Healthcare CISOs have set up a council to develop, recommend, and promote security best practices to bolster IT security throughout the healthcare supply chain.
Founding members of the Provider Third Party Risk Management Council include CISOs from Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center, and Wellforce/Tufts University.
Healthcare organizations rely on a plethora of vendors of all sizes for support, including processing and maintaining data, providing analytics, and performing operational tasks. Vendor security is one of the biggest risks for healthcare organizations and one of the biggest sources of frustration for CISOs.
To address this challenge, the council is working with the Health Information Trust Alliance (HITRUST) to improve third-party vendor security. The HITRUST Common Security Framework (CSF) will serve as the security standard for the council.
HITRUST CEO Daniel Nutkis told HealthITSecurity.com that 80 percent of hospitals and insurance companies use the HITRUST CSF, as well as pharmacy benefit managers, pharmaceutical companies, and smaller providers.
The HITRUST CSF assurance program is used by healthcare organizations and by third-party vendors to evaluate and communicate their privacy and security posture.
The assurance program helps organizations understand and report their effectiveness against other standards and cybersecurity frameworks. With one assessment, organizations can view their privacy and security program against the HIPAA Security and Privacy Rules, NIST Cybersecurity Framework, the EU’s General Data Protection Regulation, ISO 27001, PCI DSS, AICPA Trust Services Criteria, and SOC 2.
There are “many risks and threats to patient privacy and PHI,” particularly from the healthcare supply chain, Wellforce CISO Taylor Lehmann told HealthITSecurity.com.
Lehmann said healthcare organizations need to be more proactive in assessing and monitoring third-party risks to patient information.
The council decided to incorporate the HITRUST CSF because it is the “best” for safeguarding sensitive information and managing information risk throughout the third-party supply chain, he said.
Lehmann related that the next step for the council is to develop guidelines and identify vendors for inclusion in the council’s program. The council plans to develop a risk ranking for vendors who might present security risks.
Earlier this year, HITRUST launched a certification program for the NIST Cybersecurity Framework that makes it easier for security teams to report on their implementation of the framework to upper management, business partners, and regulators.
“Our patients expect us to not only deliver robust healthcare to keep them healthy, but also to preserve the trust they have in us by safeguarding their sensitive data. When our patients’ sensitive data is shared with our third parties, it’s important that we have adequate controls in place. By aligning our third parties’ controls to HITRUST CSF, a leading industry framework that evolves with the changing cyber landscape, our customers feel more confident their sensitive data is in good hands,” said Allegheny Health Network and Highmark Health VP and CISO Omar Khawaja in a release.
Vendor security has been an ongoing concern for healthcare CISOs. David Finkelstein, Chief Information Security Officer at St. Luke’s University Health Network, told HealthITSecurity.com that small vendors can struggle due to a lack of financial resources to invest in security.
“About 80 percent of healthcare vendors are only focused on a niche area of healthcare, such as scheduling or lab results,” Finkelstein noted.
Unfortunately, that means the vendors often don’t have extra cash to spend on security improvements. It can cost between $30,000 and $40,000 for a vendor to deploy data encryption or antivirus in their systems, he noted.
Methodist Le Bonheur Healthcare Director of Information Security Steve Crocker agreed that the small size of many healthcare vendors poses a security problem.
Historically, many healthcare organizations have not focused on cybersecurity issues. As a result, many of these smaller vendors have gained access into systems and data without sufficient security controls. That can leave security teams with a difficult job to manage.
“Some of our projects have been slowed down because now we’re having to go through the additional steps of doing a vendor risk assessment on each and every vendor. But the culture is getting used to [doing a risk assessment] now. It really pays off,” Crocker told HealthITSecurity.com.
The bottom line is that healthcare organizations need to make sure their vendors are looking after their own security as well. Failure to do so could cost organizations money and downtime.