By Robert Booker, Chief Strategy Officer, HITRUST
Healthcare organizations rely on complex networks of vendors. Together, healthcare companies and their vendors support care delivery, manage payments for services, and provide a wide variety of operations for the industry and the people they serve. The complexity of the industry, the highly sensitive data and critical systems involved, and the number of third-party vendors needed create a unique and challenging environment for security risks. The greater the dependence on third parties to make healthcare work, the more important it becomes to find real solutions for vendor risk management.
According to a report from SecureLink, the healthcare industry is one of the top targets for cybercriminals, due to the size of the industry and the sensitivity of its data. In 2021, third-party data breaches affected 55% of healthcare organizations, and 65% believed that their IT systems failed to prioritize third-party security. Effective, transparent third-party risk management (TPRM) holds the key to decreasing security risks for healthcare.
But data today suggests that TPRM is broken. Current models are unsustainable and inadequate. They are plagued by a lack of resources and standards.
So, how do we address this? Implement the following three steps to reduce third-party risks:
Start with Reliability
The first step toward better TPRM is to build reliability throughout the healthcare information supply chain. Stakeholders must be able to clearly understand, and rely on, the assurances their vendors provide. This is essential to establishing high levels of trust and confidence. HITRUST CSF Assessment Reports centralize reporting and review processes in a single program. The HITRUST framework they are built on is transparent and comprehensive. These factors make them the most reliable reports in the industry. Improved reliability leads to greater confidence and more efficient vendor engagements. Transparency encourages reliance on vendors who can demonstrate documented and provable security outcomes.
Drive for Standardization
Standardization refers to following common and understood rules and procedures across the industry. Today, most healthcare organizations have their own approaches to third-party vendor risk management. There is very little standardization. Lack of standardization leads to inefficiencies. It makes it more difficult for organizations to find and select vendors who meet high levels of risk avoidance and security practices. And it opens the door to increased third-party risk.
Healthcare needs a common, unambiguous, comprehensive approach to manage and reduce third-party risk. A clear set of guidelines and best practices, accepted and followed across the industry, will help organizations prevent hazards, mitigate risks, eliminate redundancies, and promote productivity. It will promote better communication between organizations by encouraging simple, widely accepted language and transparency. It will facilitate cooperation, reduce misinterpretation, and enhance interoperability. With the right standards in place, organizations will be able to easily share sensitive information and collaborate.
End with Assurance
Finally, effective TPRM requires assurance. Assurance provides a clear understanding of security maturity by documenting the requirements, standards, and procedures and establishing the needed validation mechanisms to test adherence.
Assurance systems must be based on critical success factors that drive a high-quality, trustworthy assurance report that key stakeholders and regulators can regard with high levels of confidence.
An assurance mechanism must meet four critical success factors:
1. It must be built on a framework that is readily available and easy to interpret. There can be no mystery in how the controls were selected, evaluated, and scored.
2. Consistency and standardization go hand in hand. The assurance methodology must be the same for different organizations, so that one organization's report is comparable to the assurance reports of others.
3. Accuracy is achieved through objective, quantitative, and judgment-free results. It is essential to trustworthiness.
4. Assurance integrity relies on the rigor of the evaluation methods used by the assessor. Assessors must faithfully collect evidence, verify the proof of implementation, and ensure there is no conflict of interest.
How Are Industry Leaders Enhancing TPRM?
The healthcare industry recognizes the need for reliable standards in TPRM. Leaders from multiple organizations came together to create the Health 3rd Party Trust (Health3PT) Initiative as a way to improve TPRM and enhance healthcare data security. Health3PT is working to create a practical, effective approach by implementing reliability, standardization, and assurance. Health3PT has reached out to more than 15,000 vendors to reinforce the importance of reliable assurances. It has also established a vendor directory to help organizations easily find the companies they can rely on to safeguard sensitive data.