Creating a game plan for vendor risk management
Photo courtesy of Jesse Fasolo
In this day and age, any healthcare provider organization could be the next victim of a cybersecurity breach. Unfortunately, countless organizations have experienced data breaches by a third party, and the remediation costs can run into the millions.
This is why vendor risk management has come to the fore as a plan that provider organizations should have in place.
Jesse Fasolo is director of technology infrastructure and cybersecurity and information security officer at St. Joseph's Health, a health system in New Jersey. Healthcare IT News sat down with him to glean his expertise on the subject of vendor risk management to share with his peers in the industry.
Q. Why is vendor risk management arguably more important today than ever before?
A. The ever-evolving changes to the threat landscape bring new threats that make vendor risk management (VRM) more important now than ever as targets shift from the business to the supplier or vendor.
Often, vendors pose as large targets that are highly valued – often in possession of, or with access to, protected health information. The VRM helps to educate the vendor and the organization on potential risks that may result from the partnership.
Organizations are entering agreements with third parties at a rate higher than ever before due to the integrating capabilities of software or the cost avoidance of selectively outsourcing. Trends such as increased incidents with vendors, heightened focus from regulators on supplier risk, and pressure from the economic volatility demand a closer look at who our third-party or fourth-party vendors are.
As technology shifts to more cloud-hosted or shared environments, understanding the security controls, processes and procedures that are present with hosting environments or how data is handled is critical. These risks have a direct impact on an organization through revenue loss because of declining reputation, regulatory non-compliance and operational disruption to services.
Performing proper due diligence on current and potential vendors is not only necessary to satisfy HIPAA security and privacy measures; it has become reputational. Increasing risk via a third party can directly impact compliance with legislation or regulations.
In the past few years, many healthcare-focused vendors have been targeted and breached. This increasing risk should sound an alarm to all organizations and drive an emergent need to perform risk management assessments on their vendors.
Q. What are some of the first steps an IT leader needs to take to implement a vendor risk management plan within their organization?
A. The development of a VRM plan can seem daunting to an organization, but there are initial areas of focus to promote success. As an IT leader, understanding the scope of all current third-party vendors and the organization's onboarding process for new vendors is a great starting point.
This provides the IT and IS professionals the ability to ensure the necessary gates are in place for the contract process and onboarding process so that security assessments can take place, technical architectural review can occur, vendor security controls are reviewed and finally, the contract terms can be reviewed.
Embedding minimal security into agreements, service-level agreements (SLAs), right-to-audit security controls, notification of breach or incidents, and ongoing assessments is vital to ensure vendors continue to maintain their security posture. Establishing a cross-discipline partnership among risk, legal compliance, information technology and information security is essential to the vendor onboarding process, contract review and VRM plan.
These teams should follow the same procedure to ensure vendors are vetted as needed. After aligning the responsible individuals, then establish or revise a risk management policy that encompasses not only organization clinical risk but also risk around information security and data security.
This policy will follow regulation or legislation requirements and align with a standard or framework such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the International Organization for Standardization (ISO). Above all, the assessment process must be easy to manage and provide the business a quick turnaround on the identified risk.
Q. What is the risk of not having a plan in place to monitor/assess third-party vendors?
A. There are potential and unknown high risks for any organization that does not have a plan in place to monitor third-party vendor risk. While some organizations seem to be okay with conducting a brief internal assessment of a partner, a more in-depth, due-diligence process can uncover risks that may ultimately cost the organization.
If a vendor fails their own compliance or fails to comply with industry regulation, this directly impacts the business. Common risks of not having a plan in place include strategic risk, compliance risk, operational risk, financial risk and reputation risk. A potential unintended consequence can occur in the form of direct consumer complaints as a result of a third-party breach or loss of data.
The clean-up from these third parties also becomes a huge process that takes time and resources away from the business. Imagine having to send notices to all of your patients and customers because a third party was breached. Monitoring these vendors after their initial assessment is a strategy to ensure ongoing protection and minimal risk. The plan determines how to address higher-risk vendors, documents the risk thresholds that the organization is willing to carry and provides a way to concentrate the risk for all vendors.
Q. What success have you seen at St. Joseph's as it pertains to monitoring third-party vendors?
A. The success that has been realized as a result of our vendor risk management program is essentially the minimization of vendor-transferred risk and liability to the organization. This comes from the continual improvements made to the policy, process and procedures involved with information security risk management.
We have had multiple instances where a potential third party was highly desired or recommended, then turned into a conversation of risk acceptance or risk elimination as a result of the monitoring. It is better for the organization to review the risk up-front and make requests for change prior to any agreement, rather than sign a contract and find that their high risk may directly impact you in the future.
Also, the plan we have in place helps to understand which vendors require assessments and which do not. All vendors that have gone through the process are now classified with a historical collection of data and risk rating that can be used as an indicator of where our risks are.
Q. What plans do you have to continue risk assessments on a go-forward basis within the organization?
A. As we push forward with our strategic initiatives and increased leverage of data for operational success, the team is now looking to enhance our risk assessments for our partners. Those that become classified as strategic partners or those that have direct access to our electronic health record are then continuously assessed through various tools and alerted on any deviations.
We have recently implemented changes to our policies that ensure our business associate agreements are reviewed and updated on a schedule for all contracts and require updated ones during all contract renewals. This allows for any updates or changes to be applied to vendors and maintains team members' understanding of the process and purpose.
Additionally, we have added processes for any organization that has had a security incident, with reassessment multiple times afterward to ensure they are making the necessary changes or enhancement to prevent incidents in the future. We also continue monitoring of higher-risk vendors.
Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.