Challenges in Managing Healthcare Vendor Risk and Two Steps Every Organization Should Take to Address Them

Vendor risk management can be the difference between knowing what you need to protect across your systems and networks and managing risk blindly.

Most healthcare organizations have so much data processing, so many transactions, and so many technologies and vendors in their environment that security gaps exist they don’t even know about. Getting a handle on those gaps is critical as healthcare delivery across the continuum of care becomes more dependent on technology, from widely adopted digital health solutions to emerging technologies like AI, machine learning, quantum computing, nanomedicine, cryptography, and smart hospitals.

Vendor Risk Challenges

Vendor risk management is an important—and often overlooked—part of a mature risk management and security program. In a recent hospital resiliency analysis published as part of the 2023 405(d) HICP update, HHS found that supply chain risk is pervasive in hospitals; among its observations, 49% of hospitals reported having inadequate coverage to manage supply chain risks. Supply chain risk also ranks among the top 3 threats in the 2023 H-ISAC Threat Report’s survey of 288 CISOs.

Nine of the ten largest healthcare breaches in 2022 were tied to third-party vendors, compromising the data of nearly 25 million patients. Our work helping organizations across the healthcare ecosystem manage vendor risk has shown that more than half of assessed vendors fall into the critical, high, or medium risk categories. Vendors often under-perform, or fail to perform at all, in the following five categories:

  • Access control
  • Systems and services
  • Acquisition program management systems
  • Protection
  • Incident response

It’s important to recognize that strong performance in one area isn’t always an indicator of a mature, comprehensive security and risk management program. It isn’t uncommon, for example, for a third-party vendor to build a program with robust preventive controls and processes but fail to develop effective incident response plans. When a security incident occurs, the affected vendor must notify you in a timely manner about the nature of the incident and the steps being taken to mitigate its impact, and that expectation should be written into the contract rather than assumed.

In addition to challenges with validating vendor controls and responses, healthcare organizations often struggle with:

  • Incomplete or inaccurate vendor lists
  • Not knowing which vendors can access sensitive data
  • Not being able to identify high-risk vendors
  • Not building a risk management program around vendor risk
  • Not verifying that the controls behind vendors’ security attestations actually exist and function as intended

There are many moving parts within a vendor risk management program, including contractual, cybersecurity, privacy, and compliance components. Wrapping your head around who your vendors are, where the risks lie, and how those risks feed into your overall risk analysis program can be daunting.

It’s even more challenging if your staff are overextended and don’t have time to give vendor risk the attention it needs.

Some covered entities look at vendor risk as a checkbox, a task they must complete every so often. Yet, for a robust program, this must be an ongoing process.

Too Many Silos

When it comes to making progress on risk management programs, too many healthcare organizations still work within silos, which makes vendor risk management more challenging.

You may have team members, for example, who enter into contracts without oversight. Sometimes they execute the contract without communicating with a centralized group or with whoever is responsible for risk management. This is often referred to as “shadow IT”, a concept Tracy Griffin, Director of Information Security Risk and Assurance for Bon Secours Mercy Health, and Cathie Brown, Vice President of Consulting Services at Clearwater, discussed on a recent webinar with ISMG. Griffin says, “it’s time to drag shadow IT out of the shadows”, stressing the importance of working collaboratively with decision-makers and department heads so they understand the organization’s cybersecurity standards and know how to proceed if a potential vendor doesn’t meet them.

2 Steps You Can Take to Address Vendor Risk in Your Organization

So how do healthcare leaders address the challenges just described? There are many strategies for addressing vendor risk, including shoring up your processes, procedures, and communication around vendor risk, tackling the challenges internally with your existing staff, and working with a trusted partner to help you identify your vendor blind spots and bridge the gaps in your current strategy.

If reading this article has you thinking you need immediate action, here are two steps you can take to help you get a better handle on your vendor risk quickly and incorporate it into your larger cyber risk management strategy.

1. Make Vendor Risk Management Part of Contracting and Selection

There is no quick solution to vendor risk management challenges, but what you do at the beginning of the process matters most. Your program should focus at the start on determining whether the vendor you want to work with can protect your data to the level you want (and require).

It is extremely important to build as many of your security requirements as you can into the contracting process up front, and to tell your vendors what you expect from them from a privacy and security perspective, including what you want them to demonstrate beyond a security attestation. An attestation is a claim; the contract should spell out the evidence you expect to see that the attested controls operate.

Most organizations are dealing with long-term vendors and technologies that have been operating in the environment for years and are critical to operations. It’s much harder to rip and replace those technologies, or to impose new requirements on them, without leverage, and that leverage exists during the contracting process.

2. Audit Your Vendor Risk Program

Routine audits should also be a part of your vendor risk management program. Ask:

  • Do we have a process?
  • Is it defined?
  • Does it cover the whole vendor lifecycle, from selection and onboarding through offboarding?
  • Do we have all the requirements laid out?
  • Did we prioritize it?
  • How do we assess them?
  • Are we monitoring them?
  • Do we reassess them?
  • What happens when the partnership with the vendor ends? Does that introduce new risk?

Next Steps

Start having this conversation internally. It can feel daunting, but with the right internal team, a risk management consultant as a partner, and a risk analysis solution, your organization can mature its risk management program effectively.

Specifically, spend a little time every day, or have somebody on your team do so, learning about your vendor universe; that is how you truly mature the program.

If you haven’t already, select and implement an industry-recognized risk management framework to be the foundation of your security program. A framework can help you decide which controls are reasonable and appropriate for your environment. It’s also a helpful tool to enable you to monitor and assess your program performance continuously.
