By Jason Stewart, vCISO Manager, Fortified Health Security
LinkedIn: Jason Stewart, HCISPP, ITIL
LinkedIn: Fortified Health Security
Although most healthcare data breaches are traced back to inadequate security at third-party vendors, the vetting of those vendors remains uneven across the industry.
A recent poll conducted by Global Surveyz found that only 15% of the CISOs surveyed felt they had full visibility into third-party risk management (TPRM). Moreover, 71% of those CISOs said that traditional vendor questionnaires create more administrative fatigue than threat visibility.
Most healthcare CISOs review their major vendors’ SOC 2 reports before contract renewal, but that is a point-in-time check, and TPRM is rarely part of the bedrock of their Governance, Risk and Compliance (GRC) framework. Some forward-looking healthcare organizations, however, are now integrating TPRM into the governance oversight of procurement contracts.
A mature procurement process should answer these questions, in this order, before a contract is signed:
- What business problem are we trying to solve?
- What are our criteria for success?
- Which vendors can provide this solution?
- Out of that pool, which vendor has the best record in data security?
Most healthcare organizations have balked at implementing such a rigorous procurement methodology because it is time-consuming and resource-intensive. Depending on the size of the organization, security vetting of prospective vendors alone can require two to five full-time employees. In addition, rigorous third-party security checks can add 10 to 30 days to the procurement process, a delay that many healthcare organizations consider unacceptable.
Streamlining Third-Party Vetting
A growing number of managed security service providers (MSSPs) can take on TPRM to lighten the burden on overstretched cybersecurity staff.
These providers typically run platforms that continuously assess the security posture and technology stacks of hospital vendors, watching for evidence of data breaches or lax security. Continuous monitoring of this kind complements, rather than replaces, the contractual and documentation review described below.
These TPRM specialists offer time-saving services like:
- Vendor outreach and liaison
- Reviewing and evaluating vendor documentation and assessment results
- Analyzing and documenting security risks
- Defining and communicating corrective action plans (CAPs)
- Providing summary reports and reviews
Healthcare organizations are increasingly outsourcing TPRM because it cuts the manual processes and staff hours required to assess (and periodically reassess) a multitude of vendors and supply-chain associates.
Why Governance Needs To Change
Legal review is now a cornerstone of the hospital procurement process and is baked into an organization’s governance: attorney review of every vendor contract is mandatory.
The legal team reviews and redlines every vendor agreement; for example, an attorney may add or remove an indemnification clause. The legal review usually carries a cover sheet with a clear-cut determination: approved, approved with specified changes, or denied.
Healthcare TPRM reviews need to be just as thorough and just as mandatory as legal reviews, but that is not the case today. With rare exceptions, hospital GRC frameworks check the required compliance boxes but do not require an exhaustive TPRM review. TPRM reviews should be conducted jointly by the legal, compliance and cybersecurity teams, and should end in the same kind of clear determination a legal review produces.
For a TPRM review to have real impact, the governance team must have the authority to halt procurement when a vendor exceeds the organization’s risk tolerance, whether by requiring a corrective action plan before signing or by rejecting the vendor outright. Healthcare organizations must be prepared to walk away from a vendor, even when the contract is close to being finalized.
No hospital executive wants to tell their patients, “Oops, we had a vendor who used a subcontractor who used another subcontractor who let your sensitive data leak.” The best way to prevent such breaches and the reputational damage that follows is to make TPRM a governance priority.