Published November 2021
If cybersecurity challenges are mounting for health systems in today’s increasingly risky global environment, why would it be any different for their third-party vendors — especially the smaller ones? What’s clear is that even the largest of health systems can only be as safe as their partners. In this episode of healthsystemCIO’s Partner Perspective Series, Anthony Guerra, editor-in-chief and founder, talks with Brian Selfridge, a partner at Meditology Services, about the issue. Selfridge says it’s just a matter of time before health systems get breached if they don’t vet and continue to monitor third-party risk. To do so, they will likely have to make an investment in staff, technology or process — or a little of all three, he says. A single breach of a key vendor can impact hundreds of health systems in one swoop, Selfridge says. “We’re seeing a lot more attention on third-party risk, from the board level to the management level, and even in the workforce.”
And the other sort of sticky part of this is the vendor assessment process is frankly way too slow to keep up with the business.
So, you have thousands of vendors; you have to hound them, you have to chase them down, you have to get the right answers. What happens is, we aren’t able to keep up.
I won’t say they outright lie about their security posture, but they will certainly paint as rosy a picture as possible—or they’ll provide vague responses that are technically true but not really telling you the whole story.
Guerra: Brian, thanks for joining me today.
Selfridge: Sure. Thanks so much for having me.
Guerra: Let’s start out with a little bit about your organization and your role there.
Selfridge: Sure thing. I’m going to start out on kind of a confusing note. I’m actually the partner and one of the owners of two companies. One of them is called Meditology Services, as you mentioned, and another company is called CORL Technologies. Both organizations provide cybersecurity services and technology solutions exclusively for healthcare. We work with hundreds of providers, payers, and business associates across the country, and we also do some work with the federal government as the HIPAA expert witness firm for the Office of Civil Rights. Meditology is more of your traditional consulting firm: security risk assessment, certification, pen test assessments, those types of things. CORL, on the other hand, is focused specifically on delivering third-party vendor risk solutions for healthcare. In other words, we manage and deliver third-party vendor risk programs for healthcare companies. I mention CORL because I think our conversation today is going to be focused on supply chain risk, third-party risk—and that’s all we do day-in-and-day-out at CORL, so I wanted to mention that specifically.
Guerra: Just out of my personal curiosity, when you were founding the companies, you said there was enough of a distinction there that you wanted to make a separate company, as opposed to a division within the company or a vertical within the company?
Selfridge: That’s right. Yes, third-party risk is such a unique animal. It needs so much focused attention that we wanted to make sure we spent a lot of time and energy building out that specific vertical. The companies are very closely aligned, and we have shared ownership and those types of things. But yes, we did create separate brands for that reason.
Guerra: Ok. Very good. So, we’ve already used some terms. And I think terms are important because they help to give immediate clarity. Do you want to define some of these terms? Let’s start with third-party. We use that term a lot. Supply chain, business associates, and perhaps some others you can think of. Are these all the same things, or are there important distinctions here?
Selfridge: Great question, and one that we hear quite a bit. The quick answer is, those terms are largely synonymous, particularly in the healthcare settings. But, outside of our industry, it can vary. So, I’ll explain that a little bit. Third-party vendors and supply chain –those terms in particular – are used more broadly across industries. While business associate, that’s a very niche term, specific to healthcare. A typical healthcare organization maintains thousands of vendors that support the business. This can range from IT vendors, like your electronic health record companies, and your data analytics firms, down to clinical vendors that provide medical devices or clinical care, all the way to your outsourced cafeteria and food service companies. These would all be considered vendors in this space. We refer to the whole vendor ecosystem as “the supply chain.” The term business associate is a very specific term to healthcare that derives itself from the HIPAA privacy and security rules that designates vendors that store or access protected health information, or PHI, on behalf of healthcare organizations. But for the purposes of our conversation today: third-party vendors, supply chain and business associates, they all mean the same thing.
Guerra: That is helpful. You’ve been in this third-party risk business for a while. What’s going on? Is it more acute now than ever, and why? Is there a COVID impact here? Your thoughts?
Selfridge: Sure. There’s a ton going on with third-party risk and supply chain. It’s become one of the top—if not thetop—cyberisk areas for health organizations this year. There are several reasons for that, and it’s not just a COVID thing. This has been percolating for quite some time. Just to give you some of the underpinnings of where we’ve come from and where we are. The first one is, healthcare has moved some of our critical IT systems from the basement of the hospital to third-party and cloud-hosted vendors as part of that ongoing digitization of healthcare. I think your audience is predominantly health system CIOs, so I don’t have to tell them about that part. I think you’ve all lived that for the last decade- plus.
The problem is we’ve become so dependent on these third-party vendors to deliver critical patient care, treatment, operations. And when the vendor has an outage, due to ransomware or some other cybersecurity breach, the health system feels the most pain, even more than the vendor in some ways. And that pain is much more than the threat of regulatory non-compliance with HIPAA due to lost or stolen data. We still care about that. These vendor breaches are not only impairing our ability to operate but they are threatening patient safety in the process. So, when we start diverting patients or deferring treatment because other parts of our vendor ecosystem are unavailable, then people start getting hurt.
Then you couple that with having these massive supply chain breaches—your Solar Winds, your Kaseya breach, Microsoft Exchange (I can’t even remember them all this year) where we have a single breach that impacts thousands of vendors in one swoop, we’re seeing a lot more attention on third-party risk, from the board level way down to the management level and even the workforce in some ways.
However, just being aware of the risk—like every other problem we have in front of us—is not enough. We have to solve it. We’re seeing healthcare organizations really struggling with how to tackle this one. The reason why it’s such a tough nut to crack has to do with the scale of the problem. If you’re a health system and you have hundreds to thousands of vendors, you need to be continually assessing the cyberisks, both at the time of purchase and the procurement of the vendor, as well as on an ongoing basis. Most health systems can’t keep up; can barely keep up with just conducting an initial security review of critical vendors, at the time of procurement. But they’re not able to follow up and make sure the vendors remediated those things they said they were going to fix, or coming back to those vendors as their IT systems evolve over time, and they move to different cloud environments, and they move to different configurations. That’s a big part of the challenge.
And the other sort of sticky part of this is the vendor assessment process is frankly way too slow to keep up with the business. And that’s on us; that’s on the security people. The security teams don’t have the bandwidth—or they aren’t allocating the bandwidth—to keep up with the volume of assessments. And vendors are not really eager to share their dirty laundry, too, so as you get into the vendor assessment process, you kind of have to pry it out of them what their actual security posture is, and you need to use audit rigor for that. And then you need to hound the vendors to make sure they remediate the known security weaknesses.
So, you have thousands of vendors; you have to hound them, you have to chase them down, you have to get the right answers. What happens is, we aren’t able to keep up. And we end up in this “risk blind,” (a term I like to use) where there’s foundational erosion of the IT infrastructure through the third-party businesses. It’s almost like the house built on sand. The weaknesses are there, but we don’t see them. We aren’t looking in the right places, or frequently enough. And we end up getting blind-sided by these vendor breaches and surprised when our critical systems aren’t available and the data is breached. It reminds me of that building in Miami that collapsed recently. The cracks were there, but we just didn’t take the time to look or to do anything about it. That’s how supply chain risk feels to me right now. It’s sort of percolating and the more buildings that collapse, the more we’re starting to pay attention to it.
Guerra: Are we talking about different types of risk from these third parties? For example, if you’re somehow connected or integrated with this other company, some sort of malware could come into your network through them, so that’s one bucket of risk. Another bucket of is, this company is critical to our operations, and there’s risk if they go down. Years ago, we would worry about whether these companies were solvent. And now we worry about cyberisk. So, take that wherever you want to.
Selfridge: I’ll take it a few places. It’s really an important distinction that you’ve brought up here; the different flavors of risk we face. I’ll put them in two big buckets to start. There’s your cybersecurity risk—and I’ll come back to that in a second—and that is separate and distinct from your vendor risks traditionally, that can be your solvency and financial risks with the vendor, and those are all still happening.
For the large part, most healthcare organizations have a different group of people paying attention to the financial side of the house. And then there are people of my ilk, who look at the cybersecurity risk. Conversations are starting to happen where we look at risk more holistically, but we’re not there yet, the same way we don’t compare clinical risk next to cybersecurity risk. There’s still a whole other team looking at clinical risk. Those are merging, but not fast enough in my view.
I want to unpack the cyberisk a bit more, because I think you brought up some good points there. There are the malware types of risk; we saw that with Nuance transcription a couple of years ago. They got breached, they had ransomware, and they had these open VPN tunnels to every client they had. That was their standard operating model. The ransomware started jumping over the VPN tunnels to this hospital and that hospital, and not only did we not have Nuance transcription services available, which is a legitimate hit to the business, but then you’ve also got to shut down those pipes so the malware doesn’t come in and start effecting your organization. There are hospitals that sued Nuance over that, saying, “You should have done better.” So that’s risk. The other is, data loss. We aren’t exclusively focused on compliance risk with third parties anymore, but we still are worried about it. I see some organizations make six, seven, eight copies of their EHR records and shipping them off to an analytics firm. We don’t need to have these copies upon copies with some companies that are small that don’t have the security rigor, and the data gets breached for a variety of reasons. Now you have a HIPAA compliance risk.
And last, you’ve got the availability risk. If your vendor has any kind of an outage—it could be for a cybersecurity reason or any other reason—that’s what’s ramped up in the last year or two. The businesses are saying, “This is a big deal, not just because we have to notify the patients and deal with OCR, but our systems are unavailable, and people are getting hurt.”
Guerra: Have you had any engagements arise from larger health systems that wants to sponsor a smaller hospital to use their EHR (such as Epic Community Connect) and they want you to look at the smaller hospital to see if that would be safe? That’s almost like taking on a third party.
Selfridge: The short answer is, “Yes.” There’s been a ton of merger and acquisitions and affiliations. It’s like you said—it’s sort of like a sponsorship. There’s been a ton of this. Assimilation is happening at lightning speed. Big health systems, medium-sized health systems, are either gobbling up the smaller ones or combining forces for lots of good economic and IT reasons. When you do that, you are inheriting a small- to mid-size, might be a healthcare provider or specialty practice. Traditionally their security posture is not as good as the mother ship. And so, we’ve been doing a ton of M&A due diligence before, during, and sometimes after, the marriage happens – hopefully not after– to start finding out just exactly, “What is our exposure that we’re taking on.” Very often, they’ll still move forward with the deal. But they’ll start putting in mitigation like, “Ok, we’re going to segment you off the network until you clean up this mess, and then we can turn on the VPN tunnels or the network fiber connecting to the hospital and then we’re going to be in a safe position.” There’s a ton of this going on.
Guerra: Let’s talk a little bit more about what you think the current practices are for health systems as they try and assess third parties to work with. Those vendors have every interest in representing that they have a great security posture. They want the deal. They want the job. So, while filling out the security questionnaires, do some of them lie?
Selfridge: You’ve hit on a really important exposure for how third-party risk is handled today. To your point, vendors will do anything to get the procurement. c This is the way things are done today that gets us in trouble, and this is speaking as a former chief information security officer at a hospital. A lot of IT teams are not spending enough time to clarify vague responses on the vendor questionnaires. And the vendors are counting on that. They know you’re short on time. They know you want to get this approved, just as much as they want the sale.
Unfortunately, a lot of health systems are just saying, “That’s good enough.” That’s current practice in a lot of shops, and that just doesn’t work. All you’re doing there is collecting risk information. It’s not risk intelligence, and you’re not doing anything about it. All you’ve done at the end of the day is push paper around, in my view, and wasted everybody’s time. So, the right way to do it, if you will, one of the better practices, is you’ve got to have validation of the vendor’s security posture and what they’re saying.
There’s two ways to go about this. One is you can require organizations to get a third-party validated cybersecurity certification. The two most prominent ones are HITRUST and Soc 2 Type 2. They can pass the certification on to the hospital to show they’re doing all the right things. And there are nuances to that. You actually have to look at the Soc 2 report and make sure there’s no deficiencies in it. So, that’s one way.
The other way to go about this is to validate the responses the vendor has given you. A couple ways you can do that is by requesting documentation and evidence on certain key controls. You don’t have to look at every control but pick the ones that matter. Like ask for a penetration test. “Show me the results of that. Show me your response plan. Show me your vulnerability and patching cycle and results.” Things that will show me your leading indicators of your security program. And so, by validating at least a handful of the critical areas, if not a good subset of them, you can get that true warm and fuzzy feeling that they are doing the right things to invest in cybersecurity on their side.
Guerra: What happens if you ask them to validate something on the questionnaire and you get push-back? What’s your reaction? Is this a red flag? Is it ever possible that you are going overboard, and they are justly accusing you of being unreasonable?
Selfridge: There’s a spectrum, for sure. And it’s funny how this has played out over the years. About 10 years ago, when we started doing these assessments en masse for the industry, vendors would say, “Nobody ever asks us for this. I don’t have to answer this.” And they’d tell us to go away. But what’s been really exciting and interesting for us as CORL, is we’ve managed hundreds of health system customers, and so we would show up again the next week on behalf of another customer—another hospital—and we’d say, “We’re back! We still want to see that evidence and that documentation.” There was this sort of economy of scale going on, where we were able to put pressure on the vendor and say, “OK, we’re not going away.” And some of the big vendors (and I won’t name names) some of the biggest vendors who were giving us the most flack—because they’re big, and they can muscle their way around—all of a sudden, they couldn’t muscle anymore, and they actually came to us. They had us over to their corporate facilities. They wanted to partner with us so that they could show up in the best light and in the most transparent way with these assessments. That’s been a big key.
And the other factor’s been, you’ve got to get this tied to the procurement cycle. So, you are doing the assessment and you’ve got your own leadership on board, your procurement, your legal and IT, and everybody else saying, “We don’t pass go until this assessment’s done right and the vendor’s provided evidence to our satisfaction.” Even though that slows things down, the business in health systems is saying, “We can’t take on that risk until we know what’s going on.” Putting that as part of the contractual agreement in procurement, in order to keep going, but actually putting all the service level agreements and SOWs in place saying, “You need to show us on an ongoing basis that you’re still doing these things and keeping up to speed, because if not, the contract takes a hit.” Unless you’ve got money and the contract behind it, or economies of scale going on, you’re correct, vendors are not eager to participate in the dialogue.
Guerra: As a health system, you have to have people doing this who really care about the risk that’s being taken on. Because in the scenario you mentioned, you give the questionnaire, and they check their box and give vague answers because that’s not the CEO giving those vague answers. They fill it out and they see what happens. If they have that same attitude on the health system side—not willing to measure that risk—that’s going to be a bad outcome.
Selfridge: I can tell you Anthony, there are still organizations operating that way, for sure, and I call it a compliance mindset. The classic answer I get is they did the questionnaire, they got their responses, they keep them on record, and if anything ever goes wrong, they’ll go back to the responses and say to the vendor, “You said you had these things in place.” But at that point, who cares? It’s already too late. A breach has already happened; OCR is at the door; data is locked up and patients could get hurt. I don’t think that mindset is effective, and it’s borderline negligent of truly managing the risk to the organization.
Guerra: It’s different than a cyber-insurance scenario, where the insurer can say, “We’re not paying.” If you said you have something in place that you demonstratively didn’t have in place, they’re not paying. Let’s talk about what happens between the CISOs and the business—the rest of the C suite. CISOs are chief risk officers. They need to communicate risk. They’re not deciding that this particular vendor is key to the organization, the business is deciding. The CISO can determine the risks the organization may face because of a vendor. That’s all got to be communicated so people can make decisions, and then contingencies have to be put in place. If this entity goes down, it’s the business side that has to determine how significant that will be. But how much does the CISO need to worry about this?
Selfridge: That’s a fantastic question. I do presentations all the time for healthcare boards that want to know what’s up with the cyberisk. Historically, those have been 10-minute briefs that cover the whole gamut of cybersecurity risk. I just did a couple last week, both turned into 20-, 30-, 40- minute conversations about supply chain risk only, just to give you a sense of the appetite there is at that board level. In terms of what to report to the board about cyberisk, it’s much like other areas, you need to present information in terms that the business can understand. Don’t report out on this tactical issue or that tactical issue unless you’ve got a real critical issue. Folks like chief risk officers should be reporting out on the overall performance of the third-party risk program, and be able to answer some key questions, like how many vendors do we have? How many fall into each criticality tier? Not every vendor is created equal in terms of risk. How do we determine which vendors are in which tiers? How many high impact vendors do we have? What’s the macro-level risk of those vendors? Where do we have blind spots? What have we not assessed? How can we drive visibility? How are vendors doing in their commitments to remediate?
You still need to push the vendor to commit to fixing stuff and follow up with them. That’s a major gap that a lot of organizations miss. You’ve got to have that rigor to just keep going back and reporting back as well. How fast are we doing that? Are they meeting our SLAs (service-level agreements)? Do we need to make investments here or there? It’s classic. Your C-level discussion should be about any variance from your target objectives. That’s the kind of conversation you want to have at that level versus reporting on tactical movement.
Guerra: I’m thinking about how important it is for CISOs and CIOs to understand the business. You talked about criticality tiers. Well, that’s not part of my job as a CISO. I need to talk to the business leaders. I need to get an idea of where this application fits in terms of what we do. If you don’t understand what these things are doing you may be misunderstanding how important something is. How important is this? Your thoughts.
Selfridge: We have to be a partner to the business. That’s the reason security officers are at the board table and governance groups now more than they have been before. We need to be listening more than we ever have before. Historically, we have been in the basement with our bits and bytes and our propellers on our heads. But now, we’re at the table, actively listening and weighing in on what the organization is trying to do. Part of it is just being aware of the business, as you alluded to. The other thing is around the communication and around the translation. We need to be the professionals that we are, to tee up and make recommendations on what to do next. You can’t just puke out all the risks and say, “What do you want to do, business?” I’ve had people report to me with problems, but if they don’t give me options A, B and C and their recommendation for which one to solve the problem, I send them back. Don’t come up without some recommendations. And be willing to let that recommendation move, depending on the conversation. Have a perspective that’s well informed by the business and also by the expertise in cyber, which is a very nuanced thing. It’s a techy, jargony thing. But we’ve got to pull it out of that and have a conversation at the business level. I think it’s where the good CISOs are heading, and I think that’s going to continue to be the case.
Guerra: Back to the certifications that you mentioned, HITRUST and Soc 2. These types of things tend to be quite helpful because you’ve got that a third-party stamp. And you do tons of assessments. Are you looking at that type of work where you provide your own stamp so that there’s another entity out there? You mentioned that there’s limitations with the other two. Is there an opportunity? I would imagine CIOs and CISOs would love more third-party stamps they could trust.
Selfridge: That’s a good point. I mean, it’s not enough. The certifications out there—Soc 2 and HITRUST. The numbers vary out there. About 20 to 22 percent of vendors are carrying those right now and that number is growing pretty aggressively. That’s 80 percent of vendors that don’t have anything on paper right now. Then you’ve got to dig it out. Again, scale. We’re going to keep talking about this problem as a scale problem. So, we’ve been doing this with hundreds of organizations—a decade-plus of doing nothing but this. We’ve learned that we need to do a couple of things. We need to increase the speed at which these assessments happen and get the accurate validated risk data to the right people as quickly as possible so that the procurement goes through, the sale goes through, and business continues as usual, and we stop becoming the bottleneck.
And, so absent a certification, if the vendors don’t have that, you have to do a full assessment. One of the things that we’ve developed—and we’ve been working on at CORL, in particular—is this sort of clearinghouse idea, where we’ve assessed over 80 percent of vendors for their cybersecurity posture. It’s insane that every single health system is going to vendors one by one and assessing them. If you just look at the macro, it’s ridiculous the way we’re doing this as an industry. So, we said, “Look, we’ve already assessed these vendors. Let’s take that data and let’s reuse it and reapply it and say, “Vendor, you just answered those questions or something very similar to it for hospital A. Do you want to use it for hospital B in this technology and just click yes and send it across?” And that is the system that is going to grease the skids of this entire process.
We’ve developed a clearinghouse where vendors can pre-pre-audit but, otherwise we’re going to hit them in due course for one or more hospitals—get them assessed, keep their data and then allow them to reuse that over time and basically create that central point, almost like TSA pre-check. When you go to sit in the airport line, you’ve already been pre-cleared, so go ahead. We’ve already done your due diligence on Anthony the frequent traveler. It’s kind of like that where CORL becomes the pre-vetting. They’ve already been through us. We might validate, just make sure everything looks good and then send it through. That’s what we’re really excited about, changing the whole paradigm to reuse that data. Because we’ve already assessed, I won’t say all the vendors—but 80,000 vendors is a heck of a lot—for healthcare, specifically. That’s what’s allowing us to do this at lightning speed and have that trusted validation done almost ahead of time, or at least very, very quickly relative to the traditional models.
Guerra: As you said, that would have to be done at certain intervals, annually, or something, because what you’re talking about is just a snapshot in time, and you want to make sure they are continuing to have good security practices, right?
Selfridge: What’s interesting though, is that for hospital A we vet a vendor, and hospital B comes back two weeks later to have the vendor vetted, and then hospital C wants to see that same vendor vetted. And so, we go back to them and say, “Vendor, does this still look good? And they might say, “No, no, no. That was a week ago. Now we have a whole new platform,” or something completely different and they can update their answers, and that’s how it just stays alive, which really helps.
Guerra: We’re almost out of time. Do you have any advice for our CIOs and CISOs about third-party risk? What do you think is the common mindset here, or the common situation? Are they getting it? Are they freaking out about it? You could have hundreds and maybe even thousands of third parties. That criticality tier I’m sure is a prevalent concept. What’s your advice for handling those top criticalities?
Selfridge: Sure. But I’ll frame it a little bit differently, because just paying attention to your critical vendors is part of the missteps that we’ve made as an industry. Yes, for those critical vendors, make sure they have a third-party certification. There’s no excuse for them not to have made the spend and invested in security. Why do I have to do all your work and audit you? And you want to check back with them annually, your critical vendors.
For your small and mid-tier vendors, you may not want to go to them as frequently for an assessment. You may want to look at them at procurement and maybe two years later. You may want to do a lighter assessment, looking at maybe your top 20 critical controls or the things that are most important to you, so you can scale to get some visibility.
What you don’t want to do is ignore those small vendors, because 80 percent of vendors are small—less than 50 people—and have no security leader, no security program, so those are the ones that are posing the quote unquote supply chain risk. So, make sure you’re getting some degree of visibility on those folks, in addition to your critical tier vendors.
In terms of closing thoughts, if you aren’t investing in your third-party risk program actively right now and you’re still doing the status quo, and you’re sending out your questionnaire with just half an FTE, you are falling behind. And it’s going to bite you sooner rather than later. I don’t like doing, “The sky is falling.” I think there is always context to all of this is an area where the risks are mounting faster than we can keep up, even for those that are putting in automation and technology. If you’re not doing any of this, you’re falling behind so fast that it’s just a matter of time before you get bit by one of these. My recommendation is to get smart on the problem and the options out there, and look to make some investments, either in your team or with your process or tech, or a little bit of all.
Guerra: It makes perfect sense. As your risks are mounting as a health system, and as the global risk in the environment is going up, why would you think it would be any different with all these vendors you’re using, especially the smaller ones? It’s common sense, right?
Selfridge: That’s right.
Guerra: Brian, thank you so much for your time. I think that was a really great interview, lots of great information, so I appreciate it.
Selfridge: My pleasure, thanks so much.