By Marc Johnson
Effective third-party risk management is more crucial than ever in health delivery to combat ransomware and other attacks. It’s no secret that cybercriminals are now directly targeting providers’ third-party vendors in addition to hospitals and health systems themselves. With increasing consolidation in the health care IT market, inconsistent approaches among vendors when assessing their own security risks, and a lack of understanding from both vendors and health delivery organizations about the shared security responsibilities associated with the cloud, the reality is that the trend of cybercriminals exploiting third-party vulnerabilities is only going to get worse. In the current environment, hospitals and health systems need a programmatic approach to combat ransomware, with tight coordination between IT and business stakeholders essential to fully assessing and managing any third-party vendor risk.
Building an IT service assurance program is one of the most effective ways hospitals and health systems can help manage their third-party risk. An IT service assurance program ties the organization’s business and IT strategies—and the execution of those strategies—together. It lays the foundation that enables a hospital or health system to take the necessary actions for successful third-party risk management, such as the following:
• Utilizing third-party risk management software strategically. There’s no shortage of software available that hospitals and health systems can use for third-party risk management. However, technology is not a solution by itself. Organizations need to use the software strategically, accounting for their specific technology environment, unique vendor relationships, and the level of risk they want to assess. The right processes, communication, and coordination—which are made possible by an IT service assurance program—need to be in place to inform implementation of the software. No third-party risk management software package can validate claims a third-party vendor makes about being able to satisfy specific security requirements. If an unmet security requirement is eventually discovered, the IT service assurance program can express the risks associated with the unmet requirement and propose solutions that will allow the hospital or health system to continue to serve their patients expeditiously.
• Accounting for unique considerations with the cloud. There’s a high level of interest in utilizing the cloud in health delivery. The cloud provides an opportunity to improve information security, reduce costs, improve “speed-to-value,” and eliminate technical debt. However, the cloud still represents a shared security model between the vendor and the customer. Hospitals and health systems need to have well-defined internal processes in place to understand where the cloud vendor’s security responsibilities end and where theirs begin (eg, firewalls, gateways, and endpoint protection). It’s essential to fully assess the scope of information security work that will be required of the health delivery organization and ensure those responsibilities realistically can be accomplished.
• Assessing the security posture of a third-party software-as-a-service vendor goes far beyond reviewing the security credentials of the public cloud (eg, Microsoft Azure, AWS, and Google Cloud) on which their solution resides. Hospitals and health systems need to determine if their software-as-a-service vendors have a robust information security program in place (eg, well-defined policies and procedures for ransomware prevention, response, and recovery) that can support them adequately as customers and address their unique information security requirements.
• Thinking more like an auditor. The health delivery industry is no stranger to audits—especially those related to information security. Claims about policies and procedures for ransomware prevention and response require proof before auditors accept those statements as fact. With cybercriminals increasingly targeting providers’ business partners, hospitals and health systems should embrace this mindset as well, viewing themselves as auditors of their third-party vendors, particularly when it comes to critical threat vectors. “Trust but verify” is an excellent mantra for providers to adopt. Testing a third-party vendor’s security controls by asking for randomly selected evidence to serve as proof of their statements is key.
• Looking at risk more holistically. Too often IT risk and business risk are assessed separately when organizations vet a third-party vendor. IT will evaluate a vendor’s potential information security vulnerabilities and overall security posture, while business stakeholders will look at factors such as the vendor’s financial health and potential legal issues, but there’s limited coordination between the two efforts. Information security risk is business risk. A third-party vendor not able to provide contracted functionality or services due to a financial problem is no different than a third-party vendor unable to provide access to their solution because of repeated ransomware attacks.
The bottom line is that the decision about whether a third-party vendor represents an intolerable level of risk for the organization cannot be based solely on IT risk or business risk. Effective third-party risk management should involve a mix of IT and business stakeholders.
The trend of cybercriminals targeting providers’ third-party vendors and business partners is not going away any time soon. To combat increasingly sophisticated ransomware attacks, hospitals and health systems need to have an IT service assurance program in place that lays the foundation for effective third-party risk management.
— Marc Johnson is a senior advisor and chief information security officer at Impact Advisors, specializing in IT, governance, risk management, threat intelligence, analytics, and more. He joined Impact Advisors in 2020, bringing decades of professional IT security experience.