Expert tips for third-party vendor management: Set contractual expectations and limits

Organizations should treat the third-party vendor relationship like a marriage, continuing to assess and manage compliance, Henry Ford Health System’s Privacy and Security Director says.

Breaches in the healthcare sector have become far too commonplace. While many organizations have drastically improved their security posture, hackers and insider threats continue to be an issue, and third-party vendors can be a breach waiting to happen if not properly managed.

“From 2005 to now, we’ve been getting our butts kicked,” Jane Harper said during the HIMSS Healthcare Security Forum in San Francisco. “And there are some days I feel like a one-legged woman in a butt-kicking contest.”


Amid the near-constant stream of hospitals getting breached, there’s one vulnerability that organizations can begin to shore up: third-party vendor risk. Harper explained that vendors are “an emerging risk that we don’t want to know.” 

“It’s like fire: if controlled, [vendors] can be very helpful for your organization; if not, it can rise up and consume you,” said Harper.

To control the threat, infosec executives need to treat their third-party vendor relationships like a marriage, explained Harper. “You’re establishing a relationship that can be a disaster if not managed properly.”

Providers need to know precisely what data is being shared with vendors and how it’s being managed, explained Harper. On top of that, organizations also need to consider the other businesses that may be partnering with their vendors.

“You could have data within any of these organizations and not even know it,” said Harper. 

When sharing data with vendors, organizations also need to ensure they’re only sharing the necessary data, she explained. Just because a hospital is contracted with a vendor, it doesn’t mean they need all of the data.

In fact, Harper explained that in some breaches the organization could have reduced the impact simply by limiting the data it shared with the third party.

“While there’s a security rule with HIPAA, there’s also a privacy rule,” Harper said. Cybersecurity teams can begin with assessing what data needs to be shared with that business partner. The next step is to set out the expectations for that vendor and make sure it’s explicit in the contract.

“You have to make sure that the third-party knows what you expect from them. Not just turnaround times, but what you expect from them as a partner from a data and privacy perspective,” she added.

Providers also need to ensure their vendors have the security measures in place to manage their own assets. Harper explained that if a third party doesn’t care about managing its own data, “they don’t have the care or ability to take care of yours.”

Once an organization has established these guidelines, Harper explained they need to verify these measures. As vendors are customers to any healthcare organization, providers need to be firm on required policies that should be outlined in the contract.

“It doesn’t matter if they offer you the stars, the moon and the sun, if they’re not going to protect your data,” said Harper. And organizations “can’t rule out the scope of risk, without a proper risk assessment.”

She urged other security professionals to keep in mind that once the contract is signed, the work is not done.

“Just like with a marriage, there’s ongoing work to maintain the relationship,” Harper said. “You absolutely must without question, assess your third party compliance with the contract. [Verify] they have the appropriate privacy and security in place.”

The next HIMSS Healthcare Security Forum will take place in Boston on October 15-16.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
