Healthcare Delivery Organizations – Measuring Vendor Risk in a Cloud-Enabled World

By Kurt Hagerman

Today’s healthcare organizations have been tasked with focusing on more than just a patient’s health. Their infrastructure is undergoing a massive shift, one that increasingly depends on technology. As that shift continues, the move to the cloud is one of the most noteworthy contributors to the changing landscape of how healthcare organizations use technology for everything from patient data to clinical, administrative, and financial functions.

The adoption of cloud technology in healthcare delivery organizations specifically is largely driven by the cost and benefits of cloud infrastructure. The move to the cloud has taken healthcare by storm for good reasons. Healthcare delivery organizations (HDOs), often short on cash, time, and technical staff, have found relief in a wide range of cloud solutions that provide anything from billing or health monitoring to data capture, analysis, and even trending over time, and as a result they increasingly rely on third-party vendors to support their businesses. The reign of monolithic, internally hosted healthcare applications is fast coming to an end.

While solutions from Epic, Allscripts, Cerner, and GE Healthcare will undoubtedly continue to play a significant role, cloud computing has fostered the development of many specialty niche applications that do a better job at their targeted functions than the broader applications do. Today, some large HDOs and health plans have relationships with thousands of business associates (BAs), making the task of ensuring the security of their PHI across all these vendors challenging at best.

The HDO risk profile has shifted dramatically. While the move to the cloud relieves the HDO of much of the burden of on-premises IT hosting, monitoring, management, and security, diligent organizations are realizing they must shift their attention to the complexity of third-party environments, which requires a new model for safeguarding patient data. Their risk management programs can no longer consider only their own systems and staff; today they must also account for the risk third-party vendors pose as PHI is shared with those vendors, among them, and with their employees. In other words, they must take a holistic approach to a more expansive, third-party-inclusive security landscape.

Many HDOs are ill-prepared to deal with this shift, lacking mature security programs and even basic vendor management programs. Consider the challenge of ensuring that every BA with whom you do business is managing its own security program in accordance with HIPAA and its own requirements. An HDO with 500 business associates would have to conduct nearly two vendor security assessments every day of the year. This is simply not feasible for any HDO; so how are they handling it?

Many have turned to using third-party attestations and certifications like HITRUST and others to shoulder a large part of the burden. By requiring that their BAs obtain one or more third-party security certifications, they can show that they are doing something to manage the risk.

Is this enough? Unfortunately, relying on these types of validations may not be adequate to ensure that your PHI is being properly secured. First, not all third-party validations are equal when it comes to evaluating a vendor’s security program. Some, like ISO 27001 and even SOC 2, are more concerned with policies and processes and do not dive as deep into the technical implementation and operations.

Second, processing PHI often requires the cooperation of multiple BAs and results in your organization’s PHI being passed between many partners to accomplish your goals. Additionally, many BAs are themselves relying on other third parties to provide their services. We can see how the web of connections quickly becomes nearly impossible to trace.

To manage third-party vendors effectively, organizations need to focus on a few key initiatives. First, establish a master list of all vendors, including the service(s) each provides. From there, map the data each vendor has access to, how it accesses that data, and how critical that data is to the organization. Organizations will also want to learn each vendor’s dependencies on other vendors, establishing which outside vendors each uses to provide its services.

Organizations should build a vendor rating system that groups vendors by the risk they pose to the organization. Factors to consider in building this system include the type, criticality, and amount of data each vendor category has access to, and the methods by which it accesses that data. A set of security requirements is then applied to each ranking, chosen to address the risks that ranking poses to the organization. These requirements can include the third-party certifications that are acceptable, additional risk and security questions a vendor must answer, and the audit requirements that will be placed on it. Finally, this third-party management program must be folded into a comprehensive security program that spans all security strategies and activities across the healthcare organization, with an understanding of how these elements interlock.
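As an added example (not from the article or Coalfire) of the inventory, dependency mapping and tiering described above, the following Python scores a constructed vendor inventory: each business associate's effective PHI exposure includes data that flows to it from vendors that rely on it, the tier is derived from data type, volume and access method, and vendors lacking an attestation acceptable for their tier are flagged. The tier thresholds and the acceptable-attestation policy are illustrative assumptions.

```python
from collections import defaultdict
# Constructed sample inventory (not from the article): PHI categories each business
# associate touches, its access method, attestations and vendors it relies on.
VENDORS = {
    "billing-saas": {"data": {"phi", "financial"}, "access": "api", "records": 2_000_000,
                     "attestations": {"SOC2", "HITRUST"}, "depends_on": {"cloud-host"}},
    "cloud-host":   {"data": set(), "access": "none", "records": 0,
                     "attestations": {"SOC2"}, "depends_on": set()},
    "print-mailer": {"data": {"phi"}, "access": "sftp", "records": 50_000,
                     "attestations": set(), "depends_on": set()},
    "survey-tool":  {"data": {"contact"}, "access": "api", "records": 10_000,
                     "attestations": {"ISO27001"}, "depends_on": set()},
}
# Acceptable attestations per ranking (any one satisfies the tier). Constructed policy.
TIER_ACCEPTS = {"high": {"HITRUST"}, "medium": {"HITRUST", "SOC2"}, "low": set()}

def dependents(vendors):
    """Reverse the dependency edges: which vendors rely on each vendor."""
    rev = defaultdict(set)
    for name, v in vendors.items():
        for dep in v["depends_on"]:
            rev[dep].add(name)
    return rev

def effective_exposure(name, vendors, rev, seen=None):
    """Data and record volume reachable by a vendor, including PHI flowing down from dependents."""
    seen = seen if seen is not None else {name}
    data, records = set(vendors[name]["data"]), vendors[name]["records"]
    for up in rev.get(name, set()) - seen:      # vendors that rely on this one
        seen.add(up)
        d, r = effective_exposure(up, vendors, rev, seen)
        data |= d
        records = max(records, r)
    return data, records

def rank(data, records, access):
    """Tier from data type, volume and access method (thresholds are illustrative)."""
    if "phi" not in data:
        return "low"
    return "high" if records >= 100_000 or access in {"vpn", "db"} else "medium"

def assess(vendors):
    """Tier every vendor and flag any lacking an attestation acceptable for its tier."""
    rev = dependents(vendors)
    report = {}
    for name, v in vendors.items():
        data, records = effective_exposure(name, vendors, rev)
        t = rank(data, records, v["access"])
        ok = not TIER_ACCEPTS[t] or bool(TIER_ACCEPTS[t] & v["attestations"])
        report[name] = {"tier": t, "compliant": ok, "data": data}
    return report
```

Running `assess(VENDORS)` shows the hosting provider inheriting the billing vendor's PHI exposure and therefore failing the high-tier requirement despite never being listed as touching PHI directly.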

For business associates, providing transparency into certifications and other industry-standard security documentation offers a great opportunity to differentiate themselves from other providers. Proactive steps include making all third-party attestations available, completing and providing standard industry questionnaires such as the SIG and the CSA CAIQ, and having security and compliance staff available to customers and prospects.

It also helps if they publish responsibility matrices for each third-party attestation (HITRUST, PCI, etc.) and establish clear guidelines for how to use their services properly and securely. The more these vendors do, the easier HDOs will find the vendor management process and the more comfortable the HDOs will be with the risk the vendor poses to them.

Kurt Hagerman is a CxO Advisor, Cyber Strategy at Coalfire, a provider of cybersecurity advisory and assessment services.
