Third-Party Risk Assessment

'Healthcare needs a better third-party risk assessment approach'

This was the message I delivered to the HIMSS Global Conference in Las Vegas March 8th through 12th.

Modern healthcare has become a "whole village" effort. This includes a growing number of third-party vendors, suppliers and partners, each of which provides specific but highly critical functions across healthcare delivery. When one of these third parties is cyber-attacked, the repercussions can be alarmingly broad, spanning multiple providers, and at the same time devastating for both patients and providers.

Just look at the impacts that the Synnovis and Change Healthcare attacks have had on patient morbidity and mortality, let alone the financial impact and disruption to providers of healthcare services. The 2024 ransomware attack by the Russian group Qilin against Synnovis, a pathology services provider for the National Health Service (NHS), resulted in the death of at least one patient, a measurable impact on many others, and over 120 cases of low-to-moderate harm, according to NHS data. The UHG Change Healthcare attack by the Russian group ALPHV / BlackCat forced the cancellation of procedures following pre-authorization failures and left many people without their prescription medications for many weeks - some of which were critical to their survival. The outage, which affected a third of US health systems, pushed many smaller providers to the edge financially, resulted in the closure of care providers and pharmacies, and had an immeasurable (but unreported) effect on patient morbidity and mortality.

With such broad and devastating impact, critical third-party vendors have become an easy, high-impact target, whether the intention is to create leverage for a ransom payment or to cause disruption to a critical national industry of another nation.

This serious and now widely exploited vulnerability raises the question of how healthcare delivery organizations should more effectively assess, manage and plan for risks across their vendors, suppliers and partners. Plainly, expecting healthcare providers to risk-assess thousands of individual partners each year is a pipe dream given limited budgets and security resources. And the number is often in the thousands.

We therefore need a different approach, one that places the onus to be secure and compliant upon the third parties themselves, especially where those same third parties provide services to hundreds or thousands of different healthcare providers and where security control objectives are often shared or very similar.

Lack of Visibility

Understanding the scope of the risk surface is the first problem. With distributed purchasing authority, especially in academic medical centers, and legacy auto-renewing contracts, discovering just how many devices, applications, or other systems have access to a hospital's medical network is half of the battle.

One recent audit of a provider, after a lengthy review of contracts and legal vendor agreements, discovered that the initial count was off by an order of magnitude. The hospital was not only paying each year for services it hadn't used in decades, but the person who had agreed to an auto-renewing contract had long since retired and, in some cases, passed away. Random vendors, it seemed, had legacy remote access to hospital networks to maintain and manage leased systems, and rather than shut down unknown remote access permissions, security had been told to leave these accounts up and running despite the risks, because of uncertainty about cutting off something important.

A Common Risk Assessment

In his presentation, Richard examined the need for a common audit and assessment framework across healthcare and the wider-scale use of attestation frameworks like SOC 2 Type II as an improved indicator of security, compliance, and resiliency across third parties.

"Placing the onus on vendors to prove that they meet or exceed provider security policies and standards, plainly has to be the future, when you have thousands of vendors that need assessing and auditing," he stated.

"But we need a common audit framework to ensure that specified compliance and risk control objectives have been met and have proven to be repeatable, rather than a one-off point-in-time validation, and we need a trusted audit standard followed by a reputable independent auditor. And that's one of the reasons why I look for an SSAE 18 SOC 2 Type II attestation. That's not to say that an ISO 27001, HITRUST or other certification might not be a suitable alternative, but reviewing, mapping and comparing control objectives takes time. Time that hospital security teams usually don't have!"

Separate Annual Assessments can be Expensive for Vendors

Most healthcare providers share a pool of third-party vendors that provide healthcare systems or services for pathology, PACS, EMR, cardiology, billing, etc. They also share the same pool of business software vendors - Microsoft, CrowdStrike, Cisco, Oracle, AWS, GCP, etc. Each year the healthcare sector loads up many of these vendors with the exact same audit questions to assess and validate security risk and compliance. That can be a massive hit upon those that don't have a current SOC 2 ready to send.

While some third parties have made the move to SOC 2s, others have yet to do so. Plainly they need to do so if they want to maintain staff sanity as audits and assessments ramp up.


Assessment Automation

Audits and assessments can be expensive and very time consuming. With thousands of artifacts to assemble and match to control objectives, they require a complete project management infrastructure to be managed properly, whether to meet compliance dates or to renew cyber risk insurance. Most of this is still conducted manually today, despite the better judgement of audit managers who see their workloads steadily increase each year.

With so many vendors to risk-assess each year, whether that assessment is conducted by a third-party auditor like PwC, KPMG or Deloitte, or by a hospital security team, doing more of the same and expecting more than very minor improvements to workflow and processes is like rearranging the deckchairs on the Titanic and expecting a different result. That's why we need better automated audit tools that leverage AI to help drive efficiency, but ones that don't depend on complicated or proprietary frameworks.

New Assessment Tools

Fortunately, new tools are beginning to emerge that support:

•  Automated evidence collection which maps to cross-framework controls

•  AI validation that the correct evidence was uploaded for a specific control

•  The full audit sign-off on the same platform that was used for readiness

•  AI-enabled report generation – because who has time to write reports?

•  Full project management with task dependencies

•  SOC 2 AICPA standards for both readiness assessments and final audit

This new generation of tools simplifies and streamlines pre-assessment and audit activities. They reduce the time needed for audits and assessments and streamline workflows while reducing cost and complexity. They are undoubtedly the future, but these improvements need to be paired with better visibility into what connects to medical networks and a requirement that third-party vendors provide a SOC 2 attestation of their security controls. Only then will the growing morass of third-party risks become more manageable for healthcare regulated entities. Only then will some semblance of normality, availability and safety be restored to the patient community reliant upon their health services.