By Britton Burton, Senior Director of Product Strategy at CORL Technologies, and Ryan Patrick, Vice President of Adoption at HITRUST
HITRUST and CORL Technologies (CORL) specialize in delivering cybersecurity assurance products and services for the healthcare industry including Third-Party Risk Management (TPRM) programs. We have had the privilege of working closely with many of the nation’s premier healthcare organizations. Our companies have been listening attentively to our clients and colleagues and one message has come across loud and clear: TPRM is broken and we need to collaborate as an industry to fix it.
This blog provides a summary of the feedback and perspectives from cybersecurity and risk leaders charged with managing healthcare TPRM programs. Our goal is to surface the primary obstacles facing TPRM programs and set the stage for further collaboration around leading practices and standards for TPRM success in the months and years to come.
Challenge #1: We Are Overwhelmed
As healthcare organizations continue to expand their reliance on third parties for critical business functions, the sheer volume of digital health technologies supporting the healthcare ecosystem has created a chokepoint for security teams to vet vendors during the procurement process. Accurate and thorough due diligence takes time when using standard questionnaire-based vendor assessment models.
Requests for due diligence assessments are coming in faster than we can manage, creating a backlog for inbound assessments and leaving our internal business owners highly dissatisfied. On top of that, we know we need to reassess critical vendors in our portfolio over time as their technology changes and threats evolve, but we can’t get our heads above water to begin to tackle reassessments any time soon.
Vendors in the supply chain are equally overwhelmed. Every prospective customer requires some form of security due diligence that stands in the way of closing deals and getting down to business. Questionnaires are inconsistent from customer to customer and there is a high variance of expectations across healthcare entities. The goal posts keep moving and vendors are inundated with more security audits than their finite resources and teams can deliver in a timely fashion. This leaves customers highly dissatisfied and introduces risks for the ability to close deals.
On top of all this, companies often find themselves as both a client and a vendor in the healthcare ecosystem. That means most of us are overwhelmed on both sides of the equation: managing our own third-party risk and responding to inquiries by clients to manage their third-party risk.
Challenge #2: We Have Blind Spots on Vendor Risks
While all healthcare organizations acknowledge that we are obligated to scrutinize our third-party providers from a risk management and compliance perspective, our vendor risk assessments cover only a small fraction of our full vendor portfolio. We have had trouble accurately identifying all vendors that service our organization. For those vendors that we do know about, we have had to prioritize assessments for our mission-critical vendors and those that present the highest inherent risks to our organization.
This leaves hundreds of vendors that have not been recently assessed for cyber risks and creates gaping blind spots for our visibility into risks to our patient data and systems across the enterprise.
The emergence of vulnerabilities and breaches in fourth-party products and services including prominent examples such as Log4j, SolarWinds, and Okta have left us unable to identify which of our third-party vendors have been impacted. Our third-party vendors do not maintain accurate inventories of their own supply chain products which in turn means that both we and our third-party vendors are blind to the potential exposures of our critical data and applications.
While advances in tools like CAASM, CSPM and EASM offer exciting possibilities, no single technology or tool can solve our risk blind spot problem.
Challenge #3: There is Limited Follow Through on Remediation of Identified Risks and Very Little Continuous Monitoring
Our teams have limited bandwidth to continually follow up and track remediation of risks identified in vendor assessments. This means that we are surfacing vendor risks to our business stakeholders to help them make informed decisions, but we aren’t doing enough to validate that our vendors are closing the security gaps we identify over time.
This leaves us with a default position of accepting far more risks than we would prefer rather than mitigating or reducing risks across our vendor portfolio. And even when we can track critical risks from identification to full remediation, we struggle to accurately report and articulate the reduction in risk that our efforts provided.
Compounding this issue, continuous monitoring of third-party risk is virtually non-existent in the healthcare industry. We know that ensuring vendor security programs continue to function after our initial assessment is critical to protecting our organizations and their sensitive data. However, pointing back to challenge #1, we are so overwhelmed with new vendor intake, that we fail to continuously monitor the security posture of our vendors after the initial contracting cycle ends.
Challenge #4: TPRM Solution Offerings are Incomplete
There are a slew of TPRM technologies on the market that are helping to accelerate communication and reporting around vendor risk management. Examples include questionnaire automation tools, Governance Risk and Compliance (GRC) platforms, cyber risk scorecard solutions, digital workflow management tools, and more.
These automation tools are helping us with some aspects of the problem like speeding up the collection of risk data from the vendor. However, these automation solutions often produce noisy risk reporting that is difficult for stakeholders to understand. More importantly, these tools do not meet the final objective of obtaining validated, trusted risk intelligence on vendors and driving them to remediate and eliminate their risk exposures.
Point solutions for TPRM also often operate independently from other TPRM tools and processes and do not communicate effectively to support a reporting of a complete risk posture for the vendor. Some of these solutions, including cyber risk scores, provide external indicators of a vendor’s security posture, however, they do not provide the risk intel we need on the vendor’s specific products and services that are in-scope for our own implementations. This provides us with only a partial view of the vendor’s risk posture as it relates to our organization.
Challenge #5: There is No Defined “Gold Standard” for TPRM Programs
When speaking with peers in the industry about their TPRM programs, it becomes evident that there is no “typical” process for healthcare TPRM functions. TPRM programs vary greatly in design and implementation depending on organizational maturity, prioritization, staffing, budget, and many other factors.
Some organizations rely heavily upon TPRM tech solutions or validated assessments like HITRUST and SOC 2 to inform vendor risk decisions, while others are questionnaire-centric and heavily dependent on manual audit processes. Yet other programs will outsource part or all of their TPRM programs to third-party TPRM solution providers.
Healthcare risk leaders also have varying interpretations and models for defining the inherent risk of vendors. This leads to vendors being held to different standards of criticality from organization to organization. For example, some organizations define the criticality of the vendor based on the vendor’s size or the organization’s spending with the vendor, while others define criticality based on the volume of sensitive information (e.g. ePHI) maintained by the vendor. These are just examples; it seems like every healthcare organization has its own inherent risk paradigm.
Reporting of vendor risks is often incomplete and limited to highly-technical audit results on a vendor-by-vendor basis. Few TPRM programs are able to report risks across the entire vendor portfolio in a way that both technical and non-technical stakeholders in the business can understand.
This lack of consistency in healthcare TPRM programs also leaves vendors in the impossible position of trying to satisfy all customer expectations.
Challenge #6: Insufficient Adoption Certifications and Assurance Models
Healthcare leaders can’t seem to agree on which certifications and assurance models are sufficient for vendors to demonstrate compliance with security expectations. For example, many healthcare entities promote and require HITRUST assurance including certifications while others will accept SOC 2 attestations or other industry assurance models.
Yet other TPRM programs neither require nor promote any assurance or certification models and instead rely on heavily manual questionnaire-based assessments that drive inefficiencies and costs for all parties involved.
Challenge #7: Inability to Satisfy all Stakeholders
The internal politics of multiple stakeholders with competing priorities has proven to be an obstacle for successful TPRM. Organizations often struggle to simultaneously address the needs of the business owners who want to onboard a third-party to meet a business need, the CISO who is focused on the security risk a third-party presents, the procurement team who wants to follow their established process, and others, like the CFO, who may be cost conscious.
This organizational complexity tends to result in security risk management being deprioritized. We must find a way to effectively collaborate with ALL internal stakeholders and do a better job enabling the business, or we will always be ineffective at managing third-party risk.
We have all heard the saying, “if it ain’t broke then don’t fix it”. Well, it’s become abundantly clear that TPRM is broken in healthcare and we all need to work together to fix it. The current models are unsustainable and inadequate to meet the evolving threat landscape facing our industry.
HITRUST and CORL are committed to bringing industry leaders together to create the catalyst for change that is needed in the TPRM space in healthcare.
- We envision a future where TPRM programs provide standardized, efficient, and cost-effective evaluation and reduction of vendor and supply chain risks.
- We believe in creating norms around inherent risk and vendor tiering in the TPRM ecosystem.
- We believe there is immense value in the inherited trust the industry can provide through rigorous third-party assurance mechanisms.
- We believe that pushing the industry towards the concept of healthy security program indicators and focusing on cyber resiliency is a rising tide that lifts all boats.
- We believe that it is far better for cybersecurity risk managers to understand some risk for all of their vendors than to have a deep risk understanding of a small percentage of their vendors.
- We believe in the value of driving constant security improvement through continuous monitoring and remediation.
- We believe in changing the conversation about third-party cybersecurity risk from one that is deeply technical and confusing to one that is easily understood by business and clinical leaders.
- We believe that all of us – healthcare providers and payors, third party vendors, and cybersecurity professionals – must collaborate to create a better way forward
In short, we believe there is a better way. TPRM is broken, but CORL and HITRUST are going to work together with our healthcare industry partners, on the vendor side and the healthcare organization side, to fix it.
We look forward to continued dialog and plan on launching proactive initiatives to engage the healthcare TPRM community to carve a better path forward together as an industry. Stay tuned for more updates as we look to continue to make additional investments toward these worthy and necessary objectives.
We are up for the challenge. Are you?
About CORL Technologies
CORL is a service-centered solution for vendor risk management, compliance, and governance that is 100% focused on the unique needs of the healthcare space. Driven by the belief that third-party vendor risk should be about business acceleration and not business prevention, we are the only platform and partner on the market to enable the velocity and validation needed for healthcare organizations to simultaneously achieve their digital goals and contain their digital risks.
About the Authors
Ryan Patrick, Vice President, Adoption HITRUST
Ryan Patrick brings over 20 years’ experience in security and information technology. Prior to joining HITRUST, Ryan served as the Senior Vice President of Security for Intraprise Health. Working within organizations like MetLife and Memorial Sloan-Kettering Cancer Center as a security analyst, Ryan has gained a wealth of experience conducting risk assessments against HIPAA, ISO 27001, NIST 800-53 and PCI-DSS. He is a retired Colonel in the United States Army, holds a CISSP, a Masters of Strategic Studies from the U.S. Army War College, and an MBA from Norwich University.
Ryan served as the Executive Director for the Tampa Warriors Hockey Program for 2.5 years a disabled veteran non-profit organization focused reducing veteran suicide in the US. He currently serves on the Board of the Girls, Inc of Pinellas Park.
Britton Burton, Senior Director of Product Strategy CORL Technologies
Britton is a cybersecurity and risk management practitioner with over a decade of experience designing and leading security programs and teams in the healthcare setting. Prior to joining CORL, he served as Director of Risk Management at HCA Healthcare. In that role, Britton was responsible for a from-scratch rebuild of the security risk program that covered the entire portfolio of businesses under the HCA umbrella. He executed against the strategic vision to make risk visible, facilitate well-informed decision making, and drive accountability across the organization by implementing a risk framework, developing operational processes and GRC tools, and using data analytics and BI visualization. Prior to his national role, Britton served as the Director of Information Security in Kansas City for HCAs MidAmerica Division where he led TPRM, risk management, Incident Response, and Disaster Recovery efforts for the division.