Whether your healthcare organization hires vendors to process customer payments, store HR data in the cloud or run the IT help desk, you extend your overall cyber risk environment to that of your third-party providers. Too often, healthcare decision-makers assume that their vendors’ health data security controls match their own.
Or, healthcare organization leaders assume that they can rely upon cybersecurity technology solutions to monitor vendor risk. That would be a mistake.
Look no further than the Anthem Healthcare and Excellus Blue Cross Blue Shield breaches – both triggered by compromises on the part of third-party vendors – for proof that you’re only as strong as the weakest link in your chain.
These incidents underscore a broader issue that demands more attention from healthcare leaders.
Just 41 percent of organizations indicate that their vendors’ data safeguards and security policies/procedures can sufficiently respond to a breach, according to survey research from the Ponemon Institute. Only 35 percent of survey participants said their organization conducts a frequent review of vendor management policies to ensure they address third-party risk. Even more alarming, 73 percent do not believe a vendor would notify them if the vendor experienced a data breach.
So, should we conclude that the inheriting of your third-party partners’ vulnerabilities amounts to simply “the cost of doing business?”
Unfortunately, too many healthcare organizations have convinced themselves that this is, indeed, the case. But, it doesn’t have to be.
Business associate agreements and cyber risk
Through a carefully conceived and executed vendor risk management program, organizations can minimize exposure to data loss/theft while still pursuing productive partnerships. Because of regulatory mandates brought forth by legislation such as HIPAA, healthcare leaders have increased their awareness and scrutiny of vendors with business associate agreement considerations.
Specifically, they need to verify to their boards that their partners are complying with the same laws which apply to their organization.
But, to elevate your cyber risk posture in a meaningful way, you must go beyond the “check the boxes” approach encouraged by regulatory compliance.
Instead, you have to develop “true risk” profiles of your vendors – the first step in the implementation of a cohesive, holistic vendor risk management program that ensures these relationships won’t increase your risk level. Such a program aligns risk management to strategic goals, maintaining a firm hand over your vendors’ security assuredness while still deriving the same – or better – value-generating outcomes.
For starters, you conduct a thorough classification of all vendors to determine their level of inherent risk. You create a true risk profile that is measurable, one that you can assign a “score” to.
After scoring, you sort out lower-risk partners from higher-risk ones. Then, you turn your attention to the latter, where on-site audits/assessments can be used to evaluate the controls in place to protect your sensitive data. The audits should explore questions such as these:
- What does the vendor supply – cloud-hosted software? Data center support? Tech consulting?
- What kind and how much of our data does the vendor store?
- What would be the business impact of the loss or compromise of this data?
- Where is the data stored physically?
- Does the vendor use our computers, devices, hardware, software, etc., or its own?
The answers to these questions are intended to drive improvements in your high-risk partners’ practices, so that you can eventually document that their data safeguards operate effectively and meet your standards, or that any shortcomings can be corrected within a short period of time.
You should consider the true risk profile as a continuous effort, because vendor relationships evolve. Service agreements will expand, so your assessment capabilities must scale accordingly.
You have to constantly monitor these partnerships as terms and deliverables change, to ensure your due diligence stays up to date. This doesn’t apply strictly to the vendors who “score high” on risk. Those who come out with strong grades should be subject to continuous evaluation as well – perhaps in the form of a written follow-up questionnaire, as opposed to an on-site visit.
In either case, you continue to score with residual risk ratings, so your organization maintains total awareness of its entire vendor risk posture at all times. If a high-risk vendor fails to improve upon its score, then you must sever the agreement while strategically aligning with vendors that have earned lower risk ratings. This creates value by minimizing the risk of breaches and data loss, as well as eliminating costly and time-consuming remediation and monitoring efforts that come with higher-risk vendors.
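As an added example (not from the article or from Sunera), the scoring and tiering workflow described above expressed in Python: an inherent score built from the five audit questions, a tier that decides between on-site audit and written questionnaire, a residual rating tracked across reviews, and a recommendation to sever when a high-risk vendor fails to improve. The weights, thresholds and vendor data are constructed assumptions.

```python
"""Vendor risk scoring model: inherent score, tier, assessment mode, residual tracking."""
from dataclasses import dataclass, field

# Constructed weights for the five audit questions (assumption, not the author's model).
SERVICE_RISK = {"cloud-hosted software": 3, "data center support": 3, "tech consulting": 1}
DATA_KIND_RISK = {"phi": 5, "pii": 4, "financial": 4, "none": 0}

@dataclass
class Vendor:
    name: str
    service: str           # what the vendor supplies
    data_kind: str         # what kind of our data it stores
    records: int           # how much of our data it stores
    impact: int            # business impact of loss/compromise, 1 (low) to 5 (severe)
    offsite_storage: bool  # data stored outside facilities we control
    own_equipment: bool    # vendor uses its own hardware/software rather than ours
    residual_history: list = field(default_factory=list)

def inherent_score(v: Vendor) -> int:
    """Score 0..20 from the five audit questions; higher means more inherent risk."""
    volume = 0 if v.records == 0 else 1 if v.records < 10_000 else 2 if v.records < 1_000_000 else 3
    score = SERVICE_RISK.get(v.service, 2) + DATA_KIND_RISK.get(v.data_kind, 3) + volume + v.impact
    score += 2 if v.offsite_storage else 0
    score += 2 if v.own_equipment else 0
    return min(score, 20)

def tier(score: int) -> str:
    """Constructed thresholds: 12+ high, 7..11 medium, below 7 low."""
    return "high" if score >= 12 else "medium" if score >= 7 else "low"

def assessment_mode(v: Vendor) -> str:
    """High-risk vendors get an on-site audit; the rest a written follow-up questionnaire."""
    return "on-site audit" if tier(inherent_score(v)) == "high" else "written questionnaire"

def record_residual(v: Vendor, control_effectiveness: float) -> int:
    """Residual = inherent reduced by verified control effectiveness (0.0..1.0); keeps history."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in 0..1")
    residual = round(inherent_score(v) * (1 - control_effectiveness))
    v.residual_history.append(residual)
    return residual

def recommendation(v: Vendor) -> str:
    """Sever when a high-risk vendor's residual rating fails to improve between reviews."""
    h = v.residual_history
    if len(h) >= 2 and tier(h[-1]) == "high" and h[-1] >= h[-2]:
        return "sever agreement; shift to a lower-risk vendor"
    if h and tier(h[-1]) == "high":
        return "remediate; re-assess on-site"
    return "continue; questionnaire at next review"
```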
In the modern age, you can’t gain a competitive edge without good third-party partners. They deliver on essential needs while your organization focuses on its core competencies and mission.
But, as global market and technology trends seemingly shift with greater velocity every day, you can’t afford to overlook risk management because “it gets in the way of business.”
Thanks to a fully realized true risk profile program, you’ll avoid this scenario entirely. You’ll know which vendors carry the most risk and which pose the least, and expand relationships with the latter while distancing your organization from the former.
Eric Dieterich is the Data Privacy Practice Leader at Sunera, a Cyber Risk Management company.