Third Party Risk Governance
Over the past decade, the number – and range – of affiliate companies serving the healthcare industry has risen dramatically and become significantly more diverse. In addition, these companies find themselves so interconnected that there are essentially no parties in this industry sector that do not outsource at least some of their data management process. While there are significant benefits to this arrangement, it also poses a problem.
Third party vendors – as well as their own subcontractors – are subject to a variety of disruptive events such as cyber attacks, natural disasters and other data breaches. In fact, in many cases, the subcontractors are actually a more attractive target than the host company. For this single reason, it is essential that a healthcare company develop a Third Party Risk Governance (TPRG) strategy that addresses this specific problem. This article has been compiled from an interview with an Information Security Advisor while she was with an H-ISAC member organization.
Here are a few things to consider before implementing a strategy:
- Healthcare-related data is immensely valuable – SSNs are sold on the dark web for about one dollar per name. Adding medical information to the data increases the price by a factor of 10-12. As you can imagine, hackers and phishers understand this financial dynamic and are especially driven to target healthcare-related companies for their nefarious purposes.
- Understand the threat – There are a variety of factors that will influence how vulnerable a third party vendor is to a data breach. In the grossest sense, the amount and type of data will affect how potentially lucrative they are in the eyes of a hacker. By using the same lens to categorize your 3rd party providers, your company can more ably prioritize their efforts at identifying and nullifying any potential data breaches.
- Third party vendors are inherently more vulnerable – While it should be obvious it still must be stated – smaller, third party vendors simply do not have the resources of larger companies like CVS or BCBS to devote to adequately protect their data streams. Yes, larger companies are unlikely to get hacked in any substantial manner; however, their “subs” have almost unlimited access to the same proprietary information. In short, the customer data is vulnerable to a variety of attacks all along the transmission stream and needs to be adequately protected.
- Do not ignore the downstream “S” parties – Your company’s responsibility for data protection does not stop at the third party level. It also extends to their subcontractors – also known as fourth or “S” parties. It is essential to understand where they fit into the data processing stream, what information they may be transmitting and the security measures that they use to ensure its confidentiality.
- No security template exists – Every healthcare company provides a unique challenge to both the hacker and to those charged with preventing a security breach. While this situation does make it more difficult for a hacker to find and exploit a breach, it also presents a challenge for TPRG. In the simplest terms, a hacker only needs to get lucky once somewhere along the line while the healthcare company must protect every potential avenue of attack – a difficult and time-consuming task to say the least.
- Security measures lag hacker technology – Almost by definition, hackers have access to the latest technological developments. Third party providers will undoubtedly know about the latest hack or software tweak but will usually take months to develop and implement a countermeasure. It is an unfortunate state of affairs but one that must be dealt with in an ongoing manner. In short, the Red Queen Effect – that is, companies must constantly adapt and evolve in the face of threats – is in full force in the healthcare industry when it comes to technology.
- The government is getting more involved –As with any other public-interest situation, the Federal government – and the states too, New York is leading the way in this regard – feels compelled to provide a plethora of essentially unneeded regulations. Still, your company must comply with the rules or face potentially ruinous fines. This hazard has even deeper repercussions. Not only are your third party vendors liable for any mistakes but so are you and… if you have the deeper pockets, guess who the lawyers will target?
- It can contribute to significant cost increases – Third party companies are generally regarded as a cost-saving measure – that is, a healthcare company can outsource relatively minor tasks to a specialized company for a fraction of what it would cost to do them in-house. There are hidden costs, however. Not only is the parent company liable for any mistakes made but they must also carry the burden of litigation costs from their clients and government sanctions for any deficiencies in the process.
- It is a collaborative effort – The very reason that your company employs a third party vendor is to avail itself of its competencies. For this very reason, you should also rely on them to help you in the governance process. It may seem adversarial at first but that is a counterproductive stance to take. Instead, you need to mutually determine the risks and the solutions to any data breach problem – real or perceived. Simply put, shared concerns and shared costs will result in the most effective and cost-efficient security solution possible.
- Consider using a shareable framework – There are several options – Ms. Spano recommends the Shared Services suite. Shared Services provides a shared security operations center that offers benchmarking services, legal and regulatory surveillance as well as shared third party risk assessment. This type of platform is a tremendous way to leverage your knowledge of the deficiencies in the system with others in the same industry and develop consolidated and affordable solutions. It also forces any downstream entity doing business with your company to conform to some basic security protocols.
No matter the size of your company, TPRG is a massive undertaking. It will certainly stretch the resources of almost every part of your company. In the long run, it truly pays to get some expert advice before even taking the first step in the process. For more detailed information on the specifics of third party risk governance and how it can affect your company, please contact H-ISAC (Health Information Sharing & Analysis Center. Joining H-ISAC is one of the best steps that a private or public health services firm can take to ensure they are protecting the proprietary information contained in the industry. Learn more about information sharing at H-ISAC.org and about Shared Services at H-ISAC.org/Shared Services. H-ISAC members have also formed a TPRG working group which meets online monthly and in person at H-ISAC Summits.