BOSTON – Healthcare organizations have a range of approaches for assessing and managing the IT security risks posed by third-party vendors, one of the biggest sources of frustration for security teams.
St. Luke’s Health System uses a questionnaire with 240 questions designed to screen out high-risk vendors, Lorraine Bessmer, cybersecurity analyst at the Boise, Idaho-based health system, said during a panel at the HIMSS Healthcare Security Forum held here this week.
St. Luke’s requires vendors to fill out the questionnaire before a contract is signed.
A four-person team scores the completed questionnaire, and a report based on those scores is then sent back to the vendor.
“We are moving to a tiered system, where we look at inherent risk in order to assess whether we should dig deeper. Hopefully, we can do this within an automated system soon,” Bessmer said.
“Ultimately, we want to work with the vendors because we know it’s a relationship that is going to last for a long time,” Bessmer said.
Nick Falcone, chief information security and privacy officer at Philadelphia-based Einstein Healthcare Network, said his team tries to focus its effort on the highest-risk vendors. He uses a short questionnaire with only 20 questions to separate the low-, medium-, and high-risk vendors.
“The questionnaire is designed to determine how mature the vendor’s security program is and whether they know what they are doing,” Falcone said.
“Once you get the initial response from the vendor, you know whether the vendor is good or bad at cybersecurity,” he said.
To determine whether he can trust the vendor’s responses, Falcone includes questions designed to determine whether the vendor tells the truth. “Three years ago I was including a question, ‘Do you encrypt USB devices and how?’, because most people weren’t back then. If someone said they encrypted USB devices, I would follow up asking for a ton of evidence. I would catch about half the people,” he said.
“If the vendor gives me good responses, it is a reputable company, and the risk isn’t catastrophic, I might end the process after the 20 questions. I need to do that in order to spend the time to drill down on those vendors for which I should be building a case to stop the relationship,” he added.
Jane Harper, director of privacy and security risk management at Henry Ford Health System, said that her organization has different questionnaires for different types of third-party vendors.
“The initial communications we send out to the vendor help us define ‘inherent risk,’ which then determines the level of assessment we do. So, if your inherent risk score is high, we do a certain type of controls assessment,” she said.
In determining inherent risk, her team looks at volume and type of data, previous business relationship, whether the vendor has had a breach, and other factors.
“If we find issues, errors, or problems, we require the third party to give us an action plan, dates for completion, and a point of contact for remediating the issues that we found,” she said.
“We audit our third parties. High-risk third parties get an audit every year, and medium to high-risk third parties, every other year,” Harper said.
“Because we have limited staff, resources, and budget, it is hard to do a robust assessment of everybody. So, we try to weed out high and medium-high risk third parties and focus our attention on them,” she said.
Responding to an audience question about whether vendors should follow a certain standard or get a certain certification, Falcone said that if a vendor can show they have HITRUST certification, “that immediately puts you ahead of your peers.”
Bessmer supported developing one standard to make it easier for vendors to demonstrate their cybersecurity credentials. “I think we should move toward a standard, but the question is which standard … The current situation is not sustainable.”
Harper said that when her team is working with different departments, such as cardiology or pediatrics, “we can’t give them a one-size-fits-all approach ... I’m supportive of being more centralized and standardized, but I realize that there is uniqueness that has to be taken into consideration.”
To address the lack of a common standard, a group of healthcare CISOs has recently formed the Provider Third Party Risk Management Council to develop, recommend, and promote security best practices for third-party vendors.
Founding members of the council include CISOs from Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center, and Wellforce/Tufts University.
The council has adopted the HITRUST Common Security Framework (CSF) as the security standard its members will use to assess their vendors.
“By aligning our third parties’ controls to HITRUST CSF, a leading industry framework that evolves with the changing cyber landscape, our customers feel more confident their sensitive data is in good hands,” concluded Allegheny Health Network and Highmark Health CISO Omar Khawaja.