TPRM

2023 State of Healthcare Third-Party Cyber Risk Management

By CORL Technologies | August 3, 2023

Findings from an independent survey of Covered Entities and Business Associates in the U.S. Healthcare industry, conducted April-June 2023.

Purpose:
The Health3PT Initiative conducted the survey summarized on the following pages to identify issues in the current Healthcare Third-Party Cyber Risk Management environment and drive towards improved collaborative solutions.

You’re invited to review respondent results to gain valuable insights from other healthcare information security professionals that can help your organization create a healthier, lower-risk ecosystem for all participants.  

Why Effective Third-Party Risk Management Is So Important

Vendor risk is a serious problem in healthcare today because:

55%	of healthcare organizations experienced a third-party breach in the past year1
$10.1M	is the average cost of a healthcare data breach2
90%	of the most significant healthcare breaches in 2022 were tied to vendors3

   ¹ https://www.hipaajournal.com/55-of-healthcare-organizations-suffered-a-third-party-data-breach-in-the-past-year/​
  ² https://www.ibm.com/reports/data-breach
  ³ https://www.scmagazine.com/feature/breach/most-of-the-10-largest-healthcare-data-breaches-in-2022-are-tied-to-vendors

Introduction

Third-party risks associated with supply chain vendors and service providers critically threaten and challenge healthcare cybersecurity, data protection, and the safety of patient records. Unfortunately, today’s methods to manage third-party risk exposure are burdensome and inadequate.

There are significant blind spots relating to third-party information security risk because:

• Each organization and each vendor handle their assessments differently and often manually.
• Relying parties often lack the resources to follow up on vendor risk remediation efforts.
• Most assurances do not consistently show that proper information security controls are in place. 

To establish and promote trusted cyber security practices throughout the third-party healthcare ecosystem, professionals from leading healthcare organizations joined to form the Health 3rd Party Trust (Health3PT) Initiative. The objectives of the Health3PT-sponsored survey were to identify common issues around healthcare TPRM and gather respondent insights on collaborative ways to refine and implement meaningful solution improvements.

Summary of Key Findings

1. Covered Entities and Business Associates
Both groups share a strong belief that current TRPM processes are inefficient and ineffective in preventing data breaches:

2. Suggested Improvements from Both Sides
Survey results point to several efficiencies that can create a more collaborative approach that helps streamline and standardize the risk management process for Covered Entities and Business Associates.

• Create norms around inherent risk and vendor tiering in the TPRM ecosystem.
• Increase trust by standardizing around third-party validated assurance mechanisms instead of one-off self-attested questionnaires to improve efficiency and effectiveness on both sides.
• Share assessment results electronically to improve efficiency and effectiveness while delivering faster time to insights.
• Driving constant security improvement through continuous monitoring and remediation reporting.

About the Survey

The survey is designed to capture perspectives from healthcare Covered Entities and Business Associates.

Executive Summary

Survey questions are designed to gain an understanding of the standard practices used by healthcare organizations to assess the cyber risk of their suppliers and how those suppliers provide assurances of their cyber security capabilities. The complete data set in the Appendix will provide insights into how current practices reveal gaps in assessment quality, frequency, and continuous monitoring of remediation efforts that are central to more effective risk management. This section focuses on the top-level findings around the most significant challenges and where organizations need help to make TPRM more effective.

Primary Challenges and Pain Points

The Health3PT survey gathered information from Covered Entities and Business Associates to identify pain points in the current process and pinpoint opportunities for improvement.  In addition, each group was asked how satisfied they were that their organization could address the common challenges associated with the current TPRM processes. 

Covered Entities: From the table below, you can see that most organizations need help with these aspects of TPRM:

• Keeping pace with the volume of security assessments they receive.
• Getting vendors to address and fix identified information security deficiencies.
• Excessive turnaround time for assessments.

Receiving transparent assurances from vendors to satisfy the request the first time.

Business Associates: From the table shown below, you can see that most organizations need help with these aspects of TPRM:

• Customers unwilling to accept third-party validated assessments and certifications in place of proprietary control questionnaires.
• Handling the variability of questionnaires and audits.
• The resources and time required to meet compliance requirements.

Key Survey Takeaways

The State of Healthcare Third-Party Cyber Risk Management survey confirms and highlights several significant findings:

• Both Covered Entities and Business Associates feel overwhelmed and report substantial challenges with current healthcare TPRM processes.
• Business Associates experience audit fatigue from the sheer volume and variability of proprietary security questionnaires they receive from their customers.
• Covered Entities can’t keep pace with the volume of questionnaire responses they receive from their vendors, and they often need to follow up because information they receive rarely satisfies the request the first time.
• Neither party sees the current process as effective to prevent data breaches.
• There is a shared vision for a desired future state that adds efficiency by leveraging additional collaboration, standardization, and automation.

Health3PT Recommended Practices for Better TPRM

By combining survey learnings along with perspectives shared at a recent Vendor Risk Management Summit and long-standing experience from healthcare information security and risk management professionals, Health3PT recommends the following Best Practices for TPRM success:

1. Concise contract language tying financial terms to a vendor’s transparency, assurance, and collaboration on information security matters.
2. Risk tiering strategies that drive the frequency of reviews, the extent of due diligence, and the urgency of remediation.
3. Appropriate, reliable, and consistent assurances of security capabilities based on the vendor’s level of inherent risk.
4. Follow-up through to closure of identified gaps – including formal Corrective Action Plans (CAPs)
5. Recurring updates of vendor assurances.
6. Metrics and reporting on organization-wide vendor risks.

Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that will ultimately benefit all participants across the healthcare community.

The guiding principles for the Health3PT Initiative are…

About Health3PT

The Health 3rd Party Trust Initiative is governed by a council of professionals from leading care providers, health systems, and other healthcare organizations committed to reducing third-party information security risk with more reliable and consistent assurances. health3pt.org

Appendix

This Appendix shows each survey’s exact questions and answers for Covered Entities and Business Associates.

Covered Entities (n=59)

Challenges

1. How satisfied are you that your organization can effectively address these common risk management challenges?

Challenge	Dissatisfied	Neutral	Satisfied
Identification of vendors that receive or access sensitive information	12%	41%	47%
Determining the level of inherent risk a vendor presents?	29%	29%	42%
Getting vendors to respond to assessment requests?	24%	47%	29%
Receiving transparent assurances from vendors to satisfy the request the first time	38%	40%	22%
Keeping pace with the volume of vendor security assessments	50%	34%	16%
Turnaround time for assessments	43%	36%	21%
Getting value from the results of the assessment	28%	38%	34%
Getting vendors to address deficiencies	48%	38%	14%
Support of internal alignment with other business functions	34%	29%	36%
Keeping up with changing threats and risks associated with vendors	36%	34%	29%

Current Practices

2. Do you have contractual language for security requirements that must be met before onboarding a vendor?

• 85%       Yes
• 15%       No

3. What forms of assessments do you accept from your vendors today? (Choose all that apply)

• 14%       SIG Questionnaires
• 27%       Custom/Proprietary Questionnaires
• 27%       Third-party Validated Assessment Opinion Reports (SOC 2)
• 27%       Third-party Certification Reports (HITRUST, ISO)
• 5%         Other

4. If you use surveys or questionnaires to assess third-party risk, what framework(s) or standards are they based on? (Choose all that apply)

• 23%       NIST (800-53, 800-171)
• 8%         SIG
• 20%       NIST CSF
• 15%       ISO 27001-2
• 23%       HITRUST
• 8%         AICPA Trust Services Criteria
• 3%         None of the above

5. What percentage of your vendor population does your organization assess?

• 9%         <5%
• 3%         6-10%
• 24%       11-25%
• 17%       26-50%
• 27%       51-80%
• 20%       >81%

6. What percentage of your vendor population is regularly reassessed (at least annually)?

• 29%       <5%
• 9%         6-10%
• 27% 11-25%
• 15%       26-50%
• 8%         51-80%
• 12%       >81%

7. How do you obtain updates on remediations from your vendors?

• 12%       Vendors proactively update us as they remediate gaps.
• 29%       We reach out for a status update on all remediation actions.
• 36%       We reach out for status updates based on gaps or vendor criticality.
• 8%         We revisit remediation updates at the time of contract renewal.
• 15%       We do not receive remediation updates.

8. Do you believe your current vendor risk management process is efficient (value vs. effort)?

• 32%       Yes
• 68%       No

9. Do you believe your current vendor risk management process is effective in terms of preventing data breaches?

• 40%       Yes
• 60%       No

Indicators to establish a better TPRM model:

10. Please indicate the level of importance for each statement below in terms of making vendor risk management more efficient and effective.

Statement	Unimportant	Neutral	Important
Create norms around inherent risk and vendor tiering in the TPRM ecosystem	3%	12%	85%
Standardize around third-party validated assurance mechanisms instead of one-off self-attested questionnaires to improve efficiency and effectiveness on both sides	5%	10%	85%
Receive vendor assessment results electronically to gain faster time to insights and enable your resources to do higher value risk management activities	9%	7%	84%
Drive constant security improvement through continuous monitoring and remediation reporting	2%	14%	84%

Covered Entity Respondents Firmographics

11. What is your role in the organization?

• 10%              C-level
• 31%              VP/Director
• 36%              Manager
• 23%              Other

12. In which department do you work?

• 56%              IT Security
• 10%              Vendor Risk Management
• 2%                Procurement
• 25%              Compliance
• 7%                Business/Other

13. What is the size of your organization in annual revenue?

• 27%              <$100M
• 20%              $101-$499M
• 11%              $500-$999M
• 25%              $1B-$5B
• 17%              >$5B

Business Associates/Vendors/Suppliers (n=128)

Challenges

1. How satisfied are you that your organization can effectively address these common risk management challenges?

Challenge	Dissatisfied	Neutral	Satisfied
Handling the volume of questionnaires/audits	24%	28%	48%
Handling the variability of questionnaires/audits	39%	28%	33%
Time allowed to provide quality responses/evidence back to requesting customers	27%	34%	39%
Ability to report ongoing remediation progress to customers	27%	29%	44%
The willingness of customers to accept validated assessments and certifications in lieu of their proprietary control questionnaires	47%	23%	30%

Current Practices

2. What percentage of your customers ask for cybersecurity assurances to enable a business relationship?

• 5%                <5%
• 4%                6-10%
• 11%              11-25%
• 10%              26-50%
• 20%              51-80%
• 50%              >81%

3. What percentage of your customers regularly reassess your organization or ask to see progress on remediation?

• 10%              <5%
• 11%              6-10%
• 20%              11-25%
• 13%              26-50%
• 24%              51-80%
• 22%              >81%

4. What assurance mechanisms do you provide to fulfill customer cybersecurity requests (Check all that apply)

• 14%              SIG Questionnaires
• 28%              Custom/Proprietary Questionnaires
• 22%              Third-party Validated Assessment Opinion Reports (SOC 2)
• 28%              Third-party Certification Reports (HITRUST, ISO)
• 6%                Other

5. If you selected C or D in question 4, what percentage of your customers will forgo the use of their proprietary questionnaire during security due diligence if you provide a third-party validated assessment or certification?

• 23%              <5%
• 10%              6-10%
• 15%              11-25%
• 19%              26-50%
• 15%              51-80%
• 7%                >81%
• 11%              Not applicable

6. Do you believe the current process for providing cyber risk assurances is efficient?

• 21%              Yes
• 79%              No

7. Do you believe the current process of providing cyber risk assurances effectively prevents data breaches?

• 28%       Yes
• 72%       No

Indicators to establish a better TPRM model:

8. Please indicate the level of importance for each of the potential solution elements below.

Statement	Unimportant	Neutral	Important
A collaborative approach to understanding the assurance requirements of your organization based on the inherent risk you present to your customer.	7%	12%	81%
Standardize third-party validated assurance mechanisms that cover the scope of the business relationship instead of one-off questionnaires to improve efficiency and effectiveness on both sides.	5%	8%	87%
Ability to share your assessment results electronically to provide your customer faster time to insights and decision making.	8%	11%	81%

Business Associate Respondents Firmographics

9. What is your role in the organization?

• 30%              C-level
• 38%              VP/Director
• 15%              Manager
• 17%              Other

10. What is the size of your organization in annual revenue?

• 65%              <$100M
• 16%              $101-$499M
• 9%                $500-$999M
• 5%                $1B-$5B
• 5%                >$5B

11. What is your business category?

• 6%                Healthcare Insurance
• 8%                Hospital/Clinical Health Services Provider
• 3%                Pharma/Biotech
• 4%                Medical Device Manufacturer
• 56%              Business Services (software, consulting, hardware)
• 21%              Other

---

About the Author