Healthcare delivery organizations (HDOs) rely heavily on third-party vendors for everything from medical device management and supply chain vendors to data centers and software platforms. Without these essential vendors, HDOs would struggle to manage and maintain critical elements that allow them to deliver high quality patient care.
But with so many different vendor relationships also comes an introduction of third-party risk, especially with those vendors who must gain access to your network in order to fulfill their contractual obligations. Bad actors who gain access to your network can seriously endanger sensitive data and critical operations. Therefore, every HDO that works with third-party vendors must have strict policies in place when access to the network is essential for the vendor’s operations.
Learn the most important steps to developing a clear policy for allowing access to your network, aligning your organization’s governance with vendor policies, and negotiating contracts that allow your organization to maintain control and identity of any vendor on your network.
Third-party vendors are essential partners in HDOs because they provide services and products that healthcare organizations are not able to produce in-house. With limited budgets and resources, third-party vendors step in to deliver services that enhance the safety and efficacy of operations and ensure that HDOs are able to keep patient care top of mind. However, third parties introduce the possibility of data breaches or cyber attacks, whether the vendor knowingly or unknowingly introduces the risk.
In the instance of Trinity Health’s 2020 and 2021 third-party data breaches, ransomware and cyber attacks on two different software vendors led to millions of patient records and protected health information (PHI) being compromised. Nearly every hospital in the country was impacted by the ransomware attack on UnitedHealth Group’s subsidiary Change Healthcare, which led to a complete shutdown of Change Healthcare operations and impacted patients trying to access critical care.
Data breaches and cyber attacks that result from third-party vendors are extremely costly, delay critical business functions, and impact patient care. Developing strict policies for how you allow third-party vendors to access your network is the very first step to protecting your healthcare organization.
Healthcare organizations maintain full accountability for their healthcare cybersecurity, including the network, devices, and cyber-physical systems (CPS). In order to maintain accountability for the vendors you allow to access your network, it’s essential to maintain control over identity and access. Anytime a vendor accesses your network, your organization must have full visibility over who they are, what they are doing and why, when they have access and from where. Without full visibility and identity, it’s impossible to fully protect your environment, or in the worst possible scenario, retroactively determine where a breach or cyberattack originated from.
Maintaining identity is particularly important for remote access. Every vendor will have their own internal processes and policies for providing remote access, including their own service providers. If a vendor’s internal solution for accessing your network remotely does not meet your standards for protecting your environment and maintaining identity and control, then it’s essential to bridge the divide and find a solution that balances granting access with protecting your organization.
Practical steps for maintaining identity and control on your network include:
Limiting access, or giving escorted access and recording it through a secure remote access tool.
Performing a thorough security assessment of all vendors before contracting them.
Developing defined credentials they must use in order to access the network.
Employing an identity solution.
Maintaining a strong perimeter that provides visibility into who accessed what, at what time, and why.
Creating a non-employee identity system that can be used as the credential for vendors.
Healthcare organizations are bound to strict regulations and policies, both internally and externally enforced. U.S. Federal regulations like the HIPAA access control standards demand that an HDO be able to uniquely identify anyone on its network who has the ability to access protected health information (PHI). If your organization isn’t able to do this for each and every third-party vendor who accesses your network, then you are out of compliance.
In addition to government regulations, it’s essential that your organization develop internal policies and governance for how you will secure your network and protect it from third-party risk. Develop standards that can be adopted and maintained for everyone in your organization.
Key steps to maintaining governance of third-party access policy include:
Educating all staff members and third-party vendors who have access to the network.
Defining processes that fit both internal policies and external regulations.
Using technology to restrict or administer access in line with defined policies.
Maintaining an accurate inventory of assets and applications so you have full visibility into what needs to be protected.
Working in partnership with vendors to ensure compliance with federal regulations and internal policies.
Not all third-party vendors understand the high standards of accountability healthcare organizations are held to, which is why HDOs should consider working strict accountability into vendor contracts to ensure vendors are taking responsibility for all of their actions and working within the parameters of your organization’s policies.
Without specific language in your vendor contracts, you’re relying on the governance that vendors determine for themselves to take accountability for their own systems if something goes wrong. That level of accountability may not match the level your organization would prefer a vendor to take. Contract discussions are always difficult, but taking the time to agree on a mutually beneficial level of accountability can save your organization in the long run. After all, it’s your HDO that has the highest level of accountability to auditors should a cyber incident take place.
Some things to consider in relation to defining accountability in vendor contracts include:
Don’t allow vendors to perform work for you without auditing, monitoring, controls, identity proof, or proper authorization.
Consider cost factors from a security standpoint. While it may be more convenient or cost effective to allow remote access, if a vendor is unable to meet your security demands then it may be less risky to bring them on site to perform the work so that you maintain control.
In contract negotiations, use all the tools at your disposal to advocate for procedures that are in line with the regulations you must comply with and the policies your organization has developed.
Balancing relationships with third-party vendors is challenging for any healthcare organization, but adding in the need to protect your network and CPS from third-party risk adds another layer of complexity. The stakes are high and warrant carefully considered, proactive steps to prevent any vendor who can access your network from doing harm.
Any secure access solution utilized to manage third-party risk in healthcare environments should deliver the following outcomes:
Increase Productivity: Third-party vendors need access to efficiently complete their work, leading to better patient outcomes, faster issue resolution, and improved Mean Time-to-Repair (MTTR).
Reduce Risk: The right solution grants access while employing strong security controls that reduce risks such as unauthorized access and identity risks.
Reduce Complexity: Ideally, secure access should be granted seamlessly, without several complex steps. The best solution is scalable and offers access both in the cloud and on-premises.
If your organization’s policies about managing third-party risk could be enhanced or you’ve identified opportunities to strengthen accountability in vendor contracts, the time to act is sooner rather than later.
To learn more about risk management, Claroty xDome, or Healthcare Secure Access, speak to a member of our team today.