Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations

Cyber actors are increasingly targeting business associates of HIPAA-covered entities, since a single compromised business associate can provide access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases, along with information on some of the risk management program tools available to HDOs.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches.

Cyberattacks on vendors serving the healthcare industry have increased in recent years. Rather than attacking an HDO directly, a cyber actor can attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to an HDO’s network. For example, a successful intrusion at a managed service provider (MSP) allows a threat actor to reach the networks of all of the company’s clients by abusing the MSP’s privileged access to client systems. This is advantageous for a hacker because it is no longer necessary to break into the network of each MSP client individually.

When third-party vendors are used, the attack surface is increased significantly, and managing and reducing risk can be a challenge. While third-party vendors are used in all industry sectors, third-party vendor security risks are most prevalent in the healthcare sector. The CSA suggests that this is due to the lack of automation, extensive use of digital applications and medical devices, and the lack of fully deployed critical vendor management controls. Since healthcare organizations tend to use a large number of vendors, conducting comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and costly process.


“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group. “This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented. It is clear from the number of third-party or vendor-related data breaches, however, that many healthcare organizations struggle to identify, protect against, detect, respond to, and recover from these incidents, which suggests that current approaches to assessing and managing vendor risk are failing. These failures can have a major financial impact: beyond breach mitigation costs, HDOs face the risk of regulatory fines from the HHS’ Office for Civil Rights and state Attorneys General, and there is significant potential for long-lasting reputational damage.

The CSA makes several suggestions in the paper, including adopting the NIST Cybersecurity Framework for monitoring, measuring, and tracking third-party risk. The NIST Framework is mostly concerned with cybersecurity, but the same principles can also be applied to measuring other types of risk. The core functions of the framework are identify, protect, detect, respond, and recover. Using the framework, HDOs can identify risks, understand what data is provided to each vendor, prioritize vendors based on their level of risk, implement safeguards to protect critical services, ensure monitoring controls are in place to detect security incidents, and develop a plan for responding to and mitigating any security breach.
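One way an HDO could put the five-function approach described above into practice is a small vendor risk register that scores each vendor on the data it receives and the access it holds, assigns a tier, and lists the controls still missing for that tier under each NIST CSF function. The following is an added example written for this article; it is not code from the CSA paper or the HIPAA Journal. The scoring weights, tier thresholds, per-tier control lists and the sample vendor register are all constructed assumptions, not values from the guidance.

```python
"""Vendor risk tiering mapped to the five NIST CSF core functions.

Added example, not code from the CSA paper or the HIPAA Journal article.
Weights, thresholds, control lists and sample vendors are constructed.
"""
from dataclasses import dataclass

CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# Constructed weights: the data a vendor receives and the access it holds
# are the main inherent-risk drivers the article describes.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "pii": 2, "phi": 3}
ACCESS_LEVEL = {"none": 0, "api_read": 1, "api_write": 2, "privileged_network": 4}

# Constructed thresholds on the 0-19 score produced by inherent_risk_score().
TIER_ORDER = ["low", "moderate", "high", "critical"]
TIER_THRESHOLDS = [("critical", 14), ("high", 9), ("moderate", 4), ("low", 0)]

# Constructed minimum controls per tier, keyed by CSF function. A vendor in a
# higher tier must also meet everything required of the lower tiers.
BASE_CONTROLS = {
    "low": {
        "identify": ["vendor recorded in inventory", "data classification recorded"],
        "respond": ["contact for security issues on file"],
    },
    "moderate": {
        "identify": ["security questionnaire completed"],
        "protect": ["MFA on vendor accounts"],
        "detect": ["vendor account logins reviewed quarterly"],
        "respond": ["breach notification clause in contract"],
    },
    "high": {
        "identify": ["BAA on file", "annual risk assessment"],
        "protect": ["least-privilege scoping of vendor access"],
        "detect": ["vendor account activity forwarded to SIEM"],
        "respond": ["vendor named in incident response plan"],
        "recover": ["documented plan for vendor outage"],
    },
    "critical": {
        "identify": ["independent audit report reviewed"],
        "protect": ["vendor access confined to a dedicated network segment"],
        "detect": ["alerting on anomalous privileged vendor sessions"],
        "respond": ["joint incident response exercise with vendor"],
        "recover": ["tested failover away from the vendor"],
    },
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_shared: str                 # key of DATA_SENSITIVITY
    access: str                      # key of ACCESS_LEVEL
    supports_critical_service: bool  # would an outage halt care or billing?
    incident_last_24_months: bool = False


def inherent_risk_score(v: Vendor) -> int:
    """0-19 score: data sensitivity and access dominate, with uplifts for
    service criticality and a recent incident at the vendor."""
    score = 2 * DATA_SENSITIVITY[v.data_shared] + 2 * ACCESS_LEVEL[v.access]
    if v.supports_critical_service:
        score += 3
    if v.incident_last_24_months:
        score += 2
    return score


def tier_for(score: int) -> str:
    """Map a score to the first tier whose threshold it meets."""
    for tier, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def required_controls(tier: str) -> dict[str, list[str]]:
    """Controls for a tier, cumulative over lower tiers, keyed by CSF function."""
    required: dict[str, list[str]] = {fn: [] for fn in CSF_FUNCTIONS}
    for t in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        for fn, controls in BASE_CONTROLS[t].items():
            required[fn].extend(controls)
    return required


def control_gaps(vendor: Vendor, implemented: set[str]) -> dict[str, list[str]]:
    """Controls still missing for this vendor's tier; functions with no gap are omitted."""
    tier = tier_for(inherent_risk_score(vendor))
    gaps = {}
    for fn, controls in required_controls(tier).items():
        missing = [c for c in controls if c not in implemented]
        if missing:
            gaps[fn] = missing
    return gaps


def prioritize(vendors) -> list[tuple[str, int, str]]:
    """Vendors ordered highest risk first, as (name, score, tier)."""
    scored = [(v.name, inherent_risk_score(v), tier_for(inherent_risk_score(v))) for v in vendors]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample register (names and attributes are illustrative).
SAMPLE_VENDORS = [
    Vendor("office-supplies-portal", "none", "none", False),
    Vendor("patient-survey-mailer", "pii", "api_read", False),
    Vendor("claims-clearinghouse", "phi", "api_write", True),
    Vendor("managed-service-provider", "phi", "privileged_network", True),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(SAMPLE_VENDORS):
        print(f"{name:26s} score={score:2d} tier={tier}")
    msp = SAMPLE_VENDORS[3]
    print(control_gaps(msp, {"vendor recorded in inventory", "MFA on vendor accounts"}))
```

Running the script ranks the managed service provider (PHI plus privileged network access to a critical service) at the top, which matches the article's MSP scenario, and the gap report for it shows which detect and respond controls are still absent. The cumulative tier design means an HDO can start with the low-tier inventory controls for every vendor and add monitoring and response controls only where the score justifies the cost.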

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.