Managing Third-Party Risk in Healthcare

Posted Posted on
managing third party risk in healthcare_blog header

For many industries, it has become common place for services to be outsourced to external organizations, and healthcare is no exception. While this process can be significantly more efficient, this support mechanism entails additional third-party risks which even the most vigilant company cannot always account for.  Whether tasked with managing third-party risk in smaller healthcare facilities or expansive hospitals and research centers, IT and security professionals worldwide face similar challenges when equipped with insufficient tools and processes. In a continuously evolving landscape of security frameworks and risks, effective third-party risk management is quickly becoming a priority. 

Third-Party Risks 

Over the last decade, there has been roughly 2550 healthcare data breaches targeting millions of records. of which, 30% of all the large data breaches target Hospitals, with 34% of all data breaches occurring from unauthorized access or disclosure.  

Let’s look into this more closely… 

Even when security measures are implemented by healthcare institutions, there are still many third parties with access to users’ data. In 2019, a data breach of the American Medical Collection Agency (AMCA), a bill collection service provider, exposed the data of 20 million patients of Quest Diagnostics Inc., Laboratory Corporation of America Holdings, and OPKO Health, Inc.  

There’s more. A research report conducted by Ponemon Institute indicated vendor risks costs $23.7 billion annually. The research also shows that about 72% of the respondents believe that relying on third-party internet-based medical devices is risky. While these statistics may come as a surprise to some, it is evident that third-party risk management can be improved across the industry. 

There are many ways vendors render themselves vulnerable to data breaches, potentially exposing personally identifiable information. Some scenarios are given below: 

  • Poor access control across vendors 
  • Failure to assess risk 
  • Weak data protection controls such as encryption, hashing, etc. 
  • Lack of awareness regarding system activity – leading to delayed breach notifications 
  • Lack of training  
  • Failure for managing change 
  • Failure to implement vulnerability patches 

Now as an Information Security officer responsible for the security and integrity of your organization, how can you go about managing third-party risk as a healthcare provider? 

Third-Party Risk Management 

Third-Party Risk Management (TPRM) is defined by the Information Systems Audit and Control Association (ISACA) as “The process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.” 

The goal of TPRM is to provide healthcare organizations with a system to perform effective due diligence across their complete vendor ecosystem. A successful TPRM strategy accounts for all current and potential weaknesses in your vendors, suppliers and any additional third party with access to your systems. For developing or improving an existing TPRM, below are some steps you can follow: 

  1. Onboarding – TPRM does not only apply to existing third-party vendors but also to any prospective business relationships. This is usually done with third-party questionnaires to help set expectations and smooth operations going forward.  
  1. Determine Risk Criteria – Determine the risk appetite and risk tolerance of your healthcare institution. Risk appetite is the level of risk your institute is willing to accept. Risk tolerance is the acceptable variations in the performance measures outcome. This is usually measured with PHI security and compliance risks. 
  1. Vendor Classification – Vendors should be classified based on what they are offering to the institute. This helps simplify assessments and enables faster response. It also helps prevent assessment fatigue by reducing the burden on the IS team. The classification also helps narrow down the data that can be accessed by the third parties (law of least privilege). 
  1. Risk Assessment – This can be done on-site or with questionnaires. The first method is more accurate and is recommended for High-risk vendors. 
  1. Addressing the risks – Once an assessment is complete, you should work together with your vendor to derive a corrective action and remediation plan. A system or process should also be put in place to track progress. 
  1. Breach Notification – Timely breach notification can enable recovery of the compromised resources, or prevent further damage and fortify existing mechanisms. You should make sure to add such a clause to the third-party contract or policy. 
  1. AutomationA research study on the impact of TPRM in healthcare conducted by the Ponemon Institute shows that 2/3 respondents believe that current manual processes for risk management cannot keep up with cyber threats, while 63% believe they cannot keep up with the proliferation of digital applications and devices. Automating manual processes and the vendor lifecycle eliminates redundancies and potential error, delivering more accurate risk assessments, faster audits, and reduces the burden of TPRM for healthcare providers. 
  1. Utilize framework for managing Risks and Personal Data – Implementing these mechanisms and controls is one piece of the puzzle, but you also have to show compliance to the security frameworks for demonstrating secure operability of healthcare institutes. These frameworks vary from region to region, and even though it may not be an international requirement, they are recognized and accepted for basic security in healthcare. 

Information Security & Compliance Frameworks 

Information security frameworks and regulations intend to provide a set of best practices for healthcare organizations in order to implement risk-based controls and mitigate cyber threats. The frameworks assist organizations in answering the following questions 

  1. What is our current security posture and gaps? 
  1. What security maturity level we want to achieve? 
  1. What controls do we need to implement? 

The frameworks ensure a uniform security infrastructure is implemented by organizations in order to protect personal health information. Below are some examples of those frameworks. 

Healthcare Information Portability and Accountability Act (HIPAA) 

A well-known US-based framework, HIPAA defines a standardized range of security practices for processing, storing, and transmission of PHI. It applies to healthcare providers, health plan providers, healthcare clearinghouses, and (thanks to HITECH Act) business associates. 

  • The Privacy Rule ensures the protection of PHI and patients’ medical records. It limits the usage and processing of the data and prevents disclosures without the patient’s consent. 
  • The Security rule defines the procedures and standards for the protection of PHI in processing, storage, transmission, or accessibility. 
  • The Transaction rule defines the code sets and transactions to ensure the safety, integrity, and security of PHI. 

HIPAA also has an enforcement and notification rule, that is derived from HITECH ACT, which was implemented in 2009 to further specify requirements of HIPAA. 

The Health Information Technology for Economic and Clinical Health Act (HITECH) 

The goal of HITECH is to develop IT in the healthcare sector. It expanded on the existing rules and laws of HIPAA to fortify healthcare security and ensure stricter enforcement. Some notable rules are: 

  • The enforcement rule contains provisions for compliance, violations, and the imposition of penalties accordingly. It applies to violations that have occurred before, on, or after the compliance date i.e. February 18, 2015. 
  • The breach notification rule specifies that notifications must be issued to all parties covered by HIPAA impacted by a breach within 60 days of its occurrence 
  • The minimum disclosure rule restricts the usage, processing, and sharing of all PHI beyond what was previously allowed by HIPAA. 

Payment Card Industry Data Security Standard (PCI-DSS) 

Most hospitals now provide services for card payment and, therefore must comply with PCI-DSS. It is a widely accepted standard to ensure that companies provide a secure environment for any transaction utilizing the card holder’s information. 

ISO-27001 

It provides a framework for developing and managing an Information Security Management System based on risk assessment. ISO 27001 is applicable to any organization and is considered a gold standard in Information Security best practices. For the healthcare sector, it can be integrated with implementation guidelines like ISO 27799 which is the implementation guideline for 35 controls of the ISO 27001 Annex A. It is relevant for all organizations that offer services in healthcare. 

ISO-13485  

It defines a quality management system (QMS) for medical devices. It ensures that organizations maintain their standards of quality while keeping patients’ data risks in account.  It can be utilized in conjecture with ISO 27001 as some of the clauses are reused. 

NIST-Cyber Security Framework (CSF) 

It is a framework established to enable organizations better understand, improve and manage their cybersecurity risk. It is not specifically designed for the healthcare sector but can be utilized as a cohesive framework for implementing a comprehensive security program. Compared to the heavily regulated HIPAA and HITECH frameworks, it is also considered a “cheat sheet”. 

General Data Protection Regulation (GDPR) 

The GDPR requires companies and businesses to manage any data of citizens in the European Union (EU) countries to ensure its protection and privacy. Personal data in healthcare is referred to as ‘sensitive data’ in GDPR. It mentions three special data types: Data concerning health, genetic data, and biometric data. GDPR also required healthcare sectors to assign the role of Data Protection Officer (DPO) and report security breaches within 72 hours. 

TPRM With StandardFusion 

Managing third-party risk is a key component of a company’s cybersecurity strategy, but often doesn’t get the attention or funding required to develop an effective system. Without the right tools to manage compliance and third-party risk, teams face an uphill battle to efficiently mitigate vendor risks and comply with security frameworks.  
 
StandardFusion is an end-to-end GRC software that automates management processes and the complete vendor lifecycle. As new vendors and frameworks are introduced and the scope of regulations increases, it becomes more difficult to keep track of all the moving parts in your system. Our software streamlines vendor assessments and tracks potential risks from your vendors. Implement a structured program for more accurate assessments, immediate status alerts, and provide total visibility of your system. 

Schedule your demo and see how you can develop a sound third-party risk management program and reduce organizational strain with StandardFusion.