HIPPA Journal
January 13, 2023

A group of 20 security and risk executives from leading healthcare provider organizations have come together to share their insights and guidance with less well-resourced healthcare organizations to improve information risk management in the healthcare industry, including addressing one of the most urgent healthcare cybersecurity challenges – third-party risk management.

Cyberattacks on vendors have increased sharply with these attacks impacting many healthcare organizations. In 2023, virtually all of the top ten data breaches occurred at vendors. An attack on a vendor can give a threat actor access to the networks and data of many different healthcare organizations, and many vendors have insufficient security measures in place.

A recent survey conducted for the Healthcare and Public Health Sector Coordinating Councils (HSCC) found that healthcare organizations of all sizes are struggling to manage third-party risks, especially small- and medium-sized healthcare organizations, which typically have limited budgets and resources to devote to third-party risk management. The HSCC survey revealed the focus of many third-party risk management programs is new vendors during the onboarding process, with existing vendors often failing to be monitored and assessed. Gartner reports that only 23% of security and risk leaders monitor third parties for cybersecurity exposure in real-time.

The group includes security professionals from leading healthcare organizations such as Amerisource Bergen, Centura Health, CVS, HCA Healthcare, Healthix, Highmark Health, Humana, Premera Blue Cross, St. Lukes Health System, and UPMC, who have created the Health 3rd Party Trust (Health3PT) Initiative, which builds on the Provider Third Party Risk Management (PTPRM) initiative of 2018.

The Health3PT initiative aims to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and gain better visibility into downstream relationships with third parties.

Currently, the methods used to manage third-party risk are time-consuming, cumbersome, and inadequate, with no standardized set of practices to follow. Vendors can use vastly different methods for risk management, and often conduct processes manually, which can result in blind spots on risk. Across the industry, there is inadequate follow-through on the remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place.

One of the primary goals of Health3PT is to develop a set of common practices for healthcare organizations to adopt to manage vendor risk, with the group planning to develop risk management tools and methodologies that can be easily adopted by organizations of all sizes. Initially, the group plans to benchmark the current state of the industry, and this will be one of the first deliverables from the group in Q1, 2023.

“Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health, and Health3PT member.

Health3PT will create a standardized and measurable standard for assessing third parties quickly and efficiently, which will serve as the cornerstone of third-party risk management programs across the entire healthcare ecosystem to better protect against the increasing number of supply chain attacks. Health3PT also plans to form working groups and will host a summit for vendors, stakeholders, and assessor organizations to collect and share ideas.

“It’s clear that [third-party risk management] is broken in the healthcare industry. We need to come together as an industry to establish a sustainable approach to third-party risk management. The common process of sending and receiving self-attested proprietary questionnaires is inefficient and potentially unreliable,” John Chow, CISO for Healthix, Inc., and Health3PT member. “We need a practical pathway to supplier assurances that are reliable and not self-attested, have inadequate controls or overburdening for the risk posed. The lack of standardization today results in vendor confusion due to the different question sets and requirements, resulting in confusion, frustration, and eventually…lack of response.”