Healthcare News & Insights

Healthcare today: Swapping IT assets for vendor risk in a cloud-enabled world

The adoption of cloud computing in the healthcare industry has helped hospitals work more effectively and efficiently. However, it’s also brought to the forefront many new security threats. In this guest post, Kurt Hagerman, cyber strategy CxO advisor at a provider of cybersecurity advisory and assessment services, lays out a holistic approach facilities can take to maintain security when working with a large group of third-party vendors.


The move to the cloud has taken health care by storm for good reasons – healthcare delivery organizations (HDOs), often strapped for cash, time and technical staff, have found relief through myriad cloud solutions that can do anything from providing the perfect billing or health monitoring solution, to data capture, analysis, and even trending over time, leading them to increasingly rely on third-party vendors to support their businesses. The reign of monolithic, internally hosted healthcare applications is fast coming to an end.

While solutions from certain companies will undoubtedly continue to play a significant role, cloud computing has fostered the development of many specialty niche applications that do a better job at their targeted functions than the broader applications do. Today, some large HDOs and health plans have relationships with thousands of business associates (BAs), making the task of ensuring the security of their PHI across all these vendors challenging at best.

The HDO risk profile has shifted dramatically. While this move to the cloud relieves the HDO of much of the burden of on-premise IT hosting, monitoring, management and security, diligent organizations are realizing they need to shift their attention to the complexity of the third-party environments, requiring a new model to safeguard patient data. No longer can their risk management programs only regard their own systems and staff. Today, they must be concerned with these, as well as the risk third-party vendors pose as they share PHI with, between, and among them and their employees. In other words, they must take a holistic approach to a more expansive, third-party-inclusive security landscape.

Many HDOs are ill prepared to deal with this shift, lacking mature security programs and even basic vendor management programs. Consider the challenge of ensuring every BA with whom you do business is managing their own security program in accordance with HIPAA and their own requirements. An HDO with 500 business associates would have to conduct nearly two vendor security assessments every day of the year. This is simply not feasible for any HDO.

So how are they handling it?

Many have turned to using third-party attestations and certifications to shoulder a large part of the burden. By requiring that their business associates obtain one or more third-party security certifications, they can show they’re doing something to manage the risk.

Is this enough?

Unfortunately, relying on these types of validations may not be adequate to ensure that your protected health information (PHI) is being properly secured. First, not all third-party validations are equal when it comes to evaluating a vendor’s security program. Some, like ISO 27001 and even SOC 2, are more concerned with policies and processes, and don’t dive as deep into the technical implementations and operations.

Second, processing PHI often requires the cooperation of multiple BAs and results in your organization’s PHI being passed between many partners to accomplish your goals. Additionally, many BAs are themselves relying on other third parties to provide their services. We can see how the web of connections quickly becomes nearly impossible to trace.

To effectively manage third-party vendors, organizations should:

  • establish a master list of all vendors, including the service(s) they provide
  • map the data each has access to and its criticality to the organization
  • understand how they access the data
  • discover the dependencies of each vendor on your other vendors, and
  • establish which outside vendors each uses to provide their services.

Organizations should build a vendor rating system that allows them to group vendors based on the risk they pose to the organization. Factors to consider in building this system include: the type, criticality, amount and access methods to the data each category has access to, and then apply a set of security requirements for each ranking that you believe addresses the risks each ranking poses to the organization. These requirements can include the type of third-party certifications that are acceptable, additional risk and security questions you require a vendor to answer, and what type of audit requirements you will place on them. Then, this third-party management program must be folded into a comprehensive security program that spans all security strategies and activities across the healthcare organization, understanding how these elements interlock.

For business associates, providing transparency to certifications and other industry standard security documentation offers great opportunity to differentiate themselves from other providers. Proactive steps they can take include:

  • make all third-party attestations available
  • complete and provide standard industry forms, such as the SIG and CSA CAIQ
  • publish responsibility matrices for each third-party attestation
  • publish clear guidelines for how to properly and securely use the services you provide, and
  • make security and compliance staff available to customers and prospects.

The more these vendors can do, the easier HDOs will find the vendor management process and the more comfortable HDOs will be with the risk the vendor poses to them.

Kurt Hagerman is a CxO advisor, cyber strategy at Coalfire, a provider of cybersecurity advisory and assessment services. In this role he provides strategic cybersecurity advisory services in support of C-level executives across multiple industry verticals with a specialization in cloud security strategy. 







Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.

Speak Your Mind