Healthcare organizations are finding that vendor risk management is critical to avoiding a reportable security breach.
There are weekly headlines about third-party breaches exposing protected health information (PHI) or disrupting patient care. A 2019 survey of healthcare IT leaders revealed 56% had experienced one or more third-party data breaches in the last two years, causing on average a total of $2.9 million to remediate.
If your supply chain has risks that could impact patient care, PHI, or critical services, those are your risks as well. So let's look at what a Third-Party Vendor Risk Management Program is, how it works, and how to right-size an approach to meet your requirements using industry best practices.
What is Third-Party Risk Management?
Third-Party Risk Management (TPRM), also referred to as Vendor Risk Management, is the process of performing due diligence on suppliers, vendors, and business associates to assure that a partnership will not subject an organization to an intolerable level of risk. Broadly, this process applies to all vendors throughout the supply chain; however, this article is limited to assessing third-party cybersecurity risk.
From a compliance perspective, HIPAA regulations require that covered entities perform third-party due diligence as it relates to ePHI, but the Security Rule does not specify exactly how to do it. Beyond HIPAA, a well-rounded risk management program considers more than just systems that could expose PHI. For example, an attack on the availability of a critical system would impact the mission of providing patient care.
How Does a Third-Party Risk Management Program Work?
Developing a cyber TPRM Program is not a siloed process undertaken solely by IT or Information Security teams. As cyber risk is an inherent business risk, input from management, legal, and compliance teams is a necessary component. The complexity of the program should fit the organization’s maturity level by requiring enough documentation to perform satisfactory due diligence, while not overwhelming resources and creating a bottleneck effect that can hamper security and/or key procurement initiatives.
A good first step is to create a baseline security questionnaire. At Critical Insight, we routinely receive these questionnaires from customers. They run the gamut from short and concise Q&A spreadsheets to detailed multi-page documents requiring complex responses along with supporting artifacts.
At a minimum, the information requested should provide basic information about the vendor (such as years in business, number of customers, incorporation details), liability insurance levels, and security, compliance, and data protection questions. Ensure security questions address both the type of service being provided and the classification level of data or assets in scope. Where no classification system has been imposed, questions should apply to systems that store, transmit or process sensitive or regulated data such as ePHI, PII and credit card information.
Depending on the type of vendor, the questionnaire might also request details and documentation about security assessments (e.g. SOC 2, PCI DSS), certifications (e.g. HITRUST, ISO 27001), and agreements (such as a HIPAA BAA). This is an area where the security of a vendor can become a reason to choose one over another. So, when you are in procurement, you can save time by asking security questions ahead of time.
What Third Party Cybersecurity Documentation Is Needed?
A solid best practice is to request all relevant vendor-written policies & procedures pertaining to information security, data protection and privacy. The idea here isn’t to perform a detailed compliance analysis of the documents, but to get a sense for how seriously the vendor takes their own security.
Any organization with a mature security posture will have this documentation available and should include information such as Document Owner and a Change Management log, which can demonstrate how often the policy is reviewed and updated (ideally, annually). Some other plans you can ask for that provide tell-tale signs of a mature vendor would be business continuity, vulnerability management, and acceptable use policies.
What about Fourth Party Supply Chain Documentation?
Fourth-party risk is also your risk — so another question I recommend asking vendors is about their own supply chain. Does the vendor rely on a service or platform to process any of your restricted or confidential data? If yes, depending on the criticality of the data in scope, this situation requires further due diligence. This may require reviewing the fourth-party provider’s vendor agreement or Business Associate Agreement (BAA).
Often, that fourth party is a cloud PaaS or IaaS provider who will publish a statement of their “Shared Responsibility Model”, which details their responsibilities to protect data. If gaps in security exist between the fourth party’s Shared Responsibility Model statement and the security provided by the third party being assessed, the additional, unaddressed risk should be considered when deciding on furthering a business relationship.
What’s Included in a Third Party Security Assessment?
For organizations getting started on TPRM, there are a few open-source options available (explained later), but a lighter touch may make more sense. The method we use at Critical Insight covers a couple of key requirements:
- An “off-ramp” provision that allows Critical Insight to waive some of the due diligence requirements for organizations that have invested in an independent examination of controls, such as HITRUST certification.
- A “scoring” mechanism to create the underpinning for differential application of policy. For example, a low-scoring organization may NOT have unsupervised remote access. Note that this creates an incentive for third parties to improve their score with time, as well as a way to report internally to executives on the risk represented by business associations.
Briefly, in addition to the aforementioned policies, we ask for the following in order of preference:
- HITRUST certification
- SOC 2 report
- Third-party assessment against a recognized standard, such as the NIST CSF
- A completed questionnaire on internal security controls
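The off-ramp, the scoring mechanism, and the order of preference for evidence above describe a process; the following is an added illustration of how such a process can be made explicit and repeatable. It is not Critical Insight's tooling. The evidence hierarchy (HITRUST, then SOC 2, then a third-party assessment, then a questionnaire), the off-ramp for independently examined vendors, the "no unsupervised remote access for low scores" rule, and the fourth-party BAA check come from the article; the point values, the 60-point threshold, the control questions, the policy-age rule (reviewed within 365 days) and the sample vendors are assumptions constructed for the example.

```python
"""Vendor evidence tiering with an off-ramp and score-gated policy (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Evidence types in the article's order of preference; the point values are assumed.
EVIDENCE_POINTS = {
    "hitrust": 40,
    "soc2": 30,
    "third_party_assessment": 20,  # e.g. an assessment against the NIST CSF
    "questionnaire": 10,
}
# Independent examinations that trigger the off-ramp, and the requirements it waives (assumed).
OFF_RAMP_EVIDENCE = {"hitrust"}
WAIVABLE_REQUIREMENTS = {"control_questionnaire", "policy_review"}
LOW_SCORE_THRESHOLD = 60  # assumed cut-off below which remote access must be supervised


@dataclass
class Vendor:
    name: str
    evidence: set[str]
    controls: dict[str, bool] = field(default_factory=dict)  # question -> answered "yes"
    policy_owner_named: bool = False
    policy_last_reviewed: date | None = None
    fourth_party_handles_restricted_data: bool = False
    fourth_party_baa_reviewed: bool = False


@dataclass
class Assessment:
    score: int
    waived: set[str]
    unsupervised_remote_access: bool
    findings: list[str]


def evidence_score(evidence: set[str]) -> int:
    """Credit only the strongest piece of evidence the vendor supplies."""
    return max((EVIDENCE_POINTS[e] for e in evidence if e in EVIDENCE_POINTS), default=0)


def controls_score(controls: dict[str, bool]) -> int:
    """Up to 40 points (assumed) for the share of control questions answered 'yes'."""
    if not controls:
        return 0
    return round(40 * sum(controls.values()) / len(controls))


def policy_score(vendor: Vendor, today: date) -> int:
    """Up to 20 points (assumed): a named document owner and a review within the last year."""
    points = 10 if vendor.policy_owner_named else 0
    reviewed = vendor.policy_last_reviewed
    if reviewed is not None and (today - reviewed).days <= 365:
        points += 10
    return points


def assess(vendor: Vendor, today: date | None = None) -> Assessment:
    today = today or date.today()
    # Off-ramp: an independent examination waives the questionnaire and policy review,
    # and those components are credited in full.
    waived = set(WAIVABLE_REQUIREMENTS) if vendor.evidence & OFF_RAMP_EVIDENCE else set()
    score = evidence_score(vendor.evidence)
    score += 40 if "control_questionnaire" in waived else controls_score(vendor.controls)
    score += 20 if "policy_review" in waived else policy_score(vendor, today)

    findings: list[str] = []
    if vendor.fourth_party_handles_restricted_data and not vendor.fourth_party_baa_reviewed:
        findings.append("fourth party processes restricted data; review its agreement/BAA")
    allow_unsupervised = score >= LOW_SCORE_THRESHOLD
    if not allow_unsupervised:
        findings.append("low score: unsupervised remote access not permitted")
    return Assessment(score, waived, allow_unsupervised, findings)


ASSESSMENT_DATE = date(2020, 6, 1)  # fixed so the example is reproducible

# Constructed sample vendors, not real organizations.
SAMPLE_VENDORS = [
    Vendor("HITRUST-certified EHR host", {"hitrust", "soc2"}),
    Vendor("SOC 2 analytics platform", {"soc2", "questionnaire"},
           controls={"mfa": True, "encryption_at_rest": True, "logging": True, "patching": True},
           policy_owner_named=True, policy_last_reviewed=date(2020, 1, 15),
           fourth_party_handles_restricted_data=True, fourth_party_baa_reviewed=False),
    Vendor("Questionnaire-only transcription service", {"questionnaire"},
           controls={"mfa": True, "encryption_at_rest": False, "logging": True, "patching": False},
           policy_last_reviewed=date(2018, 3, 1)),
]


def run_samples() -> dict[str, Assessment]:
    return {v.name: assess(v, ASSESSMENT_DATE) for v in SAMPLE_VENDORS}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: score={result.score} waived={sorted(result.waived)}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The point of keeping the scoring in code rather than in a reviewer's head is the one the article makes: the same vendor reassessed next year gets a comparable number, the waiver is applied consistently, and the policy consequence of a low score is recorded alongside the score itself so it can be reported to executives and written into the vendor agreement.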
For organizations that are serious about Third-Party Risk Management, I recommend an open-source tool from Shared Assessments, Vendor Risk Management Maturity Model (VRMMM). This model functions as a framework for organizations to assess the maturity of their TPRM program and identify areas for improvement. It provides a five-tier maturity ranking, from initial vision all the way through full implementation & continuous improvement and encompasses 8 categories with detailed controls. The VRMMM could be a heavy lift (and expensive) for smaller organizations with limited resources, but it’s worth reviewing and considering.
How Often Should Third Parties Be Assessed?
After the security assessment is reviewed for policy alignment, the vendor is assigned a score and notified of it, as well as of how the policy will be applied based on that score. This process is repeated annually or upon major changes in the vendor’s infrastructure, such as moving from a hosted model to AWS. Be sure these requirements are described in the vendor agreement or BAA, and ensure all internal stakeholders are aware of why, how, and when third-party vendors are assessed.
Vendor Risk Management is an important part of a robust cybersecurity program, and it’s important to get started now. If a security event is caused by a third party on your watch, you are going to need all of this information to fulfill any post-incident regulatory and audit requirements.
TL;DR – Prioritize Cybersecurity Vendor Risk Management in Healthcare
- Cybersecurity vendor risk management is necessary and required for covered entities and business associates.
- If starting from scratch, develop a baseline security questionnaire with input from management, legal, and compliance.
- Ask about the vendor’s security controls and for supporting documentation such as Policies & Procedures, SOC 2/HITRUST reports, insurance binders, etc.
- Ask about the vendor’s vendors; fourth-party risk is a thing.
- Ask about Business Associate Agreements (BAA).
- Consider using your own framework or the Vendor Risk Management Maturity Model (VRMMM) for building out a comprehensive cybersecurity third-party risk management program.