Third-Party Risk Management, Healthcare, and Cybersecurity

Alaina Capanna, Ann Lyndon Duckworth | 3/21/2025

Healthcare organizations must address cybersecurity and third-party risks to protect against data breaches and safeguard patient information. 

In healthcare, third-party risk management (TPRM) is a massive, challenging effort, and the scope of TPRM programs is expanding to meet the needs of the industry. Every day, organizations add new software and third parties to support patient care and their business operations. TPRM in healthcare initially focused on cybersecurity risks, but it quickly expanded to safety, quality, privacy, compliance, and reputational risks, to name a few.

However, a solid focus on cybersecurity remains paramount in any healthcare TPRM program. By taking intentional, proactive steps, healthcare organizations can perform effective TPRM and strengthen their cybersecurity resilience.


Current state of TPRM in healthcare

The Health 3rd Party Trust (Health3PT) Initiative and Council is a group of healthcare leaders dedicated to helping establish best practices for managing information security-related third-party risks. Between April 2023 and June 2023, Health3PT conducted a survey of covered entities and business associates in the U.S. healthcare industry. Results from the survey revealed that 55% of healthcare organizations experienced a third-party breach in the previous year.

The Health3PT survey results highlight the many challenges that covered entities and business associates face throughout the third-party risk management life cycle, including, but not limited to:

  • Planning and strategy
    • Understanding the organization’s third-party population and which third parties access or receive sensitive information
  • Due diligence
    • Identifying the inherent risk of the third parties and relying on third parties to timely respond to and complete questionnaires and follow-ups
  • Reporting
    • Third-party programs delivering a report that provides value to the business
  • Issue management
    • Management of issues after the assessment and being overwhelmed by the volume

Cybersecurity, healthcare, and third-party risks

In October 2023, the Cybersecurity and Infrastructure Security Agency, in collaboration with the Department of Health and Human Services (HHS) and the Health Sector Coordinating Council, released a cybersecurity toolkit to help organizations in the healthcare industry. The toolkit outlines cybersecurity performance goals, which reference the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0) controls, to help healthcare organizations protect against and manage cyberthreats. Specifically, the NIST CSF 2.0 goals include a focus on third-party risk and recommend that organizations’ vendor and supplier cybersecurity requirements should identify, assess, and mitigate risks associated with third-party products and services.

On Jan. 6, 2025, HHS published the long-awaited update to the HIPAA Security Rule and accepted comments through March 7, proposing a major overhaul to the nearly 30-year-old rules. It is unclear when the proposed rule will be finalized and what the exact compliance dates will be. However, following are highlights of some major changes in expectations related to the management of third parties and their associated risks.

  • Risk assessment and management. Organizations should conduct comprehensive risk assessments to identify potential vulnerabilities in third-party systems that handle protected health information (PHI).
  • Due diligence. Conducting due diligence on third parties to confirm they have robust security measures in place is critical.
  • Contractual obligations. Organizations must include specific security requirements in contracts with third parties.
  • Monitoring and auditing. To confirm adherence to security standards and contractual obligations, organizations must continually monitor and audit third parties.
  • Incident response and reporting. Third parties must have incident response plans in place and report any security incidents involving PHI promptly.

Third-party breaches in healthcare systems

According to the IBM “Cost of a Data Breach 2024” report, the average cost of a data breach increased to $4.88 million. But for the healthcare industry, the average cost of a data breach was $9.77 million. Data breaches are expensive, and they affect many individuals. In some recent cases, the number of individuals affected by data breaches has hit the hundreds of millions.

The healthcare industry experiences the costliest breaches, and it is also heavily affected by third-party breaches. The cost and number of breaches put organizations in a challenging financial position with respect to how effectively they can recover from a third-party breach.

Best practices for managing third-party risks in healthcare

To help reduce the likelihood of a third-party breach, healthcare organizations should consider aligning their cybersecurity programs to an industry-leading or commonly accepted control framework (such as NIST CSF 2.0). Doing so can help make sure third-party assessments and questionnaires align with the corresponding framework.

Third-party risk management is a complex discipline, and organizations generally cannot fully establish a program in a short period of time. Evaluating the maturity of a third-party risk program and determining how to continually improve it takes time. Although the newly proposed HIPAA rule can be interpreted in different ways, it helps provide some oversight in managing third parties. Other industries, such as financial services, have stricter guidance for managing third-party relationships.

Strengthening cybersecurity

Given the complexities of TPRM and cybersecurity, organizations should take proactive steps to manage third-party risk and minimize the likelihood of breaches. Following is a streamlined action plan for healthcare organizations to strengthen their cybersecurity programs.

  • Planning and strategy

    Challenge: Properly scoping the program by understanding the organization’s third-party landscape and assessing the inherent risk of vendors that have access to sensitive patient data.

    Recommended actions:

    • Define onboarding processes. Establish clear, standardized procedures for onboarding third parties and confirm that each vendor is evaluated for potential cybersecurity, regulatory, and reputational risks.
    • Assign responsibilities. Clearly designate roles and responsibilities for managing third-party risk within the organization.
    • Implement precontract checks. Develop a checklist of required security and compliance questions to address before entering into contracts. This process should filter out low-risk vendors and focus on those that could significantly affect patient data and organizational security.
  • Due diligence

    Challenge: Identifying and addressing significant risks efficiently while maintaining support for ongoing business operations.

    Recommended actions:

    • Scope dynamically. Tailor risk assessments to vendors based on the type and sensitivity of data they access to verify that only the necessary questions are asked.
    • Integrate technology. Use automated tools to streamline the onboarding process and risk assessments to reduce manual efforts while ensuring thorough evaluations.
    • Establish timely processes. Set clear service-level agreements for risk reviews and assessments to support prompt identification and remediation of vulnerabilities.
  • Reporting

    Challenge: Delivering actionable insights and transparency into third-party risk that support informed decision-making at all organizational levels.

    Recommended actions:

    • Engage stakeholders. Regularly meet with key stakeholders to review program-level and specific risk and control indicators to confirm that cybersecurity performance is well understood.
    • Automate reporting. Integrate technology solutions that provide real-time visibility into third-party risk to enable proactive management and support continual improvement of cybersecurity measures.
  • Issue management

    Challenge: Effectively managing and remediating issues that arise after assessment, especially when dealing with a high volume of potential vulnerabilities.

    Recommended actions:

    • Collaborate with business teams. Work closely with internal teams and provide training on information security risks to empower them to manage vendor-related issues and track remediation efforts.
    • Use continuous monitoring tools. Implement risk intelligence and continuous monitoring solutions that can track multiple risk domains. These tools can help promptly identify if a third-party breach might affect the organization.
    • Establish a clear remediation process. Develop and document processes for escalating and resolving issues to make sure that all identified vulnerabilities can be addressed in a timely manner.

This tailored approach can help healthcare organizations safeguard sensitive patient information and maintain robust cybersecurity by addressing the unique risks posed by third-party vendors.

The future of TPRM in healthcare

Some third parties that healthcare organizations rely on are highly integrated within systems, so if one is affected by a breach, entire systems and myriad processes might be directly affected. Future risks that healthcare organizations might want to get ahead of include AI-based systems, concentration risk, and reputational risk. The proposed update to the HIPAA Security Rule could help organizations align with cybersecurity best practices to reduce the impact of third-party breaches. Implementing such best practices might be challenging, but organizations should focus on continually improving over time based on current and emerging guidance.

The recent breaches of third parties in the healthcare industry illustrate that healthcare systems rely on third parties to deliver critical services to their patients every day. As healthcare systems become more integrated with and reliant on third parties, they incur more risk, which is why prioritizing third-party risk and cybersecurity controls is vital. By taking proactive steps, healthcare organizations can improve TPRM and mitigate cyber risks.
