By Michael Parisi, Vice President, Business Development & Adoption, HITRUST
Breaches, ransomware, and other cyberattacks are often introduced through third-party vulnerabilities. Underscoring this risk, the Ponemon Institute reports that “over half of organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.”
All vendors are third parties, but not all third parties are vendors. A third party is any partner with whom your organization exchanges data or shares network connectivity, including through internet portals. Third-party risk management (TPRM) has always been challenging in healthcare and is even more difficult now, with an ever-increasing level of information security threats and the added demands caused by COVID-19.
Source: “A Crisis in Third-Party Remote Access Security,” a 2021 report conducted by the Ponemon Institute.
COVID-19 Conditions May Have Increased Risk Exposure
As unprecedented events unfolded in response to the pandemic, healthcare organizations took extraordinary measures to serve their communities by quickly ordering test kits, treatment materials, medical supplies, personal protective equipment, and more. In many cases, these urgent demands forced organizations to short-circuit their usual, more thorough third-party vetting and evaluation processes. In addition, requirements to capture, store, communicate, and report both patient and business operations information, sometimes to and from temporary remote locations such as parking lot tents, added an unprecedented layer of complexity and exposure to third-party information security and management. The rapid expansion of telemedicine over shared virtual collaboration platforms introduced yet another path by which shared data could be compromised.
Because vendors were fast-tracked during a time of need and sharing of protected health information (PHI) began happening in new ways, healthcare supply chain ecosystems may now include business partner vulnerabilities that pose residual risks that organizations do not even realize are present. The most prudent approach today is for healthcare organizations to look closely at the current risk profile of every third-party relationship.
Proactively Addressing the Current State of Third-Party Risk Management
Protecting sensitive patient data requires close teamwork because of the mutual dependencies among large hospitals, smaller care facilities, physicians, and other care specialists, as well as pharmacies, medical suppliers, and supply chain partners. Because of this heavy collaboration, healthcare organizations must provide each other with credible information protection assurances in order to conduct business safely.
Now that healthcare is slowly returning to a more normal state of operations, it is an ideal time to go back and identify, assess, and manage third-party risk, some of which may have been introduced during the early days of the pandemic. This proactive process includes understanding the inherent risk of each third-party relationship and obtaining appropriate, comprehensive, and transparent assurances that address that risk. Keep in mind that under the HIPAA Omnibus Rule, certain Privacy Rule provisions and the entire Security Rule apply directly to Business Associates and their subcontractors, who are directly liable for compliance. Because breach notification obligations and compliance scrutiny are shared in this way, Covered Entities have an ongoing responsibility to review Business Associate compliance and to include appropriate liability protections in their third-party agreements.
Solidifying TPRM Programs Adds Immediate and Long-Term Benefits
Enhancing information risk management programs is both a responsible and a fiscally sound strategy. According to the HIPAA Journal, citing an IBM Security report published in 2019, the average cost of a data breach in the healthcare sector is $6.45 million, the highest of any industry. Applying current industry best practices to manage information exchange with and among third parties reduces exposure, adds peace of mind, and establishes a solid foundation for the future. With a strong third-party risk management program in place, it is far easier to perform due diligence and to add vendors, suppliers, and business partners with confidence going forward.
Introducing… The HITRUST Assessment XChange
Whether your TPRM function is part of an existing Governance, Risk, and Compliance (GRC) program or operates on its own, chances are you could use additional resources to help ensure that business partners are not introducing risk into your data management systems, and to identify current risk of which you may not be aware. The HITRUST Assessment XChange™ (the XChange) is a managed service offering designed to augment, complement, and extend an organization’s risk management program. Under your guidance, the XChange team assumes much of the administrative burden of working with your third-party network to evaluate risk and obtain the appropriate level of assurance. By relying on the XChange to streamline and simplify third-party risk management tasks, your risk management team has far more time to devote to strategic activities.
To further explore strategies that cost-effectively enhance Third-Party Risk Management programs, visit HITRUST Booth #7401 at the HIMSS Global Health Conference & Exhibition in Las Vegas, August 9-13.
For more information about HITRUST Assessment XChange, or any of the HITRUST information protection solutions – Call: 214-618-9300 or Email: email@example.com.
About the Author
Michael Parisi, Vice President of Business Development & Adoption, HITRUST
Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting, including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed-Upon Procedures, and customized AT-101 engagements. Michael is deeply involved in helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.