The Health 3rd Party Trust Initiative, which comprises a spectrum of healthcare and security organizations such as HITRUST and CORL, offers some recommended best practices in its new blueprint for third-party risk management.
The group says they’ll help healthcare organizations meet the satisfactory assurances requirement under the national health information privacy and security rule.
They could also help covered entities qualify for mitigation from regulatory penalties when there is a third-party data breach, according to Health3PT.
WHY IT MATTERS
According to Health3PT, 55% of healthcare organizations experienced a third-party breach in the past year, with vendor-related security events and breaches of protected health information and personally identifiable information by business associates.
The TPRM vetting process is inherently flawed, according to the covered entities and vendors that participated in Health3PT’s survey, conducted between April and June 2023.
The 59 covered entities and 128 business associates that responded show outdated TPRM approaches, resulting in “inconsistent and unclear risk management outcomes,” Health3PT said.
There’s vendor audit fatigue caused by the mountain of proprietary security questionnaires they receive from healthcare organizations, and then there are covered entities with limited IT resources struggling to keep pace with the volume of responses they receive.
Among the many burdens and inadequacies of the TPRM process, inadequately evaluating partners poses enormous risks to organizations.
John Houston, chief information security officer at UPMC, says the survey results underline the problems the industry has been seeing. For the numerous breaches “fully caused” by third pirates, “it ends up with providers often holding the bag,” he said.
Houston told Healthcare IT News this past week that third parties are becoming “much more adamant about putting limitations on their liability in contracts,” so that they avoid liability when their systems, or their fourth-party tools, such as Fortra’s Go Anywhere, cause a patient data breach.
The Health3PT Recommended Practices & Implementation Guide is intended to create standards for the TPRM ecosystem as well as increase trust by standardizing on validated assurance mechanisms instead of one-off self-attested questionnaires.
To further improve efficiency and effectiveness on both sides, Health3PT also recommends sharing assessment results electronically and driving constant security improvement through continuous monitoring and remediation.
The six recommended practices addressed in Health3PT best practices guide are:
- Concise contract language tying financial terms to a vendor’s transparency, assurance and collaboration on security matters
- Risk tiering strategy that drives the frequency of reviews, the extent of due diligence and the urgency of remediation
- Appropriate, reliable and consistent assurances about the vendor’s security capabilities
- Follow-up through to closure of identified gaps and corrective action plans
- Recurring updates of assurance of the vendor’s security capabilities
- Metrics and reporting on organization-wide vendor risks
Creating standards around inherent risk and third-party vendor tiering in healthcare is also of interest to the government.
In the National Cybersecurity Strategy that the Biden Administration released March 1, the administration calls for shifting liability on entities that fail to take responsibility for vulnerabilities and shift risks to the end-users, like healthcare organizations and patients.
“Smaller organizations are challenged with staffing and affordability,” said Glen Braden, principal, CFO and CIO for Attest Health Care Advisors, noted in the in Health3PT’s statement.
“We embraced the HITRUST standard years ago, and we expect our clients to accept it as well because we don’t have the staff to answer hundreds of separate questionnaires,” he said.
“At the end of the day, it’s about providing reasonable assurance. But we have to be able to do it in a manner that is affordable, that can scale and respond to the needs of our customers.”
THE LARGER TREND
Standards for third-party risk management have been lacking for some time, the issue has just been “which standard are you going to go with as an industry?” said Lorraine Bessmer, a senior cybersecurity analyst at St. Luke’s Health System.
In a 2019 interview with HIMSS, Bessemer said she’d initially thought NIST might have taken it up; she said she hoped that an organizational body “with some clout” would come up with recommendations and update them regularly, “because the threat is always changing.”
ON THE RECORD
“We want to be a united front to third parties,” UPMC’s John Houston told Healthcare IT News. “I think this is a huge part of it – being able to go to the industry and say, ‘This is what we expect of you.’ When a third party has any of our data, this is what we expect.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
