Written by Bob Quandt, interim ISO for Sharecare as owner of Bullseye Compliance, LLC.
Third-party risk continues to be one of the major areas of concern for healthcare organizations and will remain this way for the foreseeable future. As the healthcare delivery model continues to change and our reliance on third parties to deliver technical services increases, we need to constantly assess our third-party risk management program.
Here are some things to consider as you assess your program:
Make sure you have assessed everyone
Do you have a process in place with your legal and procurement departments to ensure that security has reviewed a vendor before any deal is signed and any check is cut? As the old saying goes, follow the money. Align your processes with these groups and build a relationship with their leadership so they will champion your cause. You can also partner with your procurement, internal audit, or accounting departments to find shadow IT through an expense report audit: it surfaces technology spending that never went through your procurement organization, so you can route those vendors through your third-party risk management program.
Map out your data flow
During your risk assessment process, work with your IT teams to map out the data flows of the applications you are assessing. This will give you a picture of where your data resides and how – and to whom – it is transported. If your security team or your development teams are completing threat models, make sure they note third-party control of data in those models.
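As an added illustration of the two points above (this is example code, not from the original post or from HITRUST), the small model below records each node and flow of a data-flow diagram together with who controls the data, lists what each third party stores or receives and over which transport, and then reconciles those third parties against the vendor register kept by the third-party risk management program, so a vendor found in a data flow but missing from the register, the shadow-IT case, is flagged. The node names, vendor names and register contents are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    """A system or data store in the data-flow diagram."""
    name: str
    controller: str                        # "internal", or the vendor that controls the data
    data_classes: frozenset = frozenset()  # data classes stored at this node, e.g. {"PHI"}


@dataclass(frozen=True)
class Flow:
    """A transfer of data between two nodes."""
    src: str
    dst: str
    data_classes: frozenset
    transport: str                         # how the data moves, e.g. "TLS API", "SFTP"


@dataclass
class DataFlowModel:
    nodes: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_node(self, node: Node) -> None:
        self.nodes[node.name] = node

    def add_flow(self, flow: Flow) -> None:
        # Reject flows to nodes that were never drawn: a common gap in threat models
        for endpoint in (flow.src, flow.dst):
            if endpoint not in self.nodes:
                raise ValueError(f"unknown node in flow: {endpoint}")
        self.flows.append(flow)

    def third_party_exposure(self) -> dict:
        """Map each third-party controller to the data classes it stores or receives."""
        exposure: dict = {}
        for node in self.nodes.values():
            if node.controller != "internal":
                exposure.setdefault(node.controller, set()).update(node.data_classes)
        for flow in self.flows:
            dst = self.nodes[flow.dst]
            if dst.controller != "internal":
                exposure.setdefault(dst.controller, set()).update(flow.data_classes)
        return exposure

    def third_party_transports(self) -> list:
        """(source node, vendor, transport) for every flow that leaves internal control."""
        return [
            (f.src, self.nodes[f.dst].controller, f.transport)
            for f in self.flows
            if self.nodes[f.src].controller == "internal"
            and self.nodes[f.dst].controller != "internal"
        ]


def unassessed_vendors(exposure: dict, register: dict) -> list:
    """Vendors seen in the data flow that the TPRM register does not show as assessed.

    `register` maps vendor name -> True when a completed assessment (or an
    accepted, in-scope certification) is on file. Vendors absent from the
    register entirely are flagged as well.
    """
    return sorted(v for v in exposure if not register.get(v, False))


def build_sample_model() -> DataFlowModel:
    """Constructed sample: an internal portal, one assessed SaaS, one unregistered mail relay."""
    m = DataFlowModel()
    m.add_node(Node("patient-portal", "internal", frozenset({"PHI", "PII"})))
    m.add_node(Node("analytics-saas", "Acme Analytics", frozenset({"PHI"})))
    m.add_node(Node("mail-relay", "MailCo", frozenset()))
    m.add_flow(Flow("patient-portal", "analytics-saas", frozenset({"PHI"}), "TLS API"))
    m.add_flow(Flow("patient-portal", "mail-relay", frozenset({"PII"}), "SMTP over TLS"))
    return m


# Constructed TPRM register: only Acme Analytics has a completed review on file.
SAMPLE_REGISTER = {"Acme Analytics": True}


if __name__ == "__main__":
    model = build_sample_model()
    exposure = model.third_party_exposure()
    for vendor, classes in sorted(exposure.items()):
        print(f"{vendor}: {sorted(classes)}")
    for src, vendor, transport in model.third_party_transports():
        print(f"{src} -> {vendor} via {transport}")
    print("needs assessment:", unassessed_vendors(exposure, SAMPLE_REGISTER))
```

Run as written, the sample reports that Acme Analytics receives PHI over a TLS API, that MailCo receives PII over SMTP, and that MailCo is the one vendor with no assessment on file. In practice the register would be fed from the procurement or TPRM system of record, and the flagged list is the work queue for the program.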
Review your use of HITRUST and partner with your vendors
Are you allowing your vendors to demonstrate that they meet your vendor requirements through a certification process such as HITRUST? I think, either knowingly or unknowingly, we don’t treat our vendors as partners when it comes to vendor security reviews and expectations. I get it, we all are worried about the unknown, and our vendors present us with the largest unknown threat to our environment. However, if we believe that the HITRUST CSF and the certification process help make sure we are all on the same playing field when it comes to building and maintaining strong security practices, then we must make sure our actions demonstrate this belief. Treat your vendors as partners and encourage them to obtain a HITRUST CSF certification as a demonstration that they meet your security program requirements. You will need to work with your vendors to ensure the scope of their certification includes the services they are providing to you. If the scope is covered, accept the certification as attestation. This will save you and your vendor time and money. If you do require additional technical security testing outside of the HITRUST CSF certification, ensure those requirements are clearly outlined (e.g., web application assessment, pen test, etc.).
Survey your vendors
After a vendor has completed its vendor security assessment or other interaction with your organization, ask them to complete a survey to get feedback on your program. Do they think going through the process was beneficial for their program? Do they believe they were treated like a partner or like a part going down the manufacturing line? Depending on the maturity of your vendor, you will get various answers; however, look for consistencies in the responses and use this data to improve your program. Respecting your security program and your process is very different from fearing it. If your vendors respect your program, they will be more likely to comply with your requirements, and most importantly, they will have a partner they trust to work through difficult problems and address any incidents that may occur.
Bob Quandt is the former Vice President of Information Security, ISO for Healthways (now Sharecare), and is now interim ISO for Sharecare as the owner of Bullseye Compliance, LLC.