The COVID-19 pandemic has created an unprecedented impact on the healthcare community in the U.S. and throughout the world. It has forced an entire industry to think differently, innovate and adapt on the fly, and rethink their internal processes to support the spectrum of services they provide.
Long-standing, and seemingly well-established processes for procuring products and services are being reconsidered to meet the immediate and critical demand. Organizations must quickly engage with new third parties (vendors) and/or look to existing third parties for new products and services to respond to the crisis, all the while adhering to the required HIPAA Security and Privacy rules.
Even with the urgent need in the marketplace today for products and services, healthcare organizations cannot ignore third-party risk management (TPRM), which identifies and manages risks posed by third parties that provide software and services.
Read Intraprise Health’s article in the May issue of Security Magazine
The Healthcare Supply Chain
Now more than ever, healthcare organizations are relying on their third-party partners to help address the need. We must remember, however, the risk these third parties pose. In 2019, well over 20 percent of the total documented healthcare breached records were attributed to third parties.
How are organizations addressing the pressing need for technology, goods and services while being mindful of the information security and the HIPAA Security and Privacy rules?
Prioritizing COVID-19 Related Acquisitions
Larger healthcare organizations often deal with hundreds of third-party partners who provide products and services to support their mission. Expediting procurement of COVID-19 related products and services means healthcare systems need to modify their normal process to move more quickly, which may force them to sacrifice attention to detail.
The parties involved in the process – usually Procurement, Legal, IT Security, Compliance and the business owners – must all be on the same page with what that expedited process means.
Contracting must protect the organization as per a normal purchase, but there will be less negotiation over minutia than would otherwise take place.
Pricing also becomes a key consideration. The critical nature of the acquisition may, in fact, justify increased cost – e.g., required inventory and expertise may already be in high demand in the marketplace. The organization can possibly support legitimate elevated pricing, but they must be aware of price gouging.
But along with the urgency to procure a product or service is the need to recognize the potential risk in fast-tracking the onboarding process. When taking on a partner, the organization must have a mutually understood approach to expediting the third-party risk assessment to be successful.
Security Risk Assessments of Third Parties
As organizations rush to expand their operations, set up temporary testing and treatment facilities and secure additional products and services, they must continue to be mindful of the risk they are taking on. It is a tight balance.
A typical TPRM security assessment cycle for a new product or service includes several key steps to ensure that covered information (i.e., HIPAA data) is being properly protected by the vendor. These steps include:
- Reviewing and understanding the desired implementation parameters within the business.
- Ensuring proper HIPAA policies and procedures are in place for the third party.
- Interviewing the appropriate third-party representatives to review the technical implementation, if applicable.
- Completion by the vendor of a questionnaire that can include 200 or more questions.
- Reviewing any third-party certifications, such as SOC-2, HITRUST, ISO 27xxx or other artifacts matched to the questionnaire responses.
- Analysis cycle of all the above to identify risks.
- Creating an assessment report including a description of the product/service implementation and any found risks.
- Formal review by an approval body to move forward with the product or service.
This process often takes four weeks or more to complete, which is simply not tolerable when lives are at stake. Therefore, organizations need a strategy to support the business while ensuring the security of the environment and HIPAA data it is entrusted to protect.
One strategy is to take a minimum standard approach for the security vetting process. The following micro-focused approach will shorten the assessment cycle to hours vs. weeks and make critical products/services available to those in need:
- Review information found on the third party’s public website. If the information is current, it will provide much insight into the product/service and perhaps even the related security program. Larger, well-established third parties are more likely to share this information unsolicited.
- In lieu of a full security program documentation review, cover the majority of the security vetting process via a phone interview with the third party to determine whether they follow good security practices. Get specifics on how they protect covered information.
- If a security certification (SOC-2, HITRUST, etc.) is available, use that in place of a full-fledged questionnaire process. You can ascertain a high level of confidence from a reputable certification.
- Employ a concentrated approval process. This does not mean rubber stamp, but rather empowering a smaller committee, or even a single security-minded individual, to provide an “interim” approval pending a more in-depth security review.
Even when using this expedited approach to security review, there are certain non-negotiables:
- Formal approval is still required to move forward. This should not be taken lightly and should not fall to the assessor by default. This approval holds all the weight and responsibility of a full assessment approval, including its risks, within the organization.
- Secure handling of covered information must be fully understood. It is important to ascertain exactly how patient data will be transmitted, stored and processed during and after the crisis.
- A full assessment is still required but can take place after interim approval. The third party should be aware of this and a target date for full assessment must be set and tracked.
- Any risks identified during the shortened review cycle must be logged and tracked, with remediation targets for the third party.
Maintaining these simple ground rules will support the healthcare organization without significantly exposing it to major security risks as they adapt to this new and challenging situation.
Brian Parks is Senior Vice-President of Information Security Services at Intraprise Health, LLC.