5 Steps to Managing Third-Party Risk in the Healthcare Industry

Written by the Health Information Management Working Group.

Healthcare organizations are struggling to identify, protect, detect, respond, and recover from third-party or vendor-related data breaches, vulnerabilities, and threat events. The number of third-party vendors that handle sensitive data has grown as the volume and complexity of securing electronic medical data has increased. This poses a significant risk to Healthcare Delivery Organizations (HDOs). As the number of third-party vendors increases, it is essential that HDOs develop and implement a risk management program.

It is advantageous to use a framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework to measure, monitor, and track third-party risk. Here are the five stages of the framework:

Identify

Identifying the third-party vendors and prioritizing them based on criticality enables the HDO to focus its efforts consistent with its risk management strategy based on business needs. Implementing processes to identify new third parties and changes to existing third parties is the first step in developing a risk management program. Once all third-party vendors have been identified, the HDO should risk-rank the vendors to identify the criticality of the vendor.

Protect

Protect helps limit the impact of potential events. Included in Protect are assessments. The HDO should require the third-party vendor to complete a security questionnaire. A risk assessment is used to determine the chances of an attack against the third-party vendor and the potential impact a cyber attack could have on its reputation, finances, and business health.

Once the HDO has identified and defined the risk, they must make sure they effectively manage to mitigate the risks. There are four types of risk treatment options:

• Avoid: If a risk is deemed too high, avoid the activity that creates it.
• Transfer: Transfer the risk you take to another party, such as an insurance company.
• Reduce: Risk is transferred to another party when it is not avoidable.
• Accept: There is no option but to accept the risk.

Detect

Detect is developing and implementing the appropriate control and activities to identify cybersecurity events. The HDO should maintain an up-to-date understanding of their third-party risk by establishing a continuous monitoring program. There are numerous benefits to a continuous monitoring program. Here are a few:

• Enables a proactive approach through real-time insight into your vendors
• Provides objective context to prevent human error
• Saves time and resources
• Allows for easy customization
• Allows you to focus on the highest risks

Respond

Respond requires the development and implementation of the activities regarding a detected cybersecurity event. With third-party security incidents growing exponentially, companies must prepare for the worst. You’ve detected a breach in your third party; now what? The most critical thing is to limit the damage of the impact on your organization by activating your response playbook, which should include:

• Shut off access to third parties affected by a cyber attack.
• Determine whether the third-party breach has affected your organization. If it has, conduct a forensic analysis to understand its extent.
• Assess liability from third-party involvement and check contract terms and conditions.
• Mitigate the damage through additional security tasks and tools.
• Communicate to stakeholders what has happened, the impact, and the recovery plan.
• If the incident involves a breach to critical infrastructure, report it to the DHS and to CISA within 72 hours.
• Conduct a root cause analysis to determine how to prevent the incident from reoccuring.
• Document the organization’s response: what worked and what didn’t.
• Have a plan for running services in-house in the event of an incident.

Recover

Develop and implement activities to maintain plans for resilience and to restore any capabilities or services that were interrupted by the event. This supports timely recovery to normal operations and reduces the impact of the cybersecurity event. After an incident is contained, the vendor needs to think through how to return to normal operations quickly.

The key focus of the HDOs third-party vendor incident recovery should be continuing patient care. The HDO should have a team identified to manage the recovery. Once an event has been identified, the team should actively engage vendors to identify alternative sourcing for the service provided by the affected vendor.

There can be breaches that do not shut down services, but disclose the HDO’s data. The HDO needs to assess the breach’s impact and determine what other activities need to be undertaken. Remember, there are reporting and notification requirements at the state and federal levels. The recovery playbook should have these requirements identified.

And don’t forget, communication throughout is VERY important!

To learn more, read Third-Party Vendor Risk Management in Healthcare here.