Here is the latest monthly blog from the HIMSS Privacy and Security Committee, called PSST! Keep reading to learn more about this month’s topic – Vendor Security Risk Management for Healthcare Organizations, by HIMSS Privacy and Security Committee Member John L. Phelan, Ph.D., Principal, Phelan Consultants.
Despite the increasing focus on security controls and the legal requirements for them, major and minor security breaches seem to have become routine, judging by the news headlines and websites reporting them. What lies behind the headlines may be less obvious: healthcare organizations rely on a plethora of vendors for support, including processing and maintaining data, providing analytics and, in many instances, performing core operational tasks. When there is a breach, a contracted vendor may well share the blame, if not the headline.
This blog considers four important areas that can help lower the security risks associated with third party vendors. These areas include the following:
- Vendor Due Diligence
- Vendor Risk Classification
- Ongoing Vendor Communication
- Cyber Liability Insurance
Vendor Due Diligence
As the volume of outsourced products and services has surged in recent years, so too have the risks associated with vendors and third-party providers. Performing a vendor risk assessment prior to entering into an agreement allows organizations to make informed contracting decisions. It also helps healthcare organizations identify issues that would otherwise typically surface only after the agreement is signed. In addition, organizations can assess the potential of using existing standards and risk management frameworks, such as those available from the Consumer Financial Protection Bureau, COBIT, ISO, PCI, NIST and HITRUST, to ensure measurable and meaningful results.
Vendor Risk Classification
Third-party risk management does not follow a “one size fits all” approach. For effective and efficient use of resources, healthcare organizations need to classify and prioritize vendors by the level of risk that each vendor relationship creates for the organization. This allows limited risk management resources to focus on the vendor relationships that matter most and limits unnecessary work for lower-risk relationships, such as a large vendor with well-established security management controls or a vendor with no access to sensitive data.
Ongoing Vendor Communication
Managing vendor security risk is more than an initial assessment and addressing the risk in a contract. Organizations may be tempted to overlook long-term communication with vendors on security and to avoid conducting regular reassessments of the adequacy of vendor controls. Limited resources make it easy to assume that, once a contract is signed, meeting emerging security concerns within a vendor’s operation is the vendor’s problem. This is not the case, however. The environment, technology and security risks are constantly evolving, and new vulnerabilities can and do emerge. As a result, healthcare organizations should maintain a communications program to obtain assurance that vendor security efforts are consistent with the healthcare organization’s expectations and meet current needs.
Cyber Liability Insurance
It is vital to understand the role of cyber liability insurance in managing security risk. Major breaches have high costs associated with loss of goodwill, operational downtime, liability and the expense of corrective actions. Insurers specializing in cyber liability coverage can help manage the costs and risks associated with a breach. In addition, an organization can better understand its own level of preparedness for mitigating and managing security breaches based on an insurer’s advice on what cyber liability coverage is needed and why.
Healthcare organizations can benefit from assessing their current vendor management programs in relation to their security risk management needs. This blog highlights some of the approaches and actions that these organizations may consider in improving current vendor relationships. Now is the time to take control of these risks.
Readers are encouraged to visit the HIMSS website for a more in-depth look at the issues described in this blog and for links to further information and useful tools.