
3 Keys to Third-Party Risk Management at WellSpan Health

WellSpan Health’s third-party risk management strategy focuses on assessing vendors, managing employee and non-employee access, and collaborating to mitigate risk.


Third-party risk management is a crucial tenet of WellSpan Health’s cybersecurity infrastructure. The South-Central Pennsylvania integrated health system engages with thousands of vendors, 30,000 endpoints, and 26,000 users, a fifth of which are non-employees.

Michael Shrader, WellSpan’s director of information security, recognizes the difficulties of protecting patient data while managing internal and third-party cyber threats from all angles.

“Healthcare has always been behind in security. There are a lot of legacy systems and medical devices that are old and can’t be upgraded. So, we have a lot of unique risks that we have to balance in this industry,” Shrader said in an interview with HealthITSecurity.

“It’s hard to explain to people who don’t understand security, which is why it’s hard to get budget for third-party risk management.”

As cyberattacks get more sophisticated and healthcare organizations continue to bolster their internal security practices in response, threat actors are increasingly targeting third-party vendors. The attackers know that third parties may not have the same cybersecurity measures in place, making them an easier access point into a hospital’s network and data.

Third-party risk management strategies vary by organization. Assessing and reassessing vendors, carefully managing employee access, and collaborating with every user in its system are WellSpan’s core strategies for managing third-party risk.

“We want to be a trusted partner in our community,” Shrader explained. “And we have to build that trust by making sure that we can secure their data.”

Onboarding, Assessing, and Reassessing Vendors

WellSpan typically begins onboarding a new vendor by putting it through a technical review to ensure that the vendor fits WellSpan’s model from an integration standpoint. Once the vendor passes the technical review, the team can move on to procurement and contracting.

Depending on the amount and type of data that a vendor has access to, onboarding may look different.

“If the vendor has access to PHI, that’s obviously going to be a much more high-risk vendor. We have to consider operational risk, too. The vendor may not have access to PHI, but if they run our HVAC system in the OR, that’s a different risk,” Shrader suggested.

“We have to make sure that we assess those risks appropriately because if we cut off their access and they can’t fix the HVAC, there could be some serious consequences.”

Conducting independent third-party risk assessments can help healthcare organizations stratify risk and manage access. Whether it is through independent risk questionnaires or full-fledged industry assessments through services such as HITRUST, quantifying the inherent risk of each vendor is imperative to ensuring data security.

“Focusing on what is important to your organization is very helpful to make a successful assessment program,” Shrader advised.

“You can easily drown in data and get spun around trying to find everything. Focus on the data, system access, and operational impacts. You can go deeper after you have answers to those questions.”

Under HIPAA, all covered entities must maintain business associate agreements (BAAs) with third-party vendors that have access to PHI to ensure compliance and security. BAAs hold third parties to the same standards as covered entities in terms of breach management and assurances about PHI responsibility.

“We all have business associate agreements that help us transfer risk. But they are just agreements. There's nothing technically preventing them from doing something wrong with our data,” Shrader warned.

For that reason, healthcare organizations should continually reassess third-party vendors to ensure that they remain in compliance. Shrader said that ideally, health systems should reassess vendors yearly.

It can be helpful to line up vendor reassessments with the health system’s procurement cycle so that before the bill is paid, the vendor has to complete an updated questionnaire. In addition, integrating reassessments with system upgrades is an effective way to make sure that no vendor slips through the cracks.

Employee and Non-Employee Access Management

Non-employees such as nursing students are also third parties from a technical standpoint and should be managed as such, alongside third-party vendors. WellSpan manages approximately 6,000 non-employees, including vendor users, contractors, and students, using SecZetta's third-party identity risk solution.

Managing employee and non-employee access as new people are constantly onboarding and offboarding can be difficult, which is why it is important to limit initial access and continually manage that access throughout the employment lifecycle.

“Employees may transfer within the hospital. So, they are moving from one unit to another, and they need different accesses,” Shrader explained.

User accounts should always have an expiration date due to the fluctuating nature of employment at a healthcare organization. If a contractor or student is with the hospital for a year, they will be granted a year of access. If they are only scheduled to be there for six months, they will be granted six months of access.

As the deadline approaches, WellSpan can reassess whether the access needs to be renewed. Role-based access provides assurance that no employee or non-employee has access to more data than their role requires.

“We only want to give access that is absolutely necessary, because we don’t want to expose additional data or system access which could be used to create misconfigurations or access systems inappropriately,” Shrader noted.

“We want to make sure that we build those roles appropriately, and we handle everything in a very consistent manner.”
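The time-bound, role-based account lifecycle described above, as an added example that is not WellSpan's or SecZetta's code: the roles, entitlements and account records are constructed for illustration, and the 30-day reassessment window is an assumption.

```python
from datetime import date, timedelta

# Hypothetical role catalogue: each role maps to the minimum entitlements it needs.
ROLE_ENTITLEMENTS = {
    "nursing_student": {"ehr_read"},
    "hvac_contractor": {"bms_console"},
    "vendor_support": {"app_admin"},
}

def provision(user_id, role, engagement_end, today):
    """Create an account whose expiry matches the scheduled engagement length."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    if engagement_end <= today:
        raise ValueError("engagement end must be in the future")
    return {"user": user_id, "role": role, "expires": engagement_end,
            "enabled": True, "entitlements": set(ROLE_ENTITLEMENTS[role])}

def review(accounts, today, window_days=30):
    """Sort accounts into the conditions an access reviewer acts on."""
    findings = {"no_expiry": [], "expired_but_enabled": [],
                "due_for_reassessment": [], "excess_entitlements": []}
    for acct in accounts:
        uid = acct["user"]
        exp = acct.get("expires")
        if exp is None:                       # every account must carry an expiry
            findings["no_expiry"].append(uid)
        elif exp < today and acct["enabled"]: # offboarding that did not happen
            findings["expired_but_enabled"].append(uid)
        elif today <= exp <= today + timedelta(days=window_days):
            findings["due_for_reassessment"].append(uid)  # renew or let lapse
        # Anything beyond the role's entitlements is scope creep to remove.
        extra = acct["entitlements"] - ROLE_ENTITLEMENTS.get(acct["role"], set())
        if extra:
            findings["excess_entitlements"].append((uid, sorted(extra)))
    return findings

def example_review(today=date(2024, 3, 1)):
    """Constructed sample: two clean accounts and two that need action."""
    accounts = [
        provision("student01", "nursing_student", today + timedelta(days=180), today),
        provision("hvac02", "hvac_contractor", today + timedelta(days=20), today),
        {"user": "vendor03", "role": "vendor_support", "expires": None,
         "enabled": True, "entitlements": {"app_admin"}},
        {"user": "student04", "role": "nursing_student",
         "expires": today - timedelta(days=5), "enabled": True,
         "entitlements": {"ehr_read", "app_admin"}},
    ]
    return review(accounts, today)
```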

Collaboration is Key

“It’s a team sport. We have to work together with our vendors to address third-party risk,” Shrader emphasized. “Cybersecurity is not just gatekeeping anymore. We’re not just the people who are saying ‘no’ to things. It’s highly collaborative if you want it to be successful.”

Every user with access to WellSpan’s system is critical to the security of the health system’s environment, Shrader continued. Educating employees on cyber risks can be the one difference between a secure system and a data breach that exposes patient information.

Implementing email phishing protections and training employees to recognize common phishing techniques are safeguards that improve an organization’s security posture. Employees are a healthcare organization’s last line of defense and are often seen as easy targets for phishing scams.

Prioritizing third-party risk, implementing technical safeguards, and continually investing in employee education are key tactics to ensuring cyber resilience.

Due to the sensitive nature of healthcare data, the sector is likely to remain a prime target for cyberattacks for the foreseeable future. By collaborating with vendors, non-employees, and employees, healthcare organizations can effectively mitigate threats while maintaining patient trust.