Because healthcare records contain so much personal information, the healthcare sector remains an attractive target for cyber attackers and data breaches. Third-party vendors with access to personally identifiable information (PII), protected health information (PHI) or other valuable data significantly increase that exposure: an attacker who cannot reach a hospital directly can often reach it through a vendor that holds its data or connects to its network. A healthcare organization must therefore ensure that the third parties supporting it and its supply chain are carefully assessed, managed and monitored to protect patients' PII and PHI. Effective third-party risk management is critical for reducing the likelihood and severity of cyberattacks and breaches, as well as the many other risks (operational, financial, regulatory and reputational) that come with using third-party products or services.
Why Third-Party Risk Management?
Healthcare is one of the world's biggest and most profitable industries, and PHI is some of the most sensitive and valuable information an attacker can obtain. Cybercriminals use stolen health data to commit identity theft and insurance fraud, or hold the data (and the systems it lives on) for ransom.
The following are examples of PHI:
- Patients' medical history and records
- Patients' biographical and demographic details (such as name, date of birth and address) when linked to their care
- Patients' financial information
In practice, healthcare organizations are frequently breached not through their own systems but through vulnerabilities in their third parties.
To manage this exposure, today's health organizations need an organization-wide third-party risk management policy and process. That process must be followed by every department when purchasing products or services, whether a new medical device or electronic medical records software. The policy, processes and activities should be standardized, documented and communicated throughout the organization. But before you design and execute your policy and process, you must understand why third-party risk management is so vital to healthcare organizations today, who is responsible and when specific activities must occur.
The What of Managing Third-Party Risk
For third-party risk management to be effective, you must first identify the risks to be managed. This can be achieved through the completion of an inherent risk assessment. From there, it’s essential to assess the risks and the third party's controls to mitigate those risks through due diligence. Once due diligence is complete, you can determine the level of risk after controls have been applied; the remaining risk is known as residual risk. If the residual risk is determined to be acceptable, your organization can conclude and execute a contract with the third party.
However, good third-party risk management doesn't stop when the contract is signed. Your organization must continually monitor the vendor to catch new or emerging risks and performance issues. This process is known as ongoing monitoring and should continue until the relationship with the vendor is terminated.
While these processes sound straightforward, there is much to know and consider to make sure third-party risk management is effective. Let's dive into each of these processes more.
Inherent Vendor Risk Assessments
Whenever an internal business owner (the department or individual requesting the purchase) indicates interest in a new product or service, it's essential to have them complete an inherent risk questionnaire to define the product and the risk it would introduce before any controls are considered.
Inherent risk questionnaires help your organization identify the risks associated with third-party products or services and determine a rating or level of risk for the third party. Inherent risk questionnaires can also help determine if a specific third party is critical to your operations.
Inherent risk questionnaires should ask whether any sensitive data from your organization or its patients will be accessed, processed, transmitted or stored by the third party. They should also address the level of access the third party will require to your network. Make sure there are questions about what security assurances the third party currently holds, such as a HITRUST or ISO certification, or independent audits, such as a SOC 2 report. NIST Special Publication 800-53 Rev. 5 catalogs security and privacy controls, and its companion SP 800-53B, "Control Baselines for Information Systems and Organizations," groups them into Low, Moderate and High impact baselines; these baselines can be used as a yardstick for which controls to expect at each risk level. Based on the rating scale used, your organization can assign either a quantitative (numeric) or qualitative (High, Moderate, Low) score to the third party's responses to the questionnaire. Your assessment team can use this score to determine the inherent risk the third party poses to your health organization.
Conducting Third-Party Risk Assessments
Once you have established a risk score, you can determine what information will be needed to validate appropriate controls. Will you just need to request that the third party share its security certification, or is more detailed information necessary? If more information is needed, an expanded vendor risk assessment questionnaire should be sent to the third party to complete. A third-party questionnaire should also follow a standardized framework, such as NIST SP 800-53 Rev. 5 or HITRUST, and the documentation and information requested from a third party should always be proportionate to the risk involved. The higher the risk, the more robust the information requests should be. Consider the case where a third party will be transmitting and storing your organization's PHI. In that situation, you should expect the third party to complete all questionnaire sections about information security, network security and privacy, and to return documentation supporting the answers provided. Questionnaire responses can be weighted to place emphasis on the controls that matter most for a given third party to have in place.
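The following added example shows one way to implement the weighted, tiered scoring described in the two sections above and to map the resulting tier to a proportionate due-diligence request. It is illustrative code written for this page, not Venminder's product or methodology: the questions, answer points, weights, tier thresholds, policy floors and evidence lists are all assumptions standing in for an organization's own policy, and the sample vendor answers are constructed.

```python
"""Weighted inherent-risk scoring for a third-party intake questionnaire.

Added illustration: the questions, weights, thresholds, policy floors and
evidence lists are assumptions standing in for an organization's own policy.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(str, Enum):
    LOW = "Low"
    MODERATE = "Moderate"
    HIGH = "High"


@dataclass(frozen=True)
class Question:
    qid: str
    weight: int              # relative importance of the question (assumed 1-5)
    options: dict[str, int]  # allowed answer -> raw risk points (0 = no risk)


# Constructed questionnaire; answer keys, weights and points are assumptions.
QUESTIONNAIRE = (
    Question("data", 5, {"none": 0, "pii": 2, "phi": 3}),               # most sensitive data handled
    Question("flow", 4, {"view_only": 1, "transmit": 2, "store": 3}),   # how that data is handled
    Question("access", 4, {"none": 0, "vpn_user": 2, "privileged": 3}), # network access required
    Question("outage", 3, {"none": 0, "degraded": 2, "halted": 3}),     # effect of an outage on care
    Question("assurance", 2, {"soc2_or_hitrust": 0, "self_attested": 2, "none": 3}),
)
MAX_POINTS = sum(q.weight * max(q.options.values()) for q in QUESTIONNAIRE)  # 54 here
HIGH_AT, MODERATE_AT = 65, 35  # assumed thresholds on the 0-100 normalized score


@dataclass(frozen=True)
class InherentRisk:
    score: int      # 0-100, weighted and normalized against MAX_POINTS
    tier: Tier      # qualitative rating derived from the score and policy floors
    critical: bool  # an outage of this third party would halt patient care


def score_inherent_risk(answers: dict[str, str]) -> InherentRisk:
    """Convert questionnaire answers into a score, tier and criticality flag.

    Fails closed: an unanswered or unrecognized answer raises instead of
    silently counting as zero risk.
    """
    raw = 0
    for q in QUESTIONNAIRE:
        answer = answers.get(q.qid)
        if answer is None:
            raise ValueError(f"question {q.qid!r} was not answered")
        if answer not in q.options:
            raise ValueError(f"question {q.qid!r}: unknown answer {answer!r}")
        raw += q.weight * q.options[answer]

    score = round(100 * raw / MAX_POINTS)
    if score >= HIGH_AT:
        tier = Tier.HIGH
    elif score >= MODERATE_AT:
        tier = Tier.MODERATE
    else:
        tier = Tier.LOW

    # Assumed policy floors: handling PHI or holding privileged network access
    # is never rated Low, regardless of what the arithmetic says.
    if tier is Tier.LOW and (answers["data"] == "phi" or answers["access"] == "privileged"):
        tier = Tier.MODERATE

    return InherentRisk(score, tier, answers["outage"] == "halted")


# Due-diligence evidence proportionate to the tier (assumed policy).
_BASE = ("current SOC 2 report or HITRUST certificate",)
EVIDENCE_BY_TIER = {
    Tier.LOW: _BASE,
    Tier.MODERATE: _BASE + ("information security policy",
                            "questionnaire: information security section"),
    Tier.HIGH: _BASE + ("information security policy",
                        "questionnaire: information security, network security and privacy sections",
                        "penetration test or vulnerability scan executive summary",
                        "evidence of compensating controls for any 'no' answers"),
}


def required_evidence(risk: InherentRisk) -> tuple[str, ...]:
    """Documentation to request during due diligence for this risk tier."""
    return EVIDENCE_BY_TIER[risk.tier]


if __name__ == "__main__":
    # Constructed sample: a hosted electronic medical records vendor.
    ehr = score_inherent_risk({"data": "phi", "flow": "store", "access": "vpn_user",
                               "outage": "halted", "assurance": "soc2_or_hitrust"})
    print(ehr.score, ehr.tier.value, "critical" if ehr.critical else "non-critical")
    for item in required_evidence(ehr):
        print(" -", item)
```

Two design choices are worth noting. The scorer refuses to rate a questionnaire with a missing or unrecognized answer, because a blank that silently scores as zero risk is exactly how a PHI-handling vendor ends up in the Low tier. And the policy floors sit on top of the arithmetic so that a low overall score cannot mask a single decisive fact such as privileged network access.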
Performing Third-Party Due Diligence
The due diligence process involves verifying that a third party has certain security practices and controls in place. During due diligence, a health organization may request that the third party provide specific documentation as proof of security controls. This documentation can include information security policies, compliance reports, security certifications, sample security training or testing reports, configuration screenshots and executive summaries of penetration tests or vulnerability scans. Suppose a third party indicated on the questionnaire that specific controls aren't in place. In that case, documentation verifying that compensating controls are used should be requested. A health organization's assessment team will need to collect and review this documentation to verify that the third party is at an acceptable risk posture per your organization's risk tolerance.
Determining Residual Risk
After analyzing the third-party risk questionnaire and the documentation provided during due diligence, it’s time to determine the residual risk of the engagement. Are the existing controls sufficient? Is more needed to bring the risk to an acceptable level? This analysis results in the residual risk of the engagement.
The residual risk formula:
Your organization will need to consider the residual risk carefully. Controls should reduce the level of risk a third party's solution would introduce to your health organization. Is the residual risk now acceptable, or do you need more or different controls to bring it within your organization's risk tolerance? Any controls your health organization still finds lacking will need to be addressed. Closing these gaps, either by implementing the missing security controls or by putting compensating controls in place, is known as mitigation.
Mitigation may be done by your organization, by the third party or by both. It can be as small as a few information security staff adjusting how the third party connects to your organization's network, or it can require extensive collaboration among several teams, including information security, IT and even legal, on both sides. Timing is important: assign a due date and an owner to each mitigation plan so the work is actually completed, and verify that it was before treating the risk as mitigated.
In the end, residual risk is either avoided (don't do it), transferred (by moving financial liability to another party via insurance or liability language in a contract), mitigated through the application of controls or accepted.
Execution of the Vendor Contract
The contract you have with your third party is one of the most potent risk management tools you have. Healthcare organizations must therefore review and negotiate contracts carefully to ensure that all required security and privacy measures are documented within the legal agreement. The contract and its service level agreements (SLAs) should cover essential items such as breach notification (including how quickly you must be told), maintenance of security and safety certifications, and your organization's right to audit the third party. Other essential provisions, such as limits of liability and required insurance types and amounts, should also be included.
Remember that once a contract has been executed, it shouldn’t be merely filed away until time for renewal. The contract must be managed to ensure that all SLAs are met and that the third party performs according to contracted expectations.
When it’s time for renewal, it’s essential to provide ample time for renegotiation or to find a suitable replacement third party if the contract is to be terminated.
Ongoing Vendor Monitoring
Considering the rapidly expanding threat landscape, continuously monitoring a healthcare organization's third parties is essential. Regulations are rapidly changing and cyber attacks evolve and become more sophisticated every day. Monitoring takes two forms, formal periodic reassessment and continuous real-time monitoring, both of which are necessary to manage third-party risk effectively.
It's essential for healthcare organizations to establish a process that requires third parties with elevated risk to undergo formal risk reassessment and due diligence. The inherent risk questionnaire is reviewed and updated to capture any new or emerging risks. The third party is required to refresh its risk assessment questionnaire and submit any updated certificates or due diligence documentation. And just as with initial due diligence, there must be a formal assessment of controls and residual risk. This should occur at least annually for the highest-risk third parties. Healthcare organizations must establish and document the intervals and requirements for these reassessments and schedule the reviews accordingly.
Continuous Real-Time Monitoring
New and emerging risks don't follow a schedule, so it's vital to keep watch over your vendors between formal reassessments. Some organizations rely on search-engine news alerts about their third parties, but this approach has limited effectiveness. Many risk alert and monitoring services now specialize in tracking a third party's actual risk posture and can alert an organization as soon as negative information is discovered. Healthcare organizations are strongly encouraged to use such services, because data breaches and cyber attacks can devastate the business and its patients.
The Who of Managing Third-Party Risk
For a health organization, managing third-party risk is an organization-wide process that draws on individuals from multiple departments. Assessing and managing third-party risk requires participation from your information security, compliance, IT, legal and financial teams, as well as from the third party itself.
Health organizations with a GRC (Governance, Risk & Compliance) team will often have this specific group conduct vendor risk assessments and oversee the management of third parties. Other health organizations will appoint specific information security analysts responsible for everything third-party-related. Your information security personnel will have the cybersecurity technical knowledge needed to assess security controls and information security policies. Moreover, they’ll be familiar with the healthcare threat landscape and how a third-party solution, such as a medical device, can introduce specific threats to your organization. However, just because the information security department oversees third-party risk management doesn't mean it's the only department involved. Remember, the "who" includes members from several departments and business and system owners.
Those who intend to purchase the third party's services or products are also key players in the assessment and management process. The relationship a business owner has with their third party is essential for effective communications that facilitate the risk assessment process. Risk assessment may even involve third parties hired by the health organization to perform document collection and vendor risk reviews.
Communication is essential regardless of the stakeholder's role in the risk assessment and decision-making process. Assign roles and responsibilities to each process step, then develop procedures for that process. Make sure everyone has a copy of the process and understands what is required of them.
The When of Managing Third-Party Risk
Timing is essential when managing third-party risk, and the various activities must be conducted in a specific order. Here is a recap of when to perform each activity:
Inherent Risk Assessment
- At the beginning of the engagement, before due diligence
- Periodically with intervals determined by the risk of the engagement
- Inherent risk assessments are also recommended when there are regulatory changes, performance issues or material changes in the third party's organization (e.g., merger or acquisition)
Due Diligence and Risk Reassessment
- After the inherent risk assessment has been completed, risks have been identified and a risk level or rating has been determined
- Periodically as part of formal risk monitoring and reassessment
- When there are regulatory changes, performance issues or material changes in the third party's organization (e.g., merger or acquisition)
- Due diligence must always be completed before executing or renewing a contract
Contract Execution and Renegotiation
- After the completion of due diligence and the determination that residual risk is acceptable
- Well ahead of any vendor deadline. Contracts often need to be signed by a particular date for a discount or end-of-year special to apply, and if a third party's residual risk turns out not to be within your organization's risk tolerance, you may have to start your search for a solution all over again. Allow ample time for risk assessment (or reassessment) and completion of due diligence before heading toward contract execution or renegotiation.
Ongoing Vendor Monitoring
- Periodically as part of formal risk monitoring and reassessment
- Continuously by way of negative news alerts, industry news alerts, regulatory changes, and risk monitoring and alert services
There are many types of third-party risk health organizations should be managing, including regulatory, cyber, financial and reputational. However, learning how to manage third-party risk is crucial to making business decisions. Knowing the why, what, who and when of third-party risk management will help your health organization make confident business decisions by gaining transparency into third parties' security practices and help to protect your organization and its patients from unnecessary risk.