January 12, 2023
By Jessica Davis
The last year has seen a broader audience understand the disparities between the ‘haves’ and ‘have-nots’ in healthcare, in part spurred by the growing chasm between the two groups. A new collaboration of 20 leading health systems is hoping their experience and market share can begin to bridge that gap, all while addressing the growing problem of third-party vendor risk.
On Jan. 11, the Health 3rd Party Trust (Health3PT) Initiative and Council announced their commitment to providing credible assurance models, bringing standards, and automated workflows to address ongoing vendor management challenges in healthcare.
The group is comprised of security and risk executives from 20 leading healthcare provider organizations, health systems, payers and insurers, and healthcare service organizations, like UPMC, Centura Health, Memorial Sloan Kettering Cancer Center, Highmark Health, Tufts Medicine, Humana, and Walgreens, among others.
There are certainly a number of initiatives working to address the complicated, industry-specific challenges. But stakeholders have frequently told SC Media, any additional attention to these pressing, patient-safety issues is warmly welcomed in the space.
To kick off their collaboration, Health3PT intends to create a series of common practices for effectively managing vendor risk, including methodologies and tools, as well as legislative and regulatory requirements. Health3PT will release a deliverable on third-party risk metrics on the current state of vendor challenges in the sector based on industry feedback in the near future.
“If we can continue to move the industry, if we can affect how these third parties are conducting business and their security practices, we’ve benefited every one of the small providers that maybe don’t have the sophistication or financial wherewithal” to do so independently, said UPMC CISO John Houston.
As SC Media has reported, vendors were behind more than a dozen of the largest reported healthcare data breaches last year, compromising nearly 25 million patient records. The bigger concern is the patient safety risks that inevitably occur when a supply chain partner goes down.
These cyber incidents aren’t just occurring at the care sites with limited security staff or resources; even well-equipped health systems are struggling to address vendor risks.
Take, for example, UPMC: a $24 billion global, nonprofit health system with 92,000 employees across 40 hospitals and 800 outpatient clinical care sites. Houston confirmed to SC Media that UPMC’s security team has approximately 120 members: it’s a “very mature security program.”
Despite being staff- and resource-rich, all of the security incidents at Houston’s organization have been associated with a third party, specifically those with access to or that manage data and services in the cloud. The conundrum is that as cloud use has exploded in the industry, many provided services are now only available in the cloud.
“It’s not like I have the option to say, ‘Oh, I’m running my data center, I can run it in the cloud,’” said Houston. “No, these are cloud-based services that my organization depends upon to deliver healthcare services.”
But it’s that same vendor population causing the “biggest losses or risks,” further stressed by the growing number of vendors and as more of these service providers move to the cloud,” he explained. “It’s a manifested risk, it’s not a potential risk: We’re seeing breaches all the time.”
Houston’s certainly not alone in his experiences: Highmark Health CISO Omar Khawaja, Tufts Medicine CISO Brian Cayer, and Omar Sangurima, principal technical program manager of governance, risk, and program management for Memorial Sloan Kettering Cancer Center, all shared similar sentiments.
To put it into perspective, Houston explained that “every one of us at the table here… probably has at least one copy of every piece of health data in the cloud somewhere, likely even more than one copy. So it’s not like this is a limited issue.” The shift has resulted in entities becoming fully “dependent upon those remote services and cloud based services in order to deliver patient care, and we’re only going to become more dependent.”
In an interview with SC Media, Houston, Sangurima, Cayer, and Khawaja dive deeper into the biggest challenges with vendor management and how the Health3PT hopes to translate their lessons learned and knowledge into tangible tools for providers facing identical challenges.
Healthcare cybersecurity, vendor risk can’t be solved in isolation
There’s a metaphor Khawaja uses to describe vendor risk: “If you have someone that’s sensitive to air quality … you can have all the right filters, you could do all the right things in your home. But if that individual leaves the home and goes outside, it doesn’t matter what you do inside your home, it’s going to have exactly zero value.”
Any plan that suggests, “‘I, the CISO, with this budget, and this authority, and this power can solve this myself,’ is a ludicrous approach,” said Khawaja.
Yet, that’s typically how vendor management is performed in healthcare: questionnaires to be filled out by the vendor attesting to certain security practices that are difficult, if not impossible to validate. Multiply that by each business partner, and the only real guarantee is more paperwork.
That’s why even these leading organizations struggle with vendor exposures: most of the risk is happening outside of the organization, increasing the vulnerability of the entity with each connection.
“It’s not to say that anyone has bad intentions, everyone has really good intentions, everyone is working really, really hard,” said Khawaja. “But the reality is, if we stopped all third-party risk programs, I don’t know that there would be any impact to actual third-party risk.”
That is to say, any program aiming to tackle the vendor challenge on their own is a “dead on arrival program,” he added.
That’s what Health3PT is looking to address: a program built on collaboration with provider organizations within their region, across their states, and to a broader action because “the bigger the collaboration, the more likely it’s going to have impact,” Khawaja explained.
The collaboration will also convene on evolving risk, said Cayer. The model will be supported by lessons gleaned from the pandemic, as well. With new processes come “emerging risks.”
For example, Tufts Medicine was one of the first health systems to move its electronic medical records into Amazon Web Services. The shift created a new opportunity for measuring and understanding risk when moving these services to the cloud, as well as determining how to identify possible threats.
The hope is to create a model for vendor assessment to help others get to the same place without having to “reinvent that process itself,” Cayer added.
A ‘nutrition label’ for healthcare tech
The security leaders that have joined the Health3PT initiative all require HITRUST certification, the common security framework created for healthcare organizations to comply with various regulations and standards based on the organization’s size, types of systems deployed, and applicable regulatory requirements.
In fact, Houston says he won’t do business with vendors unless they’re HITRUST certified. The idea is that if enough organizations stand-up and demand specific security requirements, it compels the vendor “from a business perspective.” And that just helps everyone. He’s seen “more and more vendors say, ‘Oh, yeah, we’re either in process,’ or, ‘Yes, we are HITRUST-certified,’ because they’ve heard it too many times from us.”
The goal is to “raise the floor” using market forces, said Sangurima. Leading health systems are in a position to tell vendors looking to do business in this space that they “can’t just push out products that’s essentially a beta.”
They intend to continue to take a collaborative stance within the market to establish “at least a certain floor of compliance” to assure any products or services brought to market will meet the established security baseline and have a risk posture that “organizations can bank on” because the organizations that aren’t in a position to take that stance with a vendor.
Many “have to take it or leave it. Some of which end up with the low-cost route,” explained Sangurima. While HITRUST may not be ideal for all provider entities, Health3PT aims to use a “nutrition label” model as a way to provide smaller entities with assurance that certain vendors, tools, or service providers are leveraging best practice security measures.
“Leveraging market forces helps not only the ‘have-nots,’ it turns out that’s the only way to help the ‘have’s’ as well,” said Khawaja. The “nutritional label” is accessible to everyone and is scalable, actionable, and understandable. When someone is looking to avoid certain ingredients, they check the label without needing to understand every aspect.
The hope is to create a future where entities can move away from reliance on the third-party risk report, where “99% of the information” isn’t useful as it can’t be tied to actual objectives, he explained. It would also give security leaders back valuable time, by simplifying the process.
Security leaders should be able to focus on the functions that are valuable to the entity, not “reviewing the efficacy of every single third-party client, which is a giant waste of time,” Khawaja concluded. “To me, the litmus test for when a third party risk program’s going to be successful is when no security teams are involved.”