8 Steps to Reduce Third-Party Risk in Healthcare

The healthcare industry faces a rapidly escalating threat of cyberattacks originating from their vendor relationships. The rapid adoption of electronic health records to digitize patient information, the adoption of Internet of Things (IoT) devices like fitness trackers and pacemakers, and reliance on business associates for critical functions make the issue even more acute. Healthcare organizations are likely to face more risks from rapid technological and business relationship change, which are only going to increase.

Several recent high-profile breaches vividly illustrate this risk, such as the American Medical Collection Agency (AMCA) and HCA Healthcare incidents, where inadequate security controls among business associates led to the compromise of millions of patient records.

Despite established regulations like HIPAA and risk management frameworks like NIST SP 800-66, healthcare organizations continue to grapple with third-party breaches, resulting in substantial fines and regulatory scrutiny. Additionally, modern healthcare security and risk management teams face complex TPRM challenges, such as siloed vendor information and insufficient assessment methods.

In this post, we’ll cover the 8 steps that healthcare organizations should take to identify, manage, and reduce third-party business associate risks. Additionally, we’ll review the potential outcomes of implementing a proactive and process-driven approach to healthcare security and TPRM.

8 Steps to Put Third-Party Risk on a Path to Better Health

There are clear steps organizations should take to identify, manage, and reduce business associate risks. These steps will help your organization be more proactive in its business associate risk management program across the vendor lifecycle.

1. Build Risk Management Requirements into Business Associate Contracts

To proactively enhance your healthcare third-party risk management (TPRM) program, automate the contract lifecycle. This ensures the enforcement and tracking of crucial data security and privacy clauses right from the start. By adopting an automated contract lifecycle management approach, you guarantee that the business associate’s contract explicitly outlines responsibilities and right-to-audit clauses. Additionally, this approach facilitates the tracking and management of service level agreements (SLAs), key performance indicators (KPIs), and key risk indicators (KRIs) in a streamlined manner. An important consideration to make at this step is ensuring that your contract lifecycle management capabilities are fully integrated with your third-party risk management platform. That way, you have seamless management of vendors from contracting through risk assessment, and all internal parties can view and manage contracts and risks according to their roles.

2. Develop a Centralized Inventory of All Third Parties

Centralize your inventory of third-party vendors and suppliers for effective governance in healthcare business associate risk management, minimizing the risk of unauthorized vendor relationships impacting your IT operations. Conduct vendor inventory in a centralized system – not spreadsheets – so that multiple internal teams can participate in vendor management and the process can be automated for everyone’s benefit.

Start by importing vendors into a third-party risk management solution through a spreadsheet template or API connection to your existing procurement system. Empower enterprise teams to input key supplier details seamlessly using a centralized and customizable intake form with an associated approval workflow. This user-friendly capability is accessible via email invitation, requiring no specialized training.

As all service providers are consolidated, create comprehensive profiles containing a business associate’s demographic information, fourth-party technologies, ESG scores, recent business insights, reputational details, data breach history, and financial performance. This centralized approach enhances risk awareness across the enterprise and provides procurement teams with valuable context for informed sourcing and selection decisions. This approach has the added benefit of saving costs by the organization no longer having to maintain discrete systems providing data in siloes.

3. Build a Map of Business Associates to Determine Technology Concentration Risk

During the inventory-building process, pinpoint fourth-party technologies within your business associate ecosystem to uncover additional relationships that might pose concentration risks to your organization. This step is crucial for visualizing potential attack paths that adversaries could exploit to target your enterprise, enabling proactive mitigation or remediation of vulnerabilities. Achieve this through targeted assessments or passive scanning.

For instance, if you have a map of business associates using a compromised software tool, you can prioritize vendors for assessment, particularly focusing on top-tier or business-critical ones. This prioritization ensures that any potential malware exposure is thoroughly evaluated, with a strategic emphasis on vendors whose operational disruptions could have a more pronounced impact on your organization.

4. Conduct a Detailed Inherent Risk Assessment to Prioritize Business Associates

Once business associates are centralized and mapped, conduct inherent risk scoring assessments. Criteria used to calculate inherent risk includes:

• Type of content required to validate controls (e.g., data privacy, financial solvency, etc.)
• Location(s) and related legal or regulatory considerations (e.g., GDPR, HIPAA, etc.)
• Criticality to business performance and operations
• Exposure to operational or patient-facing processes
• Interaction with protected health data
• Level of reliance on fourth parties
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments according to the risks they pose to your business.

5. Assess Business Associate Resilience and Continuity Plans

As part of your regular security and data privacy due diligence process, also assess business associates using targeted vendor risk questionnaires that align with known industry standards for supply chain security, such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations. Opt for solutions that offer workflow automation, comprehensive review and analysis, support for evidence management, and built-in remediation recommendations to address security gaps efficiently.

During the assessment process, mandate software vendors to produce a software bill of materials (SBOM). SBOMs not only detail the components that make up a piece of software but can also explain the quality assurance (QA) and security assessment processes utilized during the software development process. This will come in handy during the incident response process described in step 7 below.

6. Continuously Monitor Business Associates for Cyber-Attacks

Proactively managing business associate risks means being continuously vigilant for the next attack – and that requires your team to look for signals of an impending security incident. Key areas to monitor include criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/ breach databases.

To streamline this process, consider adopting solutions that consolidate insights across all risks and present them enterprise-wide. This consolidated approach facilitates correlating monitoring data with assessment results and establishes a unified risk register for each vendor. This integration enhances the efficiency of risk review, reporting, and response initiatives while reducing costs by eliminating redundant software licenses.

Additionally, ensure the integration of third-party operational, reputational, and financial data into business associate monitoring. This inclusion provides context to cyber findings and enables the measurement of the business impact of incidents over time.

7. Test Your Third-Party Incident Response Plan

Automating incident response is key to reducing mean time to detect (MTTD) and mean time to respond (MTTR), which can reduce the impact of third-party incidents on your operations. Consider taking these steps toward a more proactive third-party incident response model:

• Leverage a centralized event and incident management questionnaire to reduce response times and simplify and standardize assessments
• Track questionnaire completion progress in real-time to reduce the potential for impact
• Enable business associates to proactively self-report on incidents to add context and speed response times
• Use workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
• Issue remediation guidance to vendors, helping them to work toward an acceptable level of risk to your organization

By centralizing third-party incident response into a single enterprise incident management process, your IT, security, legal, privacy, and compliance teams can effectively work together to mitigate risks.

8. Consider the Risks of Offboarded Business Associates

Business associates that no longer work with your organization can still present significant risks – if they were not offboarded properly. Be proactive and create offboarding procedures to reduce your organization’s risk of post-contract exposure.

Key steps to take include:

• Schedule tasks to review contracts to ensure all obligations have been met, and use customizable contract assessments to evaluate status
• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, and final payments
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs, and contracts
• Enforce remediations where necessary to protect the company
• Visualize and address any remaining compliance requirements by automatically mapping assessment results to existing regulations or frameworks

Be sure to use tried and tested offboarding checklists to ensure all tasks are addressed according to your organization’s risk management priorities.