Cloud Security Alliance Issues Third Party Vendor Risk Management Guidance for Healthcare Companies

Cyber attackers are increasingly targeting the business associates of HIPAA-covered entities, because a single compromised vendor can provide a path into the systems of several healthcare organizations at once. To help healthcare delivery organizations (HDOs) address this, the Cloud Security Alliance (CSA) has released new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the CSA Health Information Management Working Group; it includes examples and use cases and describes several risk management program resources that HDOs can draw on.

Third-party vendors provide HDOs with valuable services, including services that cannot be delivered efficiently in-house. Using vendors, however, introduces cybersecurity, compliance, reputational, operational, privacy, strategic, and financial risks that must be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks of using third-party vendors, in order to prevent security incidents and data breaches and to limit their severity when they do occur.

Cyberattacks on vendors serving the healthcare sector have increased in recent years. Rather than attacking an HDO directly, a threat actor may compromise a vendor to gain access to sensitive information or to abuse the vendor's privileged access to the HDO's systems. A successful attack on a managed service provider (MSP), for example, can give the attacker access to the systems of every client of that MSP by exploiting the MSP's privileged access to client networks. This is attractive to an attacker because it removes the need to break into each MSP client's systems one by one.

Whenever third-party vendors are used, the attack surface grows considerably, and managing and reducing that risk is often difficult. Although third-party vendors are used in every industry, the CSA states that third-party vendor security risks are most prevalent in healthcare, owing to a lack of automation, heavy reliance on digital applications and medical devices, and a shortage of fully implemented critical vendor management controls. Because healthcare organizations typically rely on a large number of vendors, performing thorough and accurate risk assessments of every vendor and implementing critical vendor management controls can be a highly labor-intensive and costly process.

Dr. James Angle, the primary author of the paper and co-chair of the Health Information Management Working Group, stated that Healthcare Delivery Organizations put their trust in third-party vendors for the security of their sensitive information, finances, reputation, and more. Considering the value of this crucial, sensitive information, along with regulatory and compliance demands, it is very important to identify, evaluate, and minimize third-party cyber risks. This paper provides an overview of third-party vendor challenges in healthcare along with recommended identification, discovery, response, and mitigation tactics.

When an HDO chooses to use a third-party vendor, it is vital that effective monitoring controls are put in place. The volume of third-party and vendor-related data breaches, however, shows that many healthcare organizations struggle to identify, protect against, detect, respond to, and recover from these incidents, which indicates that current approaches to assessing and managing vendor risk are falling short. These failures can have a significant financial impact: beyond the cost of breach remediation, HDOs face the risk of regulatory penalties from the HHS' Office for Civil Rights and from state Attorneys General, as well as a substantial risk of long-lasting reputational damage.

The CSA makes a number of recommendations in the paper, including adopting the NIST Cybersecurity Framework for assessing, measuring, and monitoring third-party risk. The NIST Framework is primarily focused on cybersecurity, but the same principles can be applied to measuring other categories of risk. The core functions of the framework are Identify, Protect, Detect, Respond, and Recover. Using the framework, HDOs can identify their vendors and the risks they pose, know what information is shared with each vendor, prioritize vendors according to their level of risk, apply safeguards to protect critical services, ensure monitoring controls are in place to detect security incidents, and establish a plan for responding to and recovering from any security breach.