Getty Images

3 Best Practices For Maturing Healthcare Third-Party Risk Management

Panelists discussed top third-party risk management challenges and best practices at the HealthITSecurity Virtual Summit.

Third-party risk management (TPRM) remains a significant challenge for healthcare organizations of all sizes, as exemplified by the high volume of third-party data breaches reported to HHS in 2022.

As healthcare organizations continue to expand their network of vendors, existing TPRM strategies are falling short, experts at the 3rd Annual HealthITSecurity Virtual Summit articulated during a panel session.

“Our teams are not only being asked to know, internally, what our risks are and how to address them, but now we're asking them to know what our partner's risks are and how specifically to address them in our space, which is considerable,” said Monique Hart, chief information security officer and executive director of information security at Piedmont Healthcare.

“Today, we are looking at poor assessment strategies that don't support actual remediation, long inefficient turnaround times, questionnaires that aren't tailored to the specific environment, inconsistent results from analyst over-reliance on technology or external data, and maybe ineffective, inefficient vendor customer communication. That brings a whole lot of challenges.”

Solving these problems is not easy. That was the consensus from Hart and co-panelists Dee Young from UNC Health, Phil Englert from Health-ISAC, Inc., and Ryan Blaney from law firm Proskauer. Throughout their discussion about TPRM obstacles, the experts offered several best practices for maturing the TPRM process that healthcare organizations can begin adopting today.  

Set Vendor Expectations From the Start

Establishing a strong relationship with prospective vendors from the start is crucial, panelists suggested. A clear and concise contract is a key step in obtaining security assurances and maintaining transparency and collaboration throughout the vendor relationship.

“You should be able to look at your regulations, develop something that's repeatedly usable, and then update it as the industry changes,” Hart noted regarding contract language.

A clear-cut contract will help organizations manage risks upfront and determine if and how the vendor will be interacting with sensitive data.

“Vendor partners often operate in multiple sectors, so they don’t always have an appreciation for HIPAA, and HIPAA is complex,” added Englert, Health-ISAC’s director of medical device security.

As a vendor, gaining a healthcare organization’s trust means having an in-depth understanding of the complex patchwork of security and privacy regulations that impact the sector at the state and federal levels.  

“What I'm also trying to encourage with our vendors, especially our key medical device vendors, is more of a partnership than an adversarial relationship,” said Dee Young, chief information security officer at UNC Health.

Establishing vendor expectations, crafting a concise contract, and maintaining open lines of communication can help healthcare organizations and their vendors collectively manage risk.

Adopt a Risk-Tiering Approach

“Implement a risk-tiering strategy that drives frequency of reviews and the extent of due diligence,” Hart advised. “That is really important, especially around the urgency of remediation and working to reduce redundancy.”

In other words, healthcare organizations should establish a formal risk-tiering process that quantifies the level to which the third party may expose the organization to risk. The higher the risk tier, the more effort it may take to conduct risk assessments and obtain security assurances. Additionally, Hart suggested that organizations develop metrics to relay these risks to the executive team.

“It's one thing to say we have high, medium, and low risk,” Hart said. “It's another thing to say that these are the vendors that have been impacted over the last quarter. This is what it specifically means to our organization. This is how it will impact our employees and our patients going forward, and maybe even our brand.”

Adopting a risk-tiering approach can help healthcare organizations increase the maturity of their TPRM programs as a whole.

“What we're trying to do is mature the life cycle. What I mean by that is, we've gotten very good at managing risk at our front door by doing third-party risk assessments as we are purchasing devices,” Young said.

“However, I think most of healthcare needs to start looking at the lifecycle of that device, that product, or that vendor relationship, and really start assessing. Has their risk profile changed? Have they had a breach that you weren't notified of? Are there more vulnerabilities than you're aware of? That's really where the industry is going, really looking at that entire lifecycle.”

Practice Your Incident Response Plan

Even with a mature TPRM program in place, organizations must remain prepared for the event of a breach. It is crucial to maintain communication with third-party vendors and activate an incident response plan as soon as an incident is discovered.  

“From a legal perspective, hopefully, the client has prepared well in advance of any security incident,” said Blaney, head of the global privacy and cybersecurity group and a partner in the healthcare practice at Proskauer.

“Maybe they have conducted tabletop exercises, and they already have their roadmap of incident response that they can turn to in a moment of crisis when time is of the essence and you’re trying to understand facts quickly.”

The incident response process requires input from internal security, privacy, and legal teams, as well as communication with the vendor that has experienced the incident.

Young noted the importance of tabletop exercises in helping to communicate to leadership how security incidents can impact business continuity and patient safety. With this mindset shift, organizations can be better prepared for the downstream effects of a data breach.

“But even with all that preparation, the reality is that every incident is going to be unique, and it's going to be dependent on the facts and circumstances,” Blaney continued.

As the healthcare sector continues to fall victim to data breaches, new approaches must emerge to meet security demands, both from the healthcare organizations themselves and their third-party vendors.

To learn more about Xtelligent Healthcare Media virtual summits, visit our event page.

Next Steps

Dig Deeper on Cybersecurity strategies