What’s Your Third-Party Vendor Risk in Healthcare?

“A substantial portion of people in America” were likely affected by the Change Healthcare breach, said UnitedHealth Group CEO Andrew Witty in the company’s most recent press statement.

The breach and its waves of ongoing impact show us all that cloud cybersecurity measures continue to be extremely critical. The situation makes it clear that healthcare third-party risk management is a proactive PHI protection strategy that can no longer be overlooked.

Together with HealthsystemCIO, we held a roundtable to talk it out, bringing healthcare third-party risk management into sharp focus. We discussed exactly how healthcare organizations (HCOs) can bolster their defenses against vulnerabilities introduced by third-party services.

Key Insights at a glance:

    • Why you need a strict vendor compliance policy – if your vendor can’t demonstrate their security posture for protecting PHI, DO NOT work with them.

    • Cyber defense is about MDR – in today’s cyber threat landscape, a good offense is better than a good defense.

    • Don’t leave your security to chance – it’s not worth risking patient safety or your bottom line.

Dive right into the discussion and watch the replay.

Understanding the Complexity of Third-Party Risks

We came out of the discussion realizing something crucial: Reliance on third-party services in healthcare is a double-edged sword. On one hand, these vendor partnerships can drive innovation, efficiency, and better patient care. On the other hand, they introduce a significant vector for potential security breaches and operational disruptions.

It’s a tightrope walk, and it demands a more comprehensive approach to risk management—one that pulls in business continuity, process and data flows, and, most importantly, IT security as a component of overall organizational risk.

The Change Healthcare breach illustrates why organizations need to stop and carefully reevaluate their third-party risks in healthcare cybersecurity – and have their Plan Bs in place now. We all need to be ready to mitigate these vulnerabilities.


The Critical Role of Digital Hygiene and Authentication

A key takeaway from the webinar was the emphasis on fundamental security practices. Notably, the panelists highlighted the importance of hygiene and the implementation of multifactor authentication (MFA). These powerful measures are often overlooked in the broader strategy, yet they form the bedrock of a strong security posture.

Managing account access creates a major hurdle when it comes to third parties. Outside vendors need to access applications, complicating account management and potentially compromising security. Compromised credentials pose a significant threat – and all too often, people don’t realize their credentials have been compromised until it’s too late. Security and IT departments need to carefully monitor account usage, watching out for suspicious activity that could indicate unauthorized access.

Our panelists discussed companies that enforce MFA for all accounts, whether internal or third-party, and restrict direct network access to mitigate risks. Some companies require remote employees to confirm their identity via webcam during password reset requests, a simple yet effective method to ensure the person making the request is who they claim to be.
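As an added example (not from the webinar or the original post), here is a small Python script that applies the kind of vendor-account monitoring described above to a few constructed login records. The log format, the approved support window and the source-change threshold are all assumptions made for the example.

```python
"""Flag suspicious third-party (vendor) support-account logins in sample log lines."""
from datetime import datetime, timedelta

# Constructed sample events for this example (not real data).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=vendor-svc-imaging src=203.0.113.10 mfa=true result=success
2024-05-01T09:40:45Z user=vendor-svc-imaging src=203.0.113.10 mfa=true result=success
2024-05-01T23:15:02Z user=vendor-svc-billing src=198.51.100.7 mfa=false result=success
2024-05-01T23:16:30Z user=vendor-svc-billing src=192.0.2.44 mfa=true result=success
2024-05-01T10:05:00Z user=vendor-svc-labs src=203.0.113.55 mfa=true result=failure
"""

# Assumed policy values: vendors may log in only between 08:00 and 18:00 UTC,
# and a change of source address within 10 minutes is treated as suspicious.
SUPPORT_WINDOW_HOURS = (8, 18)
SOURCE_CHANGE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["mfa"] = event["mfa"] == "true"
    return event


def find_alerts(log_text):
    """Return (user, reason) tuples for successful vendor logins that break policy."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    last_seen = {}  # user -> (timestamp, source address) of previous success
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are out of scope for these three checks
        user, hour = e["user"], e["ts"].hour
        if not e["mfa"]:
            alerts.append((user, "login_without_mfa"))
        if not (SUPPORT_WINDOW_HOURS[0] <= hour < SUPPORT_WINDOW_HOURS[1]):
            alerts.append((user, "login_outside_support_window"))
        prev = last_seen.get(user)
        if prev and prev[1] != e["src"] and e["ts"] - prev[0] < SOURCE_CHANGE_WINDOW:
            alerts.append((user, "source_ip_changed_quickly"))
        last_seen[user] = (e["ts"], e["src"])
    return alerts


if __name__ == "__main__":
    for user, reason in find_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

Only the billing vendor account trips the checks in the sample: one login without MFA, two logins outside the support window, and a source-address change within two minutes.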

The Holistic Approach to Risk Management

The conversation repeatedly circled back to the need for a holistic view of risk management. Integrating IT security within the larger risk management framework requires not just technological solutions but also strong executive support and inter-departmental communication. The panelists pointed out the need to involve finance, privacy, and other relevant departments in these conversations for a united front.

As threat actors get more and more sophisticated, the panelists highlighted that cybersecurity isn’t something you just do once and expect to keep working. It’s an evolving strategy that needs regular review to stay effective.

Balancing Security and User Experience

An interesting challenge talked about during the discussion was finding the right equilibrium between securing sensitive data and ensuring a seamless user experience. This balance is pivotal in healthcare, where the stakes include not just data privacy but also patient safety and care quality. The panelists argued for a pragmatic approach, where security measures are weighed against their impact on clinical operations and patient care.

Learning, Automation, and Validation

In an era where threats evolve rapidly, continuous learning and the adoption of automation were pinpointed as critical strategies. Validating identities and automating routine security tasks can free up valuable resources to focus on more complex challenges, enhancing the organization’s ability to adapt and respond to new threats.

Executive Support and Decision-Making

A recurring theme was the indispensable role of executive support in navigating third-party risks. IT decisions, especially those involving risk mitigation measures like shutting down systems or restricting access, require backing at the highest levels. Without this support, even well-intentioned policies can falter under operational pressures or internal resistance.

The Path Forward

The expert panel emphasized that improving security posture and reducing third-party risks in healthcare is not just about adopting new technologies or implementing stricter policies. It’s about fostering a culture of awareness, continuous improvement, and cross-departmental collaboration.

For HCOs looking to strengthen their defense against third-party risks, the insights shared by the panelists provide a valuable blueprint.

How Should Your Organization Manage Third-Party Risk?

    • Conduct regular inventory of critical workloads.

    • Tighten controls on support accounts and find ways to apply Multifactor Authentication (MFA) for all accounts.

    • Elevate discussions about security risks and business continuity plans.

    • Automate security responses and deploy countermeasures quickly based on threat intelligence.

    • Practice disaster recovery and business continuity plans for critical systems.

    • Understand third-party integrations and pivot as needed.

    • Implement continuing education for executive management on the limitations of IT and the need for business continuity planning.

    • Identify whether your organization has accumulated compliance debt, and identify the operational and financial resources required to achieve continuous compliance.

Additional Questions and Considerations: FAQ

What specific measures are healthcare organizations adopting to monitor and manage the security of their third-party vendors?

It’s a combo of technological solutions and strategic processes. They typically use security ratings services to continuously assess the risk level of third-party vendors. These services provide real-time insights into the security posture of vendors, enabling healthcare organizations to manage risks proactively. Additionally, regular audits and compliance assessments are common practice to ensure that third-party vendors meet the necessary security standards and regulations.

How are healthcare organizations balancing the need for rapid technological adoption with the inherent risks that come from increasing third-party integrations?

Healthcare organizations often employ a risk-based approach. This involves conducting thorough risk assessments before adopting any new technology or third-party service. By evaluating potential vulnerabilities and the impact of a security breach, organizations can make informed decisions about which technologies and vendors align with their security requirements. This strategic approach helps maintain a balance between innovation and security, ensuring that patient data remains protected while embracing advancements that can enhance care delivery.

What are some examples of successful third-party risk management frameworks in healthcare?

Some organizations have developed robust models that integrate comprehensive risk assessments, vendor audits, and continuous monitoring. Your organization may consider a tiered vendor management framework, where vendors are categorized based on the sensitivity and scope of the data they handle. This categorization allows organizations to apply more stringent controls and oversight to higher-risk vendors.

Moreover, these frameworks often include incident response plans and regular training for staff on the importance of third-party risk management, ensuring a well-rounded approach to securing external partnerships.

Join the conversation on how we can collectively advance our security posture in the face of evolving third-party risks.

Tune in for the replay.

Your Data Security Can't Wait.

Take the first step toward transforming your third-party risk management approach.

Watch the Replay