “These are highly connected ecosystems.”


The Cloud and Remote Patient Monitoring Create New Risks

For years, many healthcare organizations were reluctant to adopt cloud solutions due to cybersecurity and data compliance concerns, says ChristianaCare CISO Anahi Santiago.

ChristianaCare includes three hospitals operating in Delaware and portions of bordering states. Although it has become largely impossible for hospitals and clinics to avoid working with cloud vendors, Santiago says, those concerns about introducing new risks into healthcare environments have not gone away.

“The adoption of cloud tools and services has increased exponentially,” she says. “That means we’re relying more than ever on third parties to conduct healthcare and business operations.”

ChristianaCare manages this risk through a mix of contract and assessment work, response plans, and monitoring and security tools, Santiago says. The organization has a “pretty mature” process in place for evaluating third parties, she adds. That process involves collecting policies, procedures, certifications and other documents from prospective partners and then working with internal teams on contractual terms that enforce specific cybersecurity practices.

If a third-party provider is involved in a breach, the organization reaches out to learn if ChristianaCare data was involved and to understand how the vendor knows whether the organization was impacted.

ChristianaCare also relies on tools that include continuous monitoring solutions, threat intelligence tools and contract management solutions.

“As we start to push out more care to the home with things like patient monitoring, that creates even more challenges,” Santiago says. “It’s critical for us to stay on top of third-party risk because a breach can have an effect on a patient’s health and well-being. In the healthcare space, the risk isn’t just about technology.”


The portion of healthcare IT leaders who say that the number of cybersecurity incidents involving third parties is increasing

Source: “Third-party risk in healthcare: a continuing crisis,” Sept. 30, 2022

Why Virtual Care Solutions Need Scrutiny to Reduce Risk

The proliferation of third-party technologies adopted by healthcare organizations during the COVID-19 pandemic has exacerbated risk, says Matthew Webb, the former CISO of HCA Healthcare and currently chief product security officer for HealthTrust Purchasing Group.

“Telehealth has grown exponentially, and we’ve also seen caregivers leaving the field due to stress,” Webb says. “Organizations are incorporating tech tools that help them to both provide remote care for patients and bring in more remote workers. There are a lot of newcomers in the third-party space. It’s an interesting time to be in healthcare, and a challenging time.”  

Working with third parties requires healthcare organizations to think about risk in a different way, Webb says. Cornerstone cybersecurity solutions and practices remain important, but he notes that contract negotiations and standards alignment are among the most powerful levers available to healthcare organizations for managing third-party risk.

“We negotiate with suppliers, we conduct assessments, we’ve got our list of criteria and our security agreements,” Webb says. “We vet the products and services that the third parties are bringing into healthcare organizations.”

He says that industry standards and networks are critical to helping healthcare IT leaders stay on top of an ever-evolving third-party landscape.

“If you’re trying to bring in more third parties, you can’t keep up with it,” Webb says. “The technology changes so rapidly that even your questionnaire becomes stale.”


