It’s quite a conundrum.
An estimated 60 percent of data breaches originate from third-party vendors, which often have access to critical patient information. And yet, “it’s something we haven’t been doing really well,” said Theresa Meadows, SVP and CIO at Cook Children’s Health Care System. Until recently, many haven’t viewed third-party risk management as an enterprise issue.
That, she noted during a recent panel discussion, is starting to change. “I probably spend the most time on it right now because it is such a large task.” And it’s one that involves not just IT, but also cybersecurity, compliance, and other areas, particularly with organizations that outsource coding or billing, for example, to third parties.
“It’s one of the biggest challenges organizations face,” added Meadows, who examined the topic along with co-panelists Marti Arvin (VP, Chief Compliance & Privacy Officer, Erlanger Health System), Jim Brady (VP, Cybersecurity & Risk Management, CISO, Fairview Health Services) and Nick Culbertson (Co-Founder & CEO, Protenus). What they’ve found is that as more vendors enter the fray — and gain access to patient data — a different approach is required than the one leaders have used in the past.
One reason is that third-party risk management is an entirely different animal. For example, the agreements vendors have with their downstream vendors often don’t match the terms third-party vendors have with health systems, said Arvin. As leaders, “you need to think through where the patient data is going, where it can be leaked out, and whether you have some comfort that the third party is doing what they’re supposed to be doing to protect your data as it gets pushed further out. These things cause me heartburn.”
Compounding the problem is the fact that many health systems — especially ones as large and complex as Fairview — work with hundreds or even thousands of vendors, making it extremely difficult to conduct regular risk assessments of each one.
This is where companies can leverage platforms that offer third-party risk management services, according to Brady. By providing a platform for filling out questionnaires, his team can get the answers they need without having to reach out to vendors individually. It also allows them to see if any changes have been made to contracts. “It really speeds up the process and helps us to be more efficient,” he added. “We no longer need an army to tackle third-party risk.”
Cook Children’s has a similar approach, noted Meadows. “You’re never going to have enough resources to do every risk assessment. It’s been really helpful to have a database where we can use crowdsourced data.”
For her team, the impetus for the increased focus on third-party risk management was a 2021 ransomware attack on an HR management solutions provider. Although ePHI wasn’t at risk in that particular situation, there was still a significant fallout from losing access to administrative systems like payroll.
“In my mind, it’s a big red flag. If we’re going to put all our eggs in one hosting basket, we need more information about their security posture than we would if we host it ourselves,” said Meadows. “We need cooperation from our partners to share the critical data we need to feel comfortable that we’re making the right decisions.”
She’s hardly alone in this thinking. In fact, all four panelists emphasized the critical role vendor management plays in mitigating third-party security risks — and the need to establish solid relationships from the jump.
Fortunately, most vendors “want to come to the table, particularly during the contracting phase,” said Brady. “They’re open to discussions and will do what is needed on their end to help customers feel satisfied.” It may seem like a given, but larger vendors, especially those in the medical device space, often come in with their own expectations of how things work, and aren’t accustomed to being flexible. That’s why he believes preliminary conversations present an ideal opportunity to “voice concerns about security and privacy and make sure they understand the implications.”
Meadows concurred, adding that her team has developed a checklist, outlining the organization’s standards and expectations around risk assessments, that IT managers share with anyone looking to purchase a solution. “That allows us to see what kind of partner that vendor might be,” she noted. “Because if we get a lot of pushback about their security posture, that leads to other questions we might ask. And so we try to build that into the process early so we know what we’re dealing with upfront. The average buyer doesn’t appreciate risky behavior, especially around medical devices. Having that ongoing education is extremely helpful.”
Opportunities for Assessment
Risk assessments, similarly, must be ongoing. But although most leaders would love to be able to review all systems annually — even those that don’t contain ePHI — it simply isn’t feasible. A more realistic approach? Assessing solutions when they come up for renewal, which is usually every 3 years, or when an upgrade becomes available. “We try to build that into our process,” said Meadows. “We’re trying to tackle as many as we can in any given year. That’s why crowdsourcing and having the right tools are so important. Without help, there’s no way to keep up with the volume.”
While three years might seem like a long time, it can fly by quickly, said Brady, who encouraged leaders to “keep chipping away,” even if progress seems slow. “The important thing is to make headway and continue to narrow the subset of systems that haven’t been looked at. That’s what risk management is about. It’s not eliminating it to zero; it’s reducing the risk to an acceptable level.”
Dealing with Exes
A significant part of that, according to Arvin, is following up with vendors that are no longer partners — but still retain some patient data. “It’s an area that has caused me some angst,” she noted, whether it means getting data back or, if that’s not feasible due to regulatory obligations, ensuring data have been destroyed within the agreed-upon time period.
Protenus seeks to ease the process by incorporating data retention policies into its platform based on customer needs, said Culbertson. That way, “if there is a retention period, we make sure that as new data is created, data is pulled off the platform as well.” And, because needs can change when new releases or workflows are introduced, his team sends out questionnaires and checks in regularly with customers. “I like to think we’re moving in the right direction by building security and compliance into our infrastructure so that we can improve our repository.”
It’s important to make sure all parties are on the same page, Culbertson added. “If you’re rolling out a new program, there should be some kind of ongoing rechecking or reverifying throughout the partnership” that covers multiple areas, including when to dispose of data. “Ultimately, it comes down to trust, which is why I think it’s a good idea to stratify your vendors depending on risk level. With some, you probably need to get a little bit more in the weeds and get a little bit closer to their operations.” In any case, however, it’s paramount to check in and understand what changes have been made — including M&A activity — and how they might affect your organization.
And it should be done before a crisis hits, noted Meadows, whose team learned after a ransomware incident that a vendor had retained 10 years’ worth of their data. “That’s when we started scrutinizing how much data they should keep.” Although she admitted her team isn’t always great at following up, they are improving, especially when it comes to higher risk systems with more ePHI. In those cases, they’ve outlined exactly how long the data can be retained.
“Now we look for things in the contract that we never looked for before, and we think about how much data we’re giving them so that we have the ability to audit or ask questions,” she said. By negotiating those points in the contract, and having vendors sign an agreement as to how and when they will eliminate data, organizations can better position themselves for the future, Meadows added. “It’s really important to start thinking about that on the front end, and not wait until the a-ha moment.”
To view the archive of this webinar — Managing & Mitigating Security Risks from Third-Party Vendors — please click here.