Vendor Risk Management in Healthcare: A Complete Guide to Third-Party Threats


Third-party vendors are the Achilles' heel of healthcare cybersecurity.

As providers have become more aware of cyberthreats, attackers have changed tactics. Rather than attempting to access data from hospitals directly, a growing number of criminals target third-party vendors whose products are integrated within these organizations’ digital ecosystems – and often have less robust security measures in place.

In fact, a recent survey revealed that 90% of serious healthcare data breaches are now tied to vendors, with 55% of entities having experienced a third-party breach in 2022 alone. This has made third-party risk management a growing priority for IT teams within healthcare organizations – but many are still unsure how to combat the problem.

This article offers everything you need to know about third-party risk management, helping you assess your current threat level, require vendors to improve their security posture, and protect your organization and patients.

Expect to learn:

  • Why healthcare providers struggle to keep up with third-party risk assessments 
  • What the average data breach costs healthcare providers 
  • How to ensure third-party vendors address their cybersecurity vulnerabilities 

What is Vendor Risk Management?

Vendor risk management (also known as third-party risk management, or TPRM) is the process of assessing and mitigating cybersecurity threats posed by your vendor network. This involves gaining visibility of each vendor’s security posture; establishing how deeply integrated the vendor is into your digital systems; and determining what level of threat this represents for your organization. 

Ultimately, this can lead to a number of actions intended to remediate risk, including: 

  • Informing vendors that they must improve their cybersecurity posture 
  • Changing your relationship with certain vendors to remove or limit their access to protected data 
  • Cutting ties with vendors that pose too great a risk 

Why is Vendor Risk Management So Important for Healthcare Entities? 

The sheer volume of attacks that come from vendors is enough to justify considerable effort to remediate risk. But there is another important factor to note: healthcare entities are legally responsible for cybersecurity breaches that are caused by their vendors. 

However, many organizations do not sufficiently vet or prioritize vendor cybersecurity. A recent survey showed that organizations do not consistently verify their partners’ cybersecurity risk when a contract is signed; 15% don’t even have contractual language for security requirements that must be met before onboarding a new vendor.  

What this means in practice is healthcare entities are often held responsible for breaches not directly caused by their own cybersecurity practices. This can lead to regulatory fines, negative impact on patient care, and lasting reputational damage that could have been avoided with the right vendor management processes. 

How large is the cost? One source claims the average breach costs healthcare entities over $10 million – the highest of any industry. 


3 Reasons Healthcare is Vulnerable to Third-Party Vendors 

Worse still, healthcare entities are more vulnerable to cybersecurity threats from their vendors than most other industries. There are several reasons for this, including: 

1. Large vendor networks 

The average healthcare provider uses more than 1,300 separate vendors. This includes everything from supply chain management platforms to software used to store and manage electronic health records (EHRs).  

The effect of this is twofold: 

  • There are more opportunities for vulnerability: It only takes a single vendor to slip up for a breach to occur, which means a larger vendor network increases the likelihood of an attack.  
  • Assessing cybersecurity risk is more difficult: 50% of healthcare providers say they are dissatisfied with their ability to keep up with the volume of vendor assessments required to manage third-party risk.

2. Complex or disconnected systems 

Healthcare vendor networks are not just large: they are often managed by multiple different people, teams, or even departments. This creates added complexity when trying to assess the total risk of your network, because there is no single unified place from which to view threats or prioritize remediation.  

A recent survey found that 90% of organizations across all industries are moving toward a centralized approach to third-party risk. But many healthcare entities are likely to lag due to the sheer scope of vendors they use. 

3. Legacy technology 

The complexity of healthcare systems means many include vendors that may no longer be in consistent use. In some cases, these are held as a backup system and therefore still have some utility. But most legacy technologies lie dormant day to day and are less likely to have robust, up-to-date cybersecurity measures in place. 

The net result of these three factors? A large structural vulnerability at the heart of most health organizations’ cybersecurity posture. And these weaknesses are exacerbated by a handful of common problems with standard TPRM processes. 

3 Challenges (Almost) Every Vendor Risk Management Program Faces 

It is time-consuming and difficult to identify and remediate any cybersecurity risk, but TPRM adds an extra challenge: the vulnerabilities are not under your control. You cannot force vendors to run assessments, disclose information, or remediate weaknesses; you must trust them to work with you to solve security problems.  

As a result, your security team must carefully manage their relationship with every vendor delegate. But there are several factors which routinely cause problems in this regard: 

1. Communication Silos 

Most vendor risk programs communicate with dozens of vendors at a time. But most lack a single platform from which to engage with vendor delegates, which leads to process fragmentation, confusion, and may cause information to be lost or stored in the wrong place. 

Even a short delay responding to a vendor may lead them to disengage; equally, your team may get frustrated with unresponsive delegates. Both scenarios cause friction and ultimately get in the way of effective collaboration. 

2. Poor Quality Questionnaires 

Vendor risk management can be overwhelming, and many security teams save time by reusing old questionnaires. The problem is these often include outdated information or questions which don’t apply to the specific vendor. 

This can quickly sour a vendor relationship, as the delegate will feel their time is not being properly respected. Equally, poor questionnaires will not allow the delegate to provide enough information for your team to gain a clear picture of their security posture or make an accurate assessment of what needs to be done. 

3. Slow Turnarounds 

Healthcare cybercrime is constantly evolving, but most vendor risk programs struggle to complete assessments fast enough to keep up. A recent survey found that over 40% of leaders are dissatisfied with their assessment turnaround speed – and a quarter struggle to even get their delegates to respond to assessment requests. 

The net result is a process which often fails to identify and mitigate threats in time, which explains the prevalence of vendor-related attacks. But fortunately, there are proven methods for fixing these issues and protecting your organization. 

4 Steps to Manage Third-Party Vendor Risk 

1. Risk assessment 

The first step is to understand your current risk level. This can be broken into a few sub-tasks: 

  • Map your vendor network to gain a centralized view of your third-party suppliers. This can be done manually using documentation, but software that can store and visualize the data makes it easier. 
  • Audit your vendors and request they provide documentation of their security processes, certifications, or the results of their most recent security risk assessments (SRAs). 
  • Initiate fresh risk assessments by providing vendors with tools such as compliance checklists. It is important to make clear this is an urgent requirement, as nearly 40% of organizations don’t receive transparent vendor assurances to satisfy their requests the first time.  

Once this process is complete, you should have a clear view of each vendor’s individual risk, the level of immediate threat each vendor presents, and the overarching security of your network. 

2. Remediate vulnerabilities 

The next step is to address and fix vulnerabilities discovered during your risk assessment. This can be a challenge: nearly 50% of providers are dissatisfied with their ability to get vendors to address security deficiencies. But there are a few things you can do to accelerate the process: 

  • Make it clear remediation is non-negotiable: You must be willing to replace vendors that don’t meet security requirements – and set clear, explicit milestones for those that are in the process of addressing vulnerabilities. 
  • Use established frameworks: HITRUST certification is the perfect example here, as it makes clear the requirements of robust cybersecurity. 
  • Work with consultants: External experts can help produce a corrective action plan (CAP) and manage the process of remediation at a large scale – without draining your resources.

3. Adapt practices 

While you are remediating risk, you should also begin putting policies and procedures into place that ensure you continue to prioritize third-party risk management. This includes: 

  • Verifying vendors’ security posture before signing a contract: You should have clear policies in place to ensure you understand every vendor’s security program before integrating them into your system. Take proactive measures to verify a prospective vendor’s SRA status, security posture, and remediation plan. 
  • Communicating your security standards to existing vendors: Document your cybersecurity requirements in writing so that every vendor is aware of what is expected. This should include not just factors pertaining to their security and remediation efforts, but how often they communicate with you about their changing threats and cybersecurity systems. 
  • Training staff in cybersecurity best practices: Human error causes roughly a third of all cybersecurity breaches. You should ensure that both your workforce and that of every vendor you engage with are properly trained to avoid these mistakes. 

4. Continuous monitoring 

Healthcare is a dynamic operational environment and TPRM is not a “one-and-done” challenge. Once you have addressed the most immediate threats to your organization, you need to put into place processes that enable continuous monitoring and improvements to your third-party risk posture. 

For most organizations this is difficult: their data is siloed, their systems are not interoperable, and they rely on manual processes across the board. But Intraprise Health has built a unique solution that not only enables seamless monitoring of vendor risk – it helps you integrate TPRM into your wider cybersecurity systems.  

BluePrint Protect™ empowers you to automate vendor risk management, centralize and visualize enterprise-wide vendor risk, and collaborate across your entire organization and vendor network in real time.   

Complete Third-Party Risk Assessments 3x Faster with Intraprise Health 

Want to see it in action? 

Book a demo.

About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.