Getty Images
Healthcare Organizations Deprioritize Third-Party Risk Management
Organizations spanning a variety of industries reported being cognizant of third-party risks, but many fail to develop effective third-party risk management practices.
Organizations across all sectors constantly share confidential information with third parties, but current third-party risk management strategies may leave organizations extremely vulnerable to security incidents, according to a study conducted by Forrester Consulting on behalf of CyberGRX.
Researchers surveyed IT and security professionals from the retail, oil and gas, technology, financial services, and healthcare industries and discovered that while organizations recognize third-party risks, many fail to successfully mitigate them.
Over 82 percent of respondents reported recognizing that third-party threats exposed their organizations to risk, only half of respondents said that their organizations actually prioritize those risks. Over the next five years, respondents estimated that their organizations will share approximately 41 percent of critical data with third-party entities.
Organizations that have already been impacted by third-party cyber incidents expressed a higher level of concern about risk management, but they also tend to share more of their critical data with third-party entities than organizations that have never faced a cyber incident.
“Organizations need to approach third-party risk with a new holistic, ecosystem-focused, and cybersecurity-focused strategic mindset,” the study suggested.
“This includes updated third-party assessment analysis, standardized processes, and higher-quality technology solutions.”
Survey results revealed that organizations view third-party risks differently than other types of cyber threats. Current risk management practices are often insufficient in preventing cyberattacks, and many organizations fail to thoroughly assess third-party vendors prior to signing contracts.
“Organizations struggle to manage third-party risk programs for various reasons, but one of the main challenges is a slow and cumbersome assessment process,” the study explained.
“Assessments are typically lengthy to complete and often lack the critical information necessary to make a sound decision on vendor suitability.”
In healthcare, third-party business associates are increasingly becoming targets for cyberattacks. A recent attack on Lehigh Valley Health Network in Pennsylvania exposed protected health information (PHI). Renaissance Life & Health Insurance Company of America also faced a third-party data breach recently that exposed patient information.
Without properly vetting third-party business associates, healthcare organizations may be unknowingly jeopardizing patient information and leaving sensitive data in the wrong hands.
The study recommended that organizations conduct thorough assessments of third-party vendors and leverage all available data to ensure supply chain security. Transparency, communication, and regular risk assessments are crucial to maintaining cyber hygiene in any industry.
“Communication among all parties is a critical piece of third-party cyber risk management. Your protection is only as strong as your weakest link,” the study emphasized.
“Break down existing siloed processes to ensure business stakeholders and IT/risk management decision-makers are in tune with each other. These units operate independently and often make decisions without consulting each other, but a robust security strategy requires consistency and collaboration among these teams.”
Researchers urged organizations to not only recognize the risks associated with engaging with third-party vendors, but to prioritize investments in risk mitigation and prevention.