“Taking control of third-party risk in healthcare”
Data breaches are on the minds of every C-suite executive in healthcare. Third parties (i.e., vendors) with access to organizations’ protected health information (PHI) and/or personally identifiable information (PII) represent a significant risk for data breaches to the organization.
The Information Systems Audit and Control Association (ISACA) defines TPRM as “The process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.”
Data breaches in healthcare organizations continue to make the front page and the struggles of organizations to get a handle on their third-party risk are well documented. A study conducted by the Ponemon Institute notes, “Despite the number of publicized data breaches throughout the U.S., there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack … Companies also need to do more than depend on business associate agreements to ensure that consumer information is being protected. Business should perform audits and assessments with vendors.”
Most organizations are aware of the information security risk posed by third parties. They also admit their current vetting process is ineffective or non-existent.
Why don’t organizations focus more on TPRM?
Building and maintaining a solid TPRM program can be difficult, time consuming and resource-intensive, especially when starting from scratch. Executives admit to several barriers:
- Some organizations don’t have a complete and accurate list of vendors that have access to sensitive organizational data.
- The prospect of starting a new program or beefing up an existing one without subject matter expertise can be daunting.
- It takes money and people – something that is often in short supply and competing with other priorities.
- There is an assumption that the third party is responsible and is protecting sensitive data.
- Third-party risk is seen as something outside the four walls, so it doesn’t get the priority it deserves.
- There is a lack of perceived value versus the expertise, time and effort required to build and maintain a program.
These reasons, while valid, do not absolve an organization of its responsibility to protect the PHI/PII with which it is entrusted.
Thanks to the HITECH regulation and associated Meaningful Use program, as well as related technology advances over the last 15 years, healthcare is becoming less insular and increasingly interoperable. The dependency on third parties by covered entities to adhere to the regulation and deliver the best coordinated care possible is inextricable, increasing the technical integration requirements, which raises the risk profile greatly.
However, making risk-based decisions on whether to engage a third party require reliable, consistent information related to a third party’s policies, procedures, practices and overall information security risk profile; this is essential for risk mitigation for a healthcare organization.
How can you raise TPRM’s profile in your organization?
To overcome the many perceived barriers to getting started with an effective program, you need a champion. The chief information security officer (CISO) or equivalent leader needs to get the buy-in of the C-suite executives, and together they must evangelize the importance of TPRM for the entire organization, not just the IT department.
Knowing about the risk posed by third parties and appreciating the need to assess and remedy those risks will improve the program’s success rate greatly. These are messages everyone in the organization — from the leadership on down — needs to hear and understand implicitly.
Your organization’s Compliance department needs to be actively engaged; they’re often terrific champions in managing third-party risk. Once a program is implemented, Compliance staff often has ultimate responsibility for enforcing the organization’s adherence.
Any organizational channel that introduces third parties and the associated exposure of PHI/PII needs to be an integral part of a complete TPRM program that includes assessments and monitoring. These channels include department heads (where the vendor relationship often originates) and procurement, legal, contracting and IT/IT security departments, to name a few.
A strong TPRM program is vital to the health of your organization. Understanding the requirements for TPRM and how to create buy-in throughout your organization is critical to creating a strong security posture. Don’t wait until one of your third parties is compromised to begin implementing your own TPRM program.
By Brian Parks, Senior Vice President, Security Services, Intraprise Health