Throughout the rapidly changing healthcare environment, health system leaders are increasingly realizing that implementing identity and access management (IAM) protocols is becoming a “must-have,” as security incidents are often caused by unauthorized access or disclosure of information.
But while much of that discussion often centers around knowing and managing the identity of an organization’s own individual users, there are other elements to consider as well—namely, vendor-privileged or remote access users. Indeed, even though a system might maintain control over its employees, third-party vendors come and go—leaving the enterprise open to significant risk. To this end, in a recent Q&A exchange with Healthcare Innovation, Shefali Mookencherry, a principal advisor at consulting firm Impact Advisors, weighs in on the importance of third-party risk assessments and best practices for managing this type of risk.
What do healthcare organizations need to know about conducting third-party risk assessments? Why are they so important?
Cyberattacks are increasing, along with regulatory pressures on healthcare organizations to comply with privacy and security of protected health information (PHI), regardless of whether it is electronic or on paper. Healthcare organizations need to examine their third-party vendors, service providers, and supply chain in order to assess the level of privacy and security risk, make informed decisions, and comply with federal, state, and local laws. Failure to adequately assess third-party and fourth-party risk may expose healthcare organizations to reputational risk, operational risk, cyber risk, government inquiry, increased audits, monetary penalties and criminal liability.
As a whole, how would you characterize the current state of provider organizations’ approaches to third-party risk management? (1 to 10 scale with 1 being totally lackluster and 10 being totally mature)
The current state of provider organizations’ approaches to third-party risk management could be characterized as a 5 out of 10. Many healthcare organizations try to implement a third-party risk management program, but find themselves under organizational pressure to “get things in place quickly” for ease of convenience, speed, politics and impact to revenue. Organizational culture can drive how effective a third-party risk management can be implemented. Some organizations are quite strict on their third-party risk assurance processes while others may be laxer. Regardless of organizational pressures, the risk management department should look to safeguard the organization from third-party risks.
Properly vetting and monitoring these third-party vendors has become a major challenge. What best practices could you recommend for those organizations that are struggling with this?
Here are some best practices organizations can follow:
- Conduct a vendor security risk assessment.
- Establish a policy and procedure that includes alignment with departments and/or staff that are responsible for third-party contracting, business associate agreements and vendor security risk assessment.
- Educate organizational business owners on policy and procedure.
- Establish a governance structure/committee that reviews each business owner’s request to contract with a vendor where PHI is involved.
- Create inventory of all third-party relationships.
- Catalog all cybersecurity risks that vendors could expose your organization to.
- Assess and segment all vendors by potential risks and plan to remediate risks that are above your organization’s risk appetite.
- Establish a rule-based third-party risk management framework.
- Establish owner of third-party management plans and processes.
For smaller organizations—ones that do not have the cybersecurity resources or expertise—can this type of risk management seem insurmountable? What advice can you offer them?
For smaller organizations, it is critical for them to keep their vendor files organized and re-evaluate third-party risks when contracts come up for negotiations or renewal. These organizations should assign a designated person for risk management.
How has the evolving healthcare regulatory environment affected how one can manage third-party risks?
The evolving healthcare regulatory environment stipulates that third-party risks be evaluated, documented, reported and mitigated. Refer to HIPAA Security Rule standard, (§ 164.308(b)(1)). Managing third-party risk has become very important as we move to a more virtual work environment.
Do you have any other comments to offer on this topic?
Risk management practices are only good if people follow them. Most third-party breaches are caused by a failure to enforce existing rules and protocols. Organizations need to be transparent with their vendors about what they expect from them and include expectations in the business associate agreements and/or contracts.
