The American Medical Collection Agency (AMCA) disclosed a data breach a few months ago; attackers had access to its systems from August 2018 until March 2019. The breach was large enough that it drove the AMCA into bankruptcy. Organizations like Quest Diagnostics, LabCorp, and BioReference Laboratories are on the hook because their patients' records were exposed through this vendor, and it is those providers who carry the notification and liability burden.
In the past few weeks, even more organizations impacted by the breach, including Inform Diagnostics and CompuNet Clinical Laboratories, had to notify patients that their information may have been compromised.
This is a prime example of the risk that healthcare organizations assume when they contract with third-party vendors. Third-party risk is a problem that costs the healthcare industry $23.7 billion a year, and it accounts for the majority of security breaches outside of phishing email attacks. Recent updates on the AMCA breach bring the total number of affected patients to 24.3 million. Events like this are the main reason cybersecurity is so top of mind for healthcare providers.
Challenges for Small Organizations
A recent KLAS-CHIME white paper identifies overarching cybersecurity practices and some subpractices that every organization should focus on to tackle cybersecurity issues. Though larger organizations have a lot of work to do, many smaller organizations remain more vulnerable.
Not surprisingly, smaller organizations in particular struggle with limited budgets and a lack of staffing resources. The white paper shows that small organizations are less likely to have a dedicated CISO, a board-level committee, or sufficient governance. There are many reasons for this, including the fact that these organizations are often located in smaller communities that experienced security professionals are less likely to move to.
Other best practices, like network access control (NAC) and multifactor authentication (MFA), are common at larger organizations, but no more than half of the smaller organizations have these controls in place.
Tips on How to Move Forward, Small or Large
Those same cybersecurity concerns exist as smaller organizations look to manage their third-party risk. Their resource constraints make them less likely to be able to purchase helpful software or to engage a services firm for help. These organizations also have fewer staff members who can manually track and manage third-party risk.
A CISO friend said to me, “You’re never completely secure; it’s all a matter of mitigating risk, lowering your risk scores, and accepting risk. And where you accept the risk, just try to do the best you can to control it.” Healthcare organizations must inevitably work with outside vendors to deliver care, so how can small and large organizations alike take steps to mitigate third-party risk? Below are a few examples of how organizations have addressed this challenge through software, services, and industry initiatives.
Third-Party Risk Management Solutions
Some organizations look to software solutions for help. These tools replace the Excel spreadsheets many teams use to track third-party vendors: they send each vendor a risk-assessment questionnaire, score and stratify the vendor on the answers, and then track every vendor and where it stands in the review process.
But there are limitations to what these solutions can do. One CISO told me, “Nobody is going to come to the market with some fabulous solution for vendor risk management. Vendor risk management is a lot of hard, boring work. It is tracking people, assessing how they manage their program, and assessing how they get their SOC reports. There is no elegant, fancy way to do that. There are tools you can use to rate and aggregate that data, but at the end of the day, there’s not a lot of technology there.”
Another common option is to address third-party risk through professional services firms. Such services can assist already busy IT teams in higher-risk situations like bringing on a new vendor. A CISO noted, “I am augmenting our team’s risk-assessment process; they ask us for help when we do product or company risk assessments when a new vendor is coming in or when we are going to contract with a new company.”
The Provider TPRM Initiative
The Provider Third-Party Risk Management (TPRM) Initiative, established in September 2018, seeks to safeguard patient information. Led by the CISOs at leading health systems like Allegheny Health Network, Tufts Medical Center, and Vanderbilt, the initiative has set requirements for effectively managing information security-related risk in their supply chains. If a vendor is not HITRUST certified, these providers will be much less likely to engage with it.
The initiative's requirements take effect in September 2020, giving vendors two years to complete the HITRUST certification process.
A CISO I recently spoke with shared his thoughts on the Provider TPRM Initiative, saying, “If I can get a vendor to hand us the HITRUST certifications for the products or services we are buying from them, that will reduce our risk assessment needs. We may still need to lean on professional services firms for other things in that risk assessment, but this pretty much eliminates our own questionnaire. That should help our risk assessment process internally and will make things easier on the vendors.
“Vendors get pounded with millions of different spreadsheets to fill out for these risk assessments. That is a big waste of time in the industry for my team and for the vendor’s teams. We are going to put the condition in our vendor contracts that if the vendors hand us HITRUST certification, we won’t put them through risk assessment pain. I think the Provider TPRM Initiative is going to have an impact eventually, but I really don’t know how long that is going to take.”
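To make the questionnaire-driven scoring and stratification described under Third-Party Risk Management Solutions concrete, together with the contract condition the CISO above describes (a HITRUST certification on file waives the questionnaire), here is an added Python illustration. It is example code written for this page, not any vendor's product or the initiative's scoring model; the control questions, factor weights, tier thresholds, and the sample vendors are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Inherent risk factors: what the vendor touches, independent of how well it
# runs security. Weights are illustrative assumptions, not a published model.
DATA_SENSITIVITY = {"none": 0, "deidentified": 1, "phi": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "network": 3}

# Questionnaire controls and the weight a missing control adds to the gap score
# (hypothetical question set).
CONTROL_QUESTIONS = {
    "mfa_enforced": 3,
    "encryption_at_rest": 2,
    "encryption_in_transit": 2,
    "soc2_type2_report": 2,
    "breach_notification_72h": 2,
    "annual_pentest": 1,
}
MAX_GAP = sum(CONTROL_QUESTIONS.values())  # 12


@dataclass
class Vendor:
    name: str
    data_sensitivity: str            # key of DATA_SENSITIVITY
    access_level: str                # key of ACCESS_LEVEL
    hitrust_certified: bool = False
    answers: dict = field(default_factory=dict)  # question -> bool; empty = not returned


def inherent_risk(v: Vendor) -> int:
    """0..9: sensitivity of the data times depth of access into our environment."""
    return DATA_SENSITIVITY[v.data_sensitivity] * ACCESS_LEVEL[v.access_level]


def control_gap(v: Vendor) -> int:
    """Sum of weights for controls the vendor lacks. An unanswered question is
    scored as 'no', so a half-finished questionnaire can never look safer than
    a completed one."""
    return sum(w for q, w in CONTROL_QUESTIONS.items() if not v.answers.get(q, False))


def assess(v: Vendor):
    """Return (score, tier, status). The questionnaire is waived when a HITRUST
    certification is on file, but the inherent-risk component still drives the
    tier, so a certified vendor with deep PHI access stays a high-tier vendor."""
    inherent = inherent_risk(v)
    if inherent == 0:
        return 0, "low", "no questionnaire required"
    if v.hitrust_certified:
        gap, status = 0, "questionnaire waived (HITRUST certification on file)"
    elif not v.answers:
        gap, status = MAX_GAP, "questionnaire pending"   # worst case until answered
    else:
        gap, status = control_gap(v), "questionnaire complete"
    score = 2 * inherent + gap  # 0..30; inherent risk weighted so it dominates
    if score >= 20:
        tier = "critical"
    elif score >= 12:
        tier = "high"
    elif score >= 4:
        tier = "moderate"
    else:
        tier = "low"
    return score, tier, status


def stratify(vendors):
    """Group vendors by tier, highest score first, for the tracking view."""
    tiers = {"critical": [], "high": [], "moderate": [], "low": []}
    for v in vendors:
        score, tier, status = assess(v)
        tiers[tier].append((v.name, score, status))
    for rows in tiers.values():
        rows.sort(key=lambda r: -r[1])
    return tiers


# Constructed sample vendors (hypothetical names and answers).
SAMPLE_VENDORS = [
    Vendor("collections agency", "phi", "write", answers={
        "mfa_enforced": False, "encryption_at_rest": True,
        "encryption_in_transit": True, "soc2_type2_report": False,
        "breach_notification_72h": False, "annual_pentest": False}),
    Vendor("lab interface vendor", "phi", "network", hitrust_certified=True),
    Vendor("billing SaaS", "phi", "read"),      # questionnaire not yet returned
    Vendor("office supplies", "none", "none"),
]

if __name__ == "__main__":
    for tier, rows in stratify(SAMPLE_VENDORS).items():
        for name, score, status in rows:
            print(f"{tier:9} {score:3}  {name:22} {status}")
```

Two design choices matter more than the particular weights. A vendor whose questionnaire has not come back is scored at the maximum control gap, so "pending" can never rank below "complete", and the HITRUST waiver zeroes the control gap but leaves inherent risk untouched, which is why the certified lab interface vendor still lands in the high tier and keeps its review cadence.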
Looking to the Future
Managing risk is a business imperative, and KLAS will continue to follow how organizations are addressing third-party risk. Several healthcare organizations are at the forefront of these efforts and will pave a trail for others to follow. Will the healthcare industry coalesce around a unified way to manage third-party risk? We’ll have to wait and see, but as one CISO told me, “I’m not afraid to be an early adopter. When it comes to managing risk, I will take a risk to manage risk.”