Throughout today’s healthcare organizations, third parties play a bigger role than ever. Healthcare organizations can work with hundreds, if not thousands, of third-party market suppliers that are entrusted with the healthcare organizations’ confidential data. With the increased need to share confidential information comes more risk.
And managing the risks involved with utilizing third parties has become a frustrating and expensive task. According to a report by the Ponemon Institute, third-party risk management costs a healthcare provider $3.8 million on average, exceeding the $2.9 million in costs for a data breach.
Before signing on the dotted line, healthcare organizations should carefully select and vet the third party as part of an effective cybersecurity strategy. A necessary part of this procurement process is a third-party security assessment questionnaire.
The questions asked may vary as healthcare organizations have their own unique needs and nuances, and may be business or technically oriented. An organization may also choose to use a standardized security assessment questionnaire in order to streamline due diligence efforts. Without consistent third-party security assessment questionnaires, market suppliers are faced with a myriad of non-standardized questionnaires to prove they are security-worthy.
If you’re looking to streamline and improve your organization’s third-party cybersecurity strategy, improve relationships with market suppliers and protect your patients’ data, consider these five lessons learned from professionals in the healthcare industry.
Before signing a contract, it’s worth taking a holistic look at the overall value of their product or service and how it will affect your organization overall.
Cara Babachicos, senior vice president and chief information officer at South Shore Health, shared her organization begins a security assessment early in the process of selecting a market supplier and also considers the big picture. “We have to evaluate, first of all, if the product is a good fit from workflow and business perspectives, but secondarily, we have to make sure they're going be a good partner or if they're going to put undue risk on the organization.”
Lorraine Bessmer, senior cybersecurity analyst, St. Luke's Health System discusses with HIMSS TV how the lack of the third-party cybersecurity standards is hampering relationships.
It’s crucial to avoid a silo mentality within your security team. As the cybersecurity strategy of healthcare organizations mature, more organizations are finding value in working as a collaborative team across multiple areas.
“I work for a health system with about seven hospitals and 240 clinics,” said Lorraine Bessmer, senior cybersecurity analyst with St. Luke's Health System. “My focus is really on third-party risk. My goals are to mature the whole program because our security team is fairly young.”
Bessmer collaborates with other groups across the organization, including compliance, legal and supply chain in order to improve the workflow when it comes to evaluating and approving market suppliers based on their requirements.
“When I think about security, I always think about ‘How do I make it better’? I used to think about ‘How do I make it perfect?’ and I wouldn't get any sleep,” said Omar Khawaja, vice president and chief information security officer at Highmark Health.
Khawaja recognizes that some organizations have the budget and resources to build their own third-party risk program as part of their cybersecurity strategy, while others choose a method that doesn’t require such a large expenditure of time and money. For his own organization, Khawaja is simply requiring all new market suppliers be certified by an established organization that provides a standard data protection and risk assessment framework—along with completing a SOC 2 technical compliance audit specifically designed for service providers storing customer data in the cloud while working with internal legal teams.
This approach, which is an alternative to a security assessment questionnaire, may be more manageable for third parties to align with, rather than expecting them to fill out lengthy questionnaires. Khawaja acknowledges this approach is not perfect, but may improve the effectiveness of an organization’s cybersecurity strategy.
However, not every entity will necessarily want to take the certification approach. An alternate approach is for the third party to have a standard due diligence package. The package may address a broad range of frequently asked questions, ranging from business, technical, legal and regulatory realms. But, of course, there may be additional questions that the organization has in mind. Accordingly, the third party may wish to send this standard package in response to an inquiry about their security posture and answer additional questions the organization may have.
When healthcare organizations ask market suppliers to fill out questionnaires about their cybersecurity practices, it’s important to ensure that the market suppliers are providing accurate and detailed information. If there are inconsistencies or assertions that appear to have bias and/or seem to be untrue, then the healthcare organization needs to flag these responses and ask for clarification.
As director of customer compliance at Armor Cloud Security, Mike Annand recommends that healthcare organizations follow a simple rule: trust but verify. “I don’t care how many times you ask somebody to fill out the questionnaire, you have to make sure that they are exactly doing as they are putting in that questionnaire. Otherwise, you’re taking a risk and you better be prepared to pony up when that risk rears its head,” said Annand.
Additionally, healthcare organizations may want to ensure that the third party’s contract aligns or otherwise is consistent with the answers and other information provided by the questionnaire.
Change happens—and it happens frequently in the cybersecurity field. Once requirements are agreed upon and contracts are signed, what happens if the model for data storage or transfer changes? How can that scenario be woven into your organization’s cybersecurity strategy and your contract be updated?
Sanjeev Sah, chief information security officer at the Medical University of South Carolina, suggests that third-party security assessment questionnaires should address any potential changes. Sah also believes market supplier security assessment questionnaires should take into consideration whether the healthcare organization is doing business with a cloud supplier versus one storing data on the physical premises.
Bessmer agrees, since third-party security must be continuously monitored as products and services evolve—and when there is any change in the way data is stored or shared. “If there are changes in an existing vendor, or if they’re adding something new, such as now there's a mobile app that goes with this solution, we will go back and have them relook at the questionnaire. Many questions may be just the same, but there will be some changes.”
For Khawaja, risks that occur when confidential data leaves the organization can be mitigated by requiring every third party to align with the healthcare organization’s data protection standards. Others like Babachicos believe a red flag response should be triggered when there is any change in data storage. “If it was in my data center and now I'm hosting it, there’s a whole new security review that has to happen as well,” Babachicos shared. "It shouldn't just automatically move from here to there without an assessment.”
Cybersecurity will continue to grow as a concern on both sides of the fence—for healthcare organizations providing information and when those same healthcare organizations need to request data from outside sources like subcontractors or business associates.
Current methods of assuring cybersecurity using non-standardized questionnaires and on-site assessments can, at times, cause frustration and expend significant time and resources. By incorporating alternatives into your cybersecurity strategy, such as verification that a third party is appropriately certified and/or using a standard security assessment questionnaire, the process can become more streamlined and help keep your organization, your market suppliers and your patients safe and secure.
December 7–8, 2020 | Digital Conference
Get the latest updates on cyberthreats, explore how to maximize your existing technology investments, hear best practices on creating a security-first culture; take away strategies to fill the gap in finding talented staff and learn how to create a resilient security framework.
Originally published 17 February 2020