The Importance of Third-Party Risk Assessments in Healthcare

Jeremy Huval, chief innovation officer at HITRUST, explains the importance of conducting third-party risk assessments to safeguard healthcare organizations.

- Healthcare organizations can have the most sophisticated internal security protocols, but failing to assess third-party risk may leave organizations vulnerable to data breaches nonetheless.

Threat actors are increasingly using third-party business associates as entry points into their customers' networks. The vendor's remote access, credentials, or management software becomes the path in; once inside, attackers can reach sensitive health data and deploy ransomware against any organization the associate does business with, using a single compromise to hit many victims.

The use of third parties as an attack vector drew wide attention in July 2021, when REvil threat actors launched a ransomware attack through IT management software company Kaseya. The attack reached an estimated 1,500 downstream businesses, most of them customers of the managed service providers that ran Kaseya's software.

According to Jeremy Huval, HITRUST's chief innovation officer, the Kaseya attack signaled a shift toward more frequent and more damaging supply chain attacks and underscored the need for better third-party risk management procedures.

“Before, a ransomware attack would target one organization and try to negotiate with that one organization,” Huval explained. “But now, with the ease of attacking an IT vendor, hackers can encrypt many organizations at once and potentially negotiate with all of them, so the payout is bigger.”

The healthcare sector, along with most other industries, is increasingly outsourcing core functions and bringing in third-party entities to handle critical data and assist with essential operations. Organizations cannot simply stop working with third-party vendors that provide vital services, so security measures must be in place in order to mitigate risk.

“The solution is to have really tight third-party vendor risk management practices and get reliable assurances about the information protection practices of your vendors,” Huval suggested.

Frequent and comprehensive risk assessments can improve an organization's security posture, give internal and external stakeholders evidence to rely on, and reduce the likelihood of costly data breaches.

The importance of thoroughly assessing third-party vendors

“Healthcare, like everybody else, is outsourcing more and more. With the explosion of the cloud, we now have so many more core security practices that we're relying on our vendors to perform,” Huval noted.

A recent report found that public cloud adoption is growing rapidly in most industries, including healthcare. At the same time, the Cloud Security Alliance (CSA) released guidance warning healthcare organizations about the growing threat of ransomware in the cloud.

The public cloud has a reputation for being very secure, but CSA warned that cloud file synchronization can propagate ransomware damage rather than contain it: if files encrypted on an endpoint are picked up by a sync client, the cloud application faithfully replicates the encrypted versions, overwriting the cloud copies and pushing them to every other synced device. Unless versioning or retention is configured, the cloud copy is not a usable backup.

The HIPAA Privacy Rule requires covered entities to obtain satisfactory assurances, in the form of a business associate agreement (BAA), from every business associate that creates, receives, maintains, or transmits protected health information (PHI) on their behalf. Since the 2013 Omnibus Rule, business associates are directly liable for compliance with the Security Rule and the applicable Privacy Rule provisions, so a BAA effectively holds any vendor with access to PHI to the same safeguards as the covered entity itself.

However, vendors that never touch PHI, and so fall outside the business associate definition, still need thorough and regular assessment. A vendor with network access, credentials, or software running inside the environment is an entry point whether or not it handles health data, as the Kaseya incident showed.

“If you're giving them any covered data, you've got to understand how they're protecting that data and how they're using that data. There are inherent risks associated with how that data is used,” Huval continued.

Recent research found that while 82 percent of surveyed IT and security professionals across all sectors said they recognized that third-party threats exposed their organizations to risk, only half said that their organizations actively prioritized those risks.

Respondents estimated that their organizations would share over 40 percent of critical data with third-party entities over the next five years. Survey results indicated that many organizations fail to sufficiently assess third-party risk, leaving them vulnerable to cyber incidents.

“Organizations struggle to manage third-party risk programs for various reasons, but one of the main challenges is a slow and cumbersome assessment process,” the research explained.

“Assessments are typically lengthy to complete and often lack the critical information necessary to make a sound decision on vendor suitability.”

However, there are many paths that organizations can take to complete third-party risk assessments, and not all are equally burdensome. It is crucial to take the time upfront to assess third parties before entrusting them with sensitive data.

Determining what type of assessment is right for your organization

Not all third-party risk assessments are created equal. Organizations should consider the risk level associated with each vendor on a case-by-case basis.

“Once you have a good picture of the inherent risk of that vendor, you've got to pair assurance requirements to the proper inherent risk categorization,” Huval advised.

“For example, if I have a very critical rank vendor and I give them 80 percent or 100 percent of my organization's covered data, it would be inappropriate to just give them an information security questionnaire once a year and not follow up.”

Some vendors may not require more than a thorough self-assessment questionnaire. Typical self-assessment questionnaires characterize a third party's IT security posture and cyber hygiene through a series of standard questions, but the answers are self-attested and no one verifies them.

Vendors that house a large percentage of critical data, or that hold privileged access into the environment, should be assessed more rigorously, ideally by an independent assessor who validates evidence of the controls rather than accepting the vendor's own attestation, and with follow-up between assessments rather than a single annual check.

“If I get a self-assessment questionnaire from someone that maybe they spent 30 minutes on, it's going to tell me certain things. But I'm only able to rely on it so much because it has its limits,” Huval reasoned.
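The pairing Huval describes, inherent risk first and assurance requirements second, is easy to state and easy to lose track of across a few hundred vendors. The script below is an added example, not code from HITRUST or from this article: it tiers each vendor on the share of covered data it holds, whether it handles PHI, and whether it has privileged access into the environment, then flags vendors whose current evidence is weaker or older than that tier allows. The tier thresholds, the assurance ladder, the evidence-age limits, and the sample inventory are all hypothetical values chosen for illustration.

```python
"""Vendor assurance gap check: pair assurance requirements with inherent risk.

Added example, not HITRUST's method. Thresholds, assurance ladder and the
sample inventory are hypothetical; adjust them to your own program.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assurance levels in increasing order of how much reliance they support.
ASSURANCE_RANK = {
    "none": 0,
    "questionnaire": 1,          # self-attested questionnaire, nobody verifies the answers
    "validated": 2,              # independent assessor reviews evidence of the controls
    "validated+continuous": 3,   # validated, plus interim follow-up between assessments
}

# Hypothetical mapping: inherent-risk tier -> (minimum assurance, max age of evidence in days).
REQUIRED_ASSURANCE = {
    "critical": ("validated+continuous", 365),
    "high": ("validated", 365),
    "moderate": ("questionnaire", 365),
    "low": ("questionnaire", 730),
}


@dataclass
class Vendor:
    name: str
    share_of_covered_data: float   # fraction of the org's covered data the vendor holds, 0.0 to 1.0
    handles_phi: bool
    privileged_access: bool        # remote admin tooling, VPN accounts, agents in the environment
    assurance: str                 # evidence currently on file, a key of ASSURANCE_RANK
    evidence_date: Optional[date]  # when that evidence was obtained


def inherent_risk_tier(v: Vendor) -> str:
    """Classify the vendor before giving any credit for controls it claims to have."""
    if v.share_of_covered_data >= 0.5 or (v.privileged_access and v.handles_phi):
        return "critical"
    if v.privileged_access or v.handles_phi or v.share_of_covered_data >= 0.1:
        return "high"           # privileged access alone is enough: the Kaseya path needs no PHI
    if v.share_of_covered_data > 0:
        return "moderate"
    return "low"


def assurance_gaps(v: Vendor, today: date) -> List[str]:
    """Return why the evidence on file is insufficient for this vendor's tier (empty list if OK)."""
    tier = inherent_risk_tier(v)
    required, max_age_days = REQUIRED_ASSURANCE[tier]
    gaps = []
    if ASSURANCE_RANK[v.assurance] < ASSURANCE_RANK[required]:
        gaps.append(f"{tier} tier requires {required}, have {v.assurance}")
    if v.evidence_date is None:
        gaps.append("no dated evidence on file")
    else:
        age = (today - v.evidence_date).days
        if age > max_age_days:
            gaps.append(f"evidence is {age} days old, limit {max_age_days}")
    return gaps


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor name to its list of assurance gaps."""
    return {v.name: assurance_gaps(v, today) for v in vendors}


# Constructed sample inventory and review date, hypothetical.
TODAY = date(2021, 10, 1)


def sample_inventory() -> List[Vendor]:
    return [
        Vendor("Remote IT management", 0.0, False, True, "questionnaire", date(2021, 3, 1)),
        Vendor("Claims processing", 0.8, True, False, "questionnaire", date(2020, 9, 1)),
        Vendor("Newsletter platform", 0.0, False, False, "questionnaire", date(2020, 1, 15)),
        Vendor("Cloud EHR hosting", 1.0, True, True, "validated+continuous", date(2021, 6, 1)),
    ]


if __name__ == "__main__":
    for name, gaps in review_inventory(sample_inventory(), TODAY).items():
        status = "; ".join(gaps) if gaps else "OK"
        print(f"{name}: {status}")
```

Two things in the output are worth noticing. The remote IT management vendor holds none of the covered data, yet lands in the high tier and is flagged because privileged access by itself is a path in. The claims processor, which matches Huval's 80 percent example, is flagged twice: a questionnaire is the wrong kind of evidence for a critical vendor, and the one on file is stale.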

HITRUST recently announced additions to its portfolio to cater to a variety of assessment needs. The Basic Current State (bC) Assessment is HITRUST’s version of a self-assessment that uses AI to identify errors and omissions.

The Implemented One-Year (i1) Validated Assessment serves as a best practices assessment and is recommended for organizations that need a baseline risk assessment or for situations of moderate risk. The portfolio also includes the HITRUST CSF Validated Assessment, soon to be called the Risk-based, Two-Year (r2) Validated Assessment, an industry standard assessment that helps organizations assess risk relating to regulatory compliance, data volumes, and other risks.

Regardless of what methods healthcare organizations use to manage third-party risk, organizations should use assessments to “understand where their weaknesses are and help them build a roadmap to strengthening their information protection programs and remediating whatever might have come out of that assessment,” Huval suggested.

Internally, healthcare organizations should practice proper cyber hygiene and improve cyber resilience by implementing technical safeguards and educating employees about cybersecurity best practices.