How the Health3PT Council Addresses Third-Party Risk Management Woes

August 02, 2023 - Healthcare third-party risk management (TPRM) is broken, according to the Health 3rd Party Trust (Health3PT) Initiative and Council. The council members would know – each is a healthcare security leader who has seen firsthand the inefficiencies and gaps in TPRM across the sector.

Representing key industry players from dozens of leading organizations, such as Walgreens, UPMC, and Tufts Medicine, the Health3PT Initiative and Council aims to establish TPRM best practices, standardize vendor risk assessments, and create reliable assurance models.

The initiative, founded in January 2023, leverages the knowledge of experienced healthcare CISOs along with industry leaders like HITRUST and CORL to achieve these objectives. Although the initiative is new, the problems that led to its creation are not.

“For almost two decades that I've been in the industry, I've only heard the talk of various challenges within the supplier, vendor, business associates, and third-party ecosystems,” said Shenny Sheth, deputy CISO at Centura Health and Health3PT Council member.

“Third-party risk management became increasingly difficult as more and more health systems had to go to market quickly with new technology integrations and cybersecurity products.”

As healthcare networks get more complex and the number of business associates grows, healthcare must grapple with its TPRM challenges and find standardized, reliable methods for assessing vendor risk at a large scale.

The State of Third-Party Risk Management in Healthcare

Before diving into potential solutions, the Health3PT Council sought to assess the current state of TPRM in healthcare. In July 2023, the council released its first deliverable in the form of the “Health3PT Third-Party Risk Industry Survey.”  

Findings from the independent survey found that 68 percent of surveyed covered entities and 79 percent of business associates believe that current TPRM processes are inefficient and ineffective at preventing data breaches.

This lack of confidence isn’t shocking, considering the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third parties. Blind spots in third-party information security include inconsistencies with vendor assessments across enterprises, a lack of resources available to reassess vendors frequently, and an unreasonably high volume of vendor security assessments.

Covered entities also reported frustrations with the excessive turnaround time for assessments and getting vendors to address identified security deficiencies.

On the vendor side, business associates reported dissatisfaction with customer willingness to accept a validated external assessment and the time it takes to handle the variability of questionnaires and audits while juggling compliance complexities.

Overall, the survey showed that both covered entities and business associates feel overwhelmed with the current state of TPRM, sparking resource fatigue across the board.

Health3PT summarized the challenges of TPRM in healthcare with seven key shortcomings:

• No overarching methodology for risk-tiering vendors
• Over-reliance on verbose contract terms
• Extensive and inconsistent questionnaires that try to identify or evaluate control weaknesses
• Limited and inconsistent validation of information collected
• Limited follow-up and resolution of identified gaps
• Point-in-time assessments that are rarely updated
• Limited organization-wide insight into vendor security risk

Sheth corroborated these findings, noting that they aligned with his experience in the healthcare cybersecurity space and highlighting additional challenges.

“I believe the survey results are reflective of the inadequacy and ineffectiveness of the current state of third-party risk management, along with the relationships, the structure, standardization, even laws and rules that feed into the complexity mix,” said Sheth.

At Centura Health, Sheth’s team has four to five people working full-time to manage nearly 15,000 different vendor partners and business associates. But smaller organizations may not have the staffing resources to handle this volume of assessments and vendor relationships, creating additional obstacles.

“Another challenge that I would highlight is the ability to close the gap when dealing with a completed assessment, identifying a third party at high or critical risk. From a cyber and privacy perspective, we are finding that working through remediation steps and reassessment also poses a challenge to the entities,” Sheth added.

“That's where some standardizations and best practices and contractual, concise agreement types and language would do a better job across the industry.”

These survey results, combined with perspectives shared at Health3PT’s recent Vendor Risk Management Summit, informed the council’s next deliverable – a “TPRM Recommended Practices and Implementation Guide.”

Health3PT Recommended Practices

“There should be no debate that third parties pose a risk to the healthcare industry with the potential to compromise privacy and safety,” Health3PT stated in the introduction to its recommended practices guidance.

The guidance goes on to recommend healthcare organizations manage third-party risk by addressing third-party information risk and obtaining accurate, relevant information about the controls used to mitigate those risks.

In an effort to tackle these challenges, the council ratified six recommended practices.

First, the council stressed the importance of implementing concise contract language. Consistent and clear contract language can help organizations clearly communicate and document security characteristics, define ownership and responsibilities, and clarify security and risk management expectations with vendors.

Additionally, the council stressed the importance of implementing a risk-tiring strategy that drives urgent remediation, frequency of reviews, and extent of due diligence.

“It’s the ability to tier vendors from an organizational enterprise resource planning perspective and to manage those operational supply chain risks,” Sheth explained.

For example, organizations may consider the value that the vendor brings to the organization, whether disruptions from that vendor will cause issues in providing care to patients, and other factors to determine how to proceed with risk management actions.

“Understanding each vendor’s inherent risk level allows organizations to assign specific assurance requirements on a vendor-by-vendor basis,” the guide states. “The level of assurance will be set in proportion to the level of inherent risk in the relationship, with higher levels of assurance being required of the highest-risk third parties to create broader and deeper coverage of security expectations.”

The guide also emphasized the crucial nature of obtaining evidence of a vendor’s security capabilities and remediating security issues as soon as possible. What’s more, vendor assessments should not only occur at the beginning of a vendor relationship. Health3PT encourages organizations to reassess vendors and continue seeking new information as security risks emerge.

Other recommended practices focused on metrics and reporting on organization-wide vendor risks and following up with vendors to ensure that security gaps have been addressed.

Overall, the recommended practices encompass a wide range of risk assessment activities that can help healthcare organizations improve their security postures and manage vendor relationships in a standardized way. However, implementation remains a big hurdle to streamlining the TPRM process, Health3PT acknowledged. For that reason, the council provided detailed guidance on navigating the implementation process.

Best Practice Implementation Guidance

For each of the recommended practices, the “Health3PT Implementation Guide” provides steps that organizations can take to build these tips into their security programs. For example, the guidance includes a list of key factors to address in vendor contract language, along with sample contract language that organizations can leverage internally.

Additionally, Health3PT approved HITRUST as the first assurance supplier to support these recommendations. The HITRUST e1, i1, and r2 assessments can provide organizations with key assurances.

Even so, implementing these processes may require significant resources upfront, which some healthcare organizations may simply not have. But even taking incremental steps toward these recommended practices is progress.

“Any investment in this arena has to be commercially reasonable for an organization to sustain its operation and to maintain its supply chain relationships,” Sheth noted.

Sheth is now the CISO of a large health system, but formerly worked as the agency CISO at the Texas Health and Human Services Commission.  

“I, myself, began with a shoestring budget, going to the state legislatures through our leadership at the HHS in Texas every two years to seek funding for a cyber program. And only a portion of it would be allocated to our cyber assurance practice, let alone engineering architecture and security operations that you have to fulfill with those dollars and people,” Sheth noted.

“I believe the message I could give to the community today is to focus on bringing about efficiency by way of leveraging standards and frameworks. HITRUST truly provides that measure and a benchmark in how an organization could go through its own self-assessment and certification cycle.”

Leveraging free frameworks and implementing new practices at a reasonable pace will look different for every organization but can ultimately help healthcare streamline TPRM processes.

For the Health3PT Initiative and Council, this is just the beginning. The group plans to continue to expand its resource library and stay abreast of new tools, technologies, and vendors that can help it achieve its goals of improving TPRM in healthcare.

For example, the initiative recently launched the Health3PT Vendor Directory, which consists of vendors that have obtained various HITRUST certifications. The directory allows organizations to identify vendors that meet their information risk management requirements in order to simplify the vendor procurement process.

“I am very certain that with the help of HITRUST and the Health3PT and our vendor partners, who are integral part of the ecosystem and the healthcare community, we can innovate in this space and bring about standards-based interoperability and automation to exchanging health risk assessment data more seamlessly,” Sheth said.