Written by Taylor Lehmann, Chief Information Security Officer, Wellforce
The patient-care ecosystem is a complex mix of healthcare providers, payers and third-party vendors and business partners. The providers and payers represent a manageable relationship driven by a clear business. The vendor relationship, however, creates a many-to-many web that can quickly get out of hand.
More importantly, third parties include entities where healthcare providers must share private health information with. These can include health information exchanges, accrediting organizations and pharmacies. For these third parties to be successful in the care delivery process, they require access to patient information.
Tracking these relationships and managing the access to information can be daunting. Assessing and then mitigating the risk associated with this access is nearly impossible at scale. Providers must also not lose track of their primary mission—providing the most informed, affordable patient care possible while not jeopardizing the security of the patients’ information or their safety.
Vetting third parties: A long-standing issue that needs to be addressed
Vetting third parties on an on-going basis is a major challenge. In some cases, the effort can prove insurmountable for organizations that don’t have the expertise or resources as new partners are selected, partner contracts are renewed, and when partner roles change.
One of the reasons this issue exists is that the provider community lacks a standard, effective, transparent and scalable method for assessing third-party security postures. Such a method must also be trusted by the provider community with regards to patient and business-related information.
The traditional method based on the BAA does not allow providers to check the reality of third-party security postures; nor can they act to remedy situations if they find something. Sure, top revenue-generating and revenue-dependent vendors might get annual on-site visits, but this model doesn’t scale to hundreds, let alone thousands of vendors.
To tackle the scale issue and transfer some of the responsibility over to—and workload off of—the providers, spreadsheets and questionnaires were introduced. This created an illusion that steps were being made to assess the security posture of supply chains at a much larger scale. However, most third parties generated the answers that providers wanted to hear, and the providers had no means (resource-wise) to check the answers, even if they were 100% accurate.
In recent years, some software vendor offerings were good but lacked the details necessary to assess the specific risks found in the healthcare sector and related operational processes. The vendors’ ability to provide the service or product—and the information that came out of the service or product—was lacking concerning the risk conversation that was needed between the providers and the third-parties.
Top CISOs tackle third-party vetting for the healthcare sector
Given their history in vetting third parties, healthcare CISOs are in a unique position to address the issue. They see the importance of, and the risk within, the third-party supply chain and know how to fix it. They can do so with the support of their peers and a company like HITRUST backing them.
As an example, prominent CISOs from leading health systems recently formed the Provider Third Party Risk Management Council. The council is developing vetting and oversight practices that will benefit health systems, hospitals and other providers around the world. At the same time, the council seeks to avoid transferring the burden to third parties such that this part of the healthcare ecosystem collapses under the weight of the process and resource requirements.
All healthcare providers and third parties will benefit greatly from the standard, which utilizes a common set of information security requirements with standardized assessment and reporting processes. The solution begins and ends with transparent, consistent, and auditable information and communication. It also clarifies what can be expected from third parties who can then organize their information security and data protection processes to minimize the required effort to do business with providers.
Further, the standard will help the entire ecosystem understand the level of information security maintained by all third-party entities. This will eliminate multiple, unnecessary assessments while providing an ‘assess once, report many’ mechanism with providers.
A positive impact on the entire healthcare ecosystem
The main benefactors of the standard developed by the council will be the organizations that define it—the providers. However, if there are limited benefits for the third-party community, the adoption of the standard will also be limited. It is critical that the benefits span both providers and third-parties. To this end, the council will drive toward these mutual benefits:
- For all: reduce the time and resources spent on governing third parties who require PHI.
- For all: maintain access to consistent and complete information security and privacy-related risk information regarding third parties who have access to PHI.
- For third parties: provide a transparent and streamlined method for engaging businesses that reduces complexities and differences in contracting, onboarding, and oversight.
- For third parties: allow them to be assessed, audited once, and able to reuse the HITRUST Certified report to engage businesses—with limited duplication of effort.
- For third parties and providers: effectively monitor third parties to ensure they have met contractual obligations without undue burden.
Ultimately, patients are the most important constituents within this ecosystem. Saving money and improving efficiencies will enable providers and third-party vendors to provide better care. But by embracing the value of an improved security posture throughout the ecosystem, we can protect sensitive patient information. This is an expectation they have of us, and a responsibility we cannot take lightly.
For more information about the Provider Third Party Risk Management Council, visit the Provider TPRM website If you have questions for the council, you can contact them at Info@provider-tprm.org.