Healthcare organizations must decide what to assess when reviewing a third party's risk posture. A security certification may provide sufficient visibility for some organizations, while others may require a questionnaire or due diligence documentation. Depending on the third party and the organization, there may be a variety of assessment options to consider.
Given these options, how do you know what your organization should evaluate? Let's examine what insights the different options provide and how your organization can benefit from them.
Using Security Assurances to Assess Vendors
Your healthcare organization may decide to accept a vendor's security assurance for review as an alternative to requesting a vendor risk questionnaire. Security assurances provide a quick way to understand your vendor's security posture, provided they have been authored by an independent and qualified source. Vendors are only certified when an independent third party reviews their security framework and determines that their maturity level warrants certification.
Several types of security assurances are available to your organization. Your vendor must provide you with a full report or certificate of certification for each assurance.
Different security assurances include:
- HITRUST Certifications (including the r2 Certification) verify that a third party meets HITRUST Cybersecurity Framework (CSF) requirements. A vendor that meets compliance regulations, such as Health Insurance Portability and Accountability Act (HIPAA) and has a strong security posture may qualify for this accreditation.
- ISO 27001:2013 is used to demonstrate a vendor's compliance with information security management programs. ISO 27001 isn't specific to healthcare, so it doesn't guarantee that a vendor is HIPAA compliant or adheres to HICP (Healthcare Industry Cybersecurity Practices). However, it can be used to evaluate the security posture of vendors who are not business associates and do not access, transmit, or store protected health information (PHI) for your organization.
- SOC 2 reports are the most common audit reports used to assess a vendor's security posture. A SOC 2 report is specific to information security and can assess any combination of the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Most healthcare organizations require a vendor to provide a SOC 2 report that, at a minimum, covers three of the Trust Services Criteria to ensure the vendor has a solid security posture that addresses compliance regulations such as HIPAA and the General Data Protection Regulation (GDPR).
Since ISO certifications and SOC 2 reports aren't healthcare-specific, vendors handling PHI or PCI data may also have to provide compliance reports. HIPAA compliance reports and PCI DSS reports, such as the Attestation of Compliance (AoC) or Report on Compliance (RoC) issued by a PCI Qualified Security Assessor (QSA), are often included as additional documentation.
Using Questionnaires to Assess Vendors
If a third party doesn't have security assurances, or your organization doesn't accept them, your healthcare organization can instead conduct its own third-party risk assessment. Using a questionnaire, you can evaluate the vendor against cybersecurity and information security control frameworks; the controls in those frameworks form the basis of the vendor questionnaire.
When creating the basis for your questionnaire, you should look at standard cybersecurity frameworks such as:
- HITRUST Cybersecurity Framework (CSF), which is a healthcare-specific security framework intended for use by HITRUST qualified organizations and HITRUST qualified individuals. Whether you can use the HITRUST framework as the basis of your questionnaire depends on your organization's affiliation with HITRUST.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which can be used to group technical controls into one of the framework's five functions (identify, protect, detect, respond, and recover) and to better understand a vendor's security posture in general security terms. NIST CSF-based questionnaires may not provide detailed insight into a vendor's security practices relating to privacy or supply chain, or into those required by HIPAA, PCI DSS, or GDPR.
- NIST SP 800-53 Rev. 5, which is the only set of security controls that can provide full visibility into a vendor's security posture and includes a comprehensive collection of security and privacy controls. Revision 5 also adds three control families that are not included in NIST CSF or HITRUST CSF: privacy risk management, supply chain protections, and cybersecurity program management.
- CIS Critical Security Controls v8, which provides a good way to check that security hygiene basics are in place when assessing a vendor and can be used as an alternative to other frameworks that may be too detailed. If you're evaluating vendors who are not business associates (with access to sensitive data) but must still demonstrate acceptable security measures, the CIS Controls can be used.
Depending on your organization's needs and your vendors, a single questionnaire may be used for all risk assessments. If several questionnaires are created, each can be based on a different framework.
Due Diligence Documentation to Verify Vendor Controls
In addition to having your vendor complete a questionnaire, you may want to request due diligence documentation to verify that certain controls are in place. When performing due diligence, your organization should request policies and procedures along with supporting evidence. These might include independent penetration testing reports, the vendor's use of multifactor authentication (MFA) tools, and employee security awareness training records. Your organization should also ask for financial reports to confirm the vendor's financial health, ESG policies, and proof of cybersecurity insurance.
Vendor risk assessments may require your organization to review additional policies and procedures that go beyond information security. Due diligence is key to gaining visibility into the risk that your vendor may present to your organization.
Sample due diligence documents include:
- Independent penetration tests (both internal and external systems)
- Multifactor authentication (MFA) requirements
- Employee security awareness training
- Business continuity/disaster recovery/resiliency policies and plans
- Financial reports (including SOC 1 audit reports)
- ESG policy
- Cybersecurity insurance
Knowing what to assess during a third-party risk assessment is key to gaining insight into your vendor's security posture and is the first step toward mitigating the risks to your healthcare organization's security. A thorough assessment of the vendor's security assurances, questionnaire responses, or due diligence documentation is essential for identifying possible risks and understanding the vendor's controls.