Tackling Third-Party Risk Management (TPRM) Challenges In Healthcare
Third-party risk management (TPRM) is a crucial component of any healthcare organization’s security and compliance programs.
The majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors, signaling a need for better third-party risk management (TPRM) practices in the industry.
However, healthcare security experts know that improving this process is not an easy task. Healthcare organizations are constantly onboarding new vendors and conducting risk assessments in a process that is often manual and very time-consuming.
Current TPRM strategies may need an update as the healthcare vendor ecosystem continues to expand. But before we can improve these processes, it is important to get back to basics. In the following sections, HealthITSecurity will discuss what a third party looks like, dive into ongoing TPRM challenges, and offer some risk management best practices.
What is a Third Party?
“Third-party risk and supply chain risk are really interesting inside of the healthcare space, and that's because of the diversity of the types of third parties and suppliers that healthcare organizations work with,” Alla Valente, senior analyst at Forrester, explained in an interview with HealthITSecurity.
“There's a whole physical supply chain of everything from saline bags to syringes to hospital gowns and all the other things that you need to be able to deliver patient care. Also, healthcare increasingly relies on technology for diagnostics and therapeutics.”
Behind the scenes of any health system, a network of vendor relationships keeps the organization supplied with the materials and technologies they need to care for patients.
In addition to medical device suppliers, cybersecurity vendors, and other services, Valente stressed the importance of “non-traditional third parties.”
“For example, if you are a healthcare organization and you have visiting doctors that are not technically employees, are they third parties?” Valente inquired. “Yes, they are.”
Large hospitals may operate research facilities that host researchers, postdoctoral fellows, and others who are not technically employees of the organization but still have access to sensitive data. Nursing students, contractors, and other non-employees would likewise be considered third parties.
Processes for managing the risk of non-traditional third parties will naturally look different from those for managing vendor risk, but every one of these parties must be accounted for.
Third-Party Risk Challenges in Healthcare
Even as healthcare organizations continue to outsource key functions to third-party vendors, risk management remains a challenge.
In fact, 60 percent of surveyed healthcare organizations admitted that their third-party risk management and compliance strategies could use some improvements, Kiteworks revealed in a 2022 report.
The Cloud Security Alliance (CSA) offered several reasons why TPRM programs may not succeed in healthcare:
- The lack of automation and reliance upon manual risk management processes makes it difficult to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.
- Vendor risk assessments are time-consuming and costly, so only a few organizations are conducting risk assessments of all vendors.
- Critical vendor management controls and processes are often only partially deployed or not deployed.
CSA noted that the number of vendors that deal with sensitive data has increased, leading to increased complexity when it comes to data stewardship, access management, and other considerations.
At the HIMSS Healthcare Cybersecurity Forum, held in Boston in December, panelists brought up similar concerns, citing the lengthy and time-consuming nature of managing third-party risk assessments on a transaction-by-transaction basis.
Valente pointed to the pandemic as a big catalyst for change in the TPRM space.
“You’re faced with this mass global pandemic and a few things happen. One is all of a sudden you are forced into this digital transformation because you need to be able to deliver patient care virtually, which then adds this other layer of risk exposure,” Valente noted.
“We saw a lot of healthcare organizations rushing to implement technologies to be able to do that without necessarily considering the security and risk implications of it.”
Now, a few years into the pandemic, it is too late to “put the genie back into the bottle,” Valente continued. As healthcare organizations continue to expand their vendor ecosystems, new risks will naturally arise.
“They have much more technology than they ever did because they were forced into this digital space,” Valente reasoned.
“So now you're working with more suppliers, which means that every one of them is a conduit for possible risk exposure.”
Threat actors are well aware of this, and third-party data breaches have increased accordingly.
Third-Party Risk Management Strategies
“The first thing we need to remember is third-party risk management is a life cycle,” Valente said.
“Ideally, as a best practice, the first thing you need to do is have an accurate inventory of all of your third parties, not just the software providers, not just the IT services providers, but really classify them into the technologies, the suppliers, and also these non-traditional ones, because you need to understand where those sources of risks are.”
In addition to maintaining an accurate inventory, Valente recommended that organizations conduct a thorough risk assessment before signing a contract.
“When we purchase a house, we get to do a walkthrough before we sign, not after, because if there's anything that's wrong with it or it's not as described, we can then either take steps to remedy it or just walk away from the deal,” Valente suggested.
The entire lifecycle of a third-party relationship also includes offboarding and de-provisioning, Valente emphasized. It is important to communicate with security when a nursing student no longer needs access to systems, for example, or when a vendor contract has ended.
Another key component of TPRM is re-assessing vendors. Unfortunately, it can be difficult to revisit existing vendors if teams are already stretched thin with incoming vendor assessments.
Valente recommended that organizations implement continuous monitoring and automation to streamline the process. Monitoring and automation can help organizations prioritize key risk management areas and know which vendors need to be reassessed and when.
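The lifecycle Valente describes (inventory and classify every third party, including non-traditional ones; assess before access is granted; reassess on a cadence driven by risk; de-provision when a contract or rotation ends) is easy to state and hard to keep current by hand. The following is an added example, not code from HealthITSecurity, Forrester, or any TPRM product, of the minimal automation that makes those checks repeatable: a small inventory model with a risk tier, a reassessment queue ordered by tier and overdue date, and an offboarding check for access that outlived its end date. The record fields, the three tiers, the review cadences (180/365/730 days) and the sample inventory are all assumptions constructed for illustration.

```python
"""Third-party inventory with risk-tiered reassessment and offboarding checks.

Added example, not code from the original article or from any vendor.
Field names, tiers, cadences and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed reassessment cadence per risk tier, in days.
# Tier 1: handles PHI. Tier 2: system access but no PHI. Tier 3: neither.
REASSESS_DAYS = {1: 180, 2: 365, 3: 730}


@dataclass
class ThirdParty:
    name: str
    category: str                    # software, it_service, device_supplier, physical_supply, non_traditional
    handles_phi: bool                # touches protected health information
    has_system_access: bool          # holds credentials or network access
    last_assessed: Optional[date]    # None means never assessed
    access_end: Optional[date] = None    # contract end / rotation end; None = open-ended
    access_revoked: bool = False         # set when security has de-provisioned the party


def risk_tier(tp: ThirdParty) -> int:
    """Classify by impact, not by category: a nursing student with chart access is tier 1."""
    if tp.handles_phi:
        return 1
    if tp.has_system_access:
        return 2
    return 3


def reassessment_due(tp: ThirdParty, today: date) -> date:
    """Next assessment date; a never-assessed party is due immediately."""
    if tp.last_assessed is None:
        return today
    return tp.last_assessed + timedelta(days=REASSESS_DAYS[risk_tier(tp)])


def reassessment_queue(inventory: List[ThirdParty], today: date) -> List[str]:
    """Active parties due or overdue, highest tier first, then longest overdue."""
    due = [tp for tp in inventory
           if not tp.access_revoked and reassessment_due(tp, today) <= today]
    due.sort(key=lambda tp: (risk_tier(tp), reassessment_due(tp, today)))
    return [tp.name for tp in due]


def offboarding_actions(inventory: List[ThirdParty], today: date) -> List[str]:
    """Parties whose access end date has passed but whose access was never revoked."""
    return [tp.name for tp in inventory
            if tp.has_system_access and not tp.access_revoked
            and tp.access_end is not None and tp.access_end <= today]


def unassessed_with_access(inventory: List[ThirdParty]) -> List[str]:
    """Parties granted access before any assessment: the walkthrough happened after signing."""
    return [tp.name for tp in inventory
            if tp.has_system_access and not tp.access_revoked and tp.last_assessed is None]


# Constructed sample inventory (not real organizations or vendors).
TODAY = date(2023, 1, 10)
INVENTORY = [
    ThirdParty("EHR hosting vendor", "software", True, True, date(2022, 1, 15)),
    ThirdParty("Telehealth platform", "software", True, True, None),           # rushed in, never assessed
    ThirdParty("Saline supplier", "physical_supply", False, False, date(2021, 6, 1)),
    ThirdParty("Nursing student cohort, fall 2022", "non_traditional", True, True,
               date(2022, 9, 1), access_end=date(2022, 12, 16)),              # rotation ended, access still live
    ThirdParty("Visiting cardiologist", "non_traditional", True, True, date(2022, 11, 1)),
    ThirdParty("Imaging device service contractor", "device_supplier", False, True, date(2021, 12, 1)),
]

if __name__ == "__main__":
    print("Reassess (in order):", reassessment_queue(INVENTORY, TODAY))
    print("De-provision now:", offboarding_actions(INVENTORY, TODAY))
    print("Access without assessment:", unassessed_with_access(INVENTORY))
```

Run against the sample inventory, the queue puts the two PHI-handling software vendors ahead of the tier 2 device contractor even though the contractor has been overdue longer, the nursing cohort surfaces as a de-provisioning action because its rotation ended in December, and the telehealth platform is flagged as having access with no assessment on record. In a real program the inventory would be fed from the contract system and the identity provider rather than a literal list, and `access_revoked` would be confirmed from the IdP, not from a field someone remembered to set.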
As healthcare organizations continue to digitally transform and bring new third parties on board, TPRM should remain top of mind. Improving and streamlining TPRM takes time, but it can greatly reduce risk in the long run.
“When we think about cybersecurity, we think of it as in response to something that has happened or perhaps preventative to avoid a breach. But cybersecurity is also strategic in that it impacts patient experience. If I want to go see a provider or if I'm getting a procedure done, I need to be able to trust that you're not going to be sharing my private, sensitive, confidential information,” Valente added.
“By removing that friction, you're ensuring access to life saving care, and that's really important.”