Showing posts with label Cyber-Breach Insurance. Show all posts

Third-Party Risk Assessment

'Healthcare needs a better third-party risk assessment approach'

This was the message I delivered to the HIMSS Global Conference in Las Vegas March 8th through 12th.

Modern healthcare has become a "whole village" effort. This includes a growing number of third-party vendors, suppliers and partners, each of which provides specific but highly critical functions across healthcare delivery. When one of these third parties is cyber-attacked, the repercussions can be alarmingly broad across multiple providers, and at the same time devastating for both patients and providers.

Just look at the impacts that the Synnovis and Change Healthcare attacks have had on patient morbidity and mortality, let alone the financial impact and disruption to providers of healthcare services. The 2024 ransomware attack by the Russian group Qilin against UK pathology provider Synnovis, a partnership with two of London's largest National Health Service (NHS) Trusts, resulted in the death of at least one patient, a measurable impact on many others, and over 120 cases of low-to-moderate harm, according to NHS data. The UHG Change Healthcare attack by the Russian group ALPHV / BlackCat forced the cancellation of procedures following pre-authorization failures and left many people without their prescription medications for many weeks, some of which were critical to their survival. The outage, which affected a third of US health systems, pushed many smaller providers to the edge financially, resulted in the closure of care providers and pharmacies, and had an immeasurable (largely unreported) effect on patient morbidity and mortality.

With such broad and devastating impact, critical third-party vendors have become an easy, high-impact target, whether the intention is to create leverage for a ransom extortion payment or to cause disruption to a critical national industry of another nation.

This serious and now widely exploited weakness raises the question of how healthcare delivery organizations should more effectively assess, manage and plan for risks across their vendors, suppliers and partners. Plainly, expecting healthcare providers to risk-assess thousands of individual partners each year is a pipe dream given limited budgets and security resources, and the number of third parties is often in the thousands.

We therefore need a different approach, one that places the onus to be secure and compliant upon the third parties themselves, especially where those same third parties provide services to hundreds or thousands of different healthcare providers and where security control objectives are often shared or very similar.

Lack of Visibility

Understanding the scope of the risk surface is the first problem. With distributed purchasing authority, especially in academic medical centers, and legacy auto-renewing contracts, discovering just how many devices, applications, or other systems have access to a hospital's medical network is half of the battle.

One recent audit of a provider, after a lengthy review of contracts and legal vendor agreements, discovered that the hospital's initial count was off by an order of magnitude. Not only was the provider paying each year for services it hadn't used in decades, but the person who had agreed to an auto-renewing contract had long since retired and in some cases had passed away. Random vendors, it seemed, had legacy remote access to hospital networks to maintain and manage leased systems, and rather than shut down unknown remote access permissions, security had been told to leave these accounts up and running despite the risks, because of uncertainty about cutting off something important.

A Common Risk Assessment

In his presentation, Richard examined the need to better assess healthcare third parties, whether HIPAA Business Associates or simple business partners and suppliers. 

"Right now" he claimed, "we have things backwards with payers and providers expected to assess each of their vendors. This is not only impractical given the numbers, but also prohibitively expensive in time and resources. We need to squarely place the onus on vendors to prove that they meet or exceed payer and provider security policies and standards. Not the other way around."

"We do this by having our vendors bring us proof that they meet OUR security requirements in the form of a SOC 2 Type II attestation from a reputable auditor, or an ISO27001 or HITRUST certification, where the control objectives can be easily mapped to OUR risk and compliance requirements."

"This requires third parties to get onboard with a set of standardized common security controls under a recognized audit framework to validate that common security compliance and risk control objectives have been met and have proven to be repeatable, rather than a one-off point-in-time validation. And repeatability is critical here", he added. "Just look at some of the third party breaches and how they followed a recent point-in-time assessment."

Some vendors will be ISO 27001 certified, others may have shelled out for HITRUST, but neither is cheap. Some of these compliance requirements, however, may need to be cross-mapped to a payer's or provider's specific risk assessment objectives. For others, an SSAE 18 SOC 2 Type II attestation may be easier and more feasible, while larger third parties like Microsoft or Cisco will readily have both ISO and SOC 2 reports available for their customers.

Perhaps the biggest argument for a SOC 2 attestation over a certification is who pays. Cybersecurity certification costs usually need to come out of the security budget. A SOC 2 is often completed by the same company that performs the organization's annual financial audit and so is usually billed to accounting rather than security.
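The two problems above, orphaned remote access from contracts nobody owns and vendor attestations that are point-in-time or no longer cover the provider's control objectives, can be triaged from a vendor register. The script below is an added example, not the author's or any vendor's tooling; the register rows, the 12-month freshness window and the control-to-criteria mapping are constructed assumptions for illustration.

```python
"""Triage a third-party register: attestation freshness, control coverage and
orphaned remote access.  Added example; register data and mapping are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Illustrative mapping from a provider's own control objectives to the criteria
# a vendor attestation can evidence (assumed, not a complete crosswalk).
CONTROL_MAP = {
    "access_review": {"SOC2": "CC6.2", "ISO27001": "A.5.18", "HITRUST": "01.c"},
    "vuln_mgmt":     {"SOC2": "CC7.1", "ISO27001": "A.8.8",  "HITRUST": "10.m"},
    "incident_resp": {"SOC2": "CC7.4", "ISO27001": "A.5.26", "HITRUST": "11.c"},
}
REPEATABLE = {"SOC2_TYPE2", "ISO27001", "HITRUST"}  # period-based, not one-off
MAX_AGE_DAYS = 365                                   # assumed freshness window

@dataclass
class Vendor:
    name: str
    attestation: str                 # SOC2_TYPE2, SOC2_TYPE1, QUESTIONNAIRE, NONE ...
    period_end: Optional[date]       # end of audited period or certificate date
    criteria: Set[str] = field(default_factory=set)  # criteria the report covers
    contract_active: bool = True
    owner_active: bool = True        # is the contract owner still employed?
    remote_access: bool = False      # does the vendor hold network access?

def triage(v: Vendor, today: date) -> List[str]:
    """Return findings a security team would act on; an empty list means OK."""
    findings = []
    if v.attestation not in REPEATABLE:
        findings.append("point-in-time or no attestation")
    elif v.period_end is None or (today - v.period_end).days > MAX_AGE_DAYS:
        findings.append("attestation older than 12 months")
    else:
        fw = "SOC2" if v.attestation == "SOC2_TYPE2" else v.attestation
        gaps = [c for c, m in CONTROL_MAP.items() if m[fw] not in v.criteria]
        if gaps:
            findings.append("unmapped controls: " + ",".join(gaps))
    if v.remote_access and not (v.contract_active and v.owner_active):
        findings.append("orphaned remote access")
    return findings

if __name__ == "__main__":  # constructed sample register
    for v in [Vendor("PathLab", "SOC2_TYPE2", date(2024, 12, 31), {"CC6.2", "CC7.1", "CC7.4"}),
              Vendor("OldPACS", "SOC2_TYPE1", date(2021, 1, 15), remote_access=True, owner_active=False)]:
        print(v.name, triage(v, date(2025, 3, 1)))
```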

Separate Annual Assessments can be Expensive for Vendors

Most healthcare providers share the pool of third-party vendors that provide healthcare systems or services for pathology, PACS, EMR, cardiology, billing, etc. They also share the same pool of business software vendors: Microsoft, CrowdStrike, Cisco, Oracle, AWS, GCP, etc. Each year the healthcare sector loads up many of these vendors with the exact same audit questions to assess and validate security risk and compliance. That can be a massive hit upon those that don't have a current SOC 2 ready to send.

While some third parties have made the move to SOC 2 reports, others have yet to do so. Plainly they need to review their options if maintaining staff sanity is a priority as audits and assessments ramp up.


Assessment Automation

Audits and assessments can be expensive and very time consuming. With thousands of artifacts to assemble and match with control objectives, they require a complete project management infrastructure to be managed properly, whether to meet compliance dates or to renew cyber risk insurance policies. Most of this is still conducted manually today, despite the better judgement of audit managers who see their workloads steadily increase year over year.

With a growing number and complexity of third-, fourth-, and fifth-party vendors and suppliers to assess each year, auditors face an uphill challenge. Whether assessments are conducted by a dedicated hospital security and compliance team, or by a recognized AICPA / BIG4 auditor like PwC, KPMG, Accenture, or Deloitte, incremental changes to manual, labor-intensive audit processes can never truly move the needle on costs and efficiency. That's why we need better automated audit tools that leverage AI to help drive efficiency, but ones that don't rely on complicated or proprietary frameworks. It's also important that many of the problems of AI-based applications, such as hallucinations, are avoided by requiring a human in the loop (HITL), especially in audit systems used to calculate and evaluate risk.

New Assessment Tools

Fortunately, new tools are beginning to emerge that support:

•  Automated evidence collection which maps to cross-framework controls

•  True contextual data evaluation that understands what submitted data means

•  AI validation that uploaded evidence meets each specific control

•  The full audit sign-off on the same platform that was used for readiness

•  AI enabled report generation – because who has time to write reports?

•  Full project management with task dependencies

•  SOC 2 AICPA standards for both readiness assessments and final audit

This new generation of tools simplifies and streamlines pre-assessment and audit activities. They reduce the amount of time needed for audits and assessments and streamline workflows while reducing cost and complexity. They are undoubtedly the future, but these improvements need to be paired with better visibility into what connects to medical networks and a focus upon third party vendors to provide a SOC 2 attestation of security controls. Only then will the growing morass of third party risks become more manageable for healthcare regulated entities. Only then will some semblance of normality, availability and safety be restored to the patient community reliant upon their health services.