Cloud Security Alliance Weighs in on Third-Party Risk Management in Healthcare

Blog Post by Britton Burton, Senior Director of Product Strategy at CORL Technologies

Cloud Security Alliance (CSA) recently released new guidance on managing third-party cyber security risk in healthcare that offers some practical and useful tips for defenders to consider.

The report comes on the heels of a new industry report from IBM that identifies healthcare as the sector with the highest average breach cost. The IBM report also notes that 45% of breaches occurred in the cloud and that almost one in five breaches began with a compromise at a third-party business partner. [1]

The CSA report is organized around the NIST Cybersecurity Framework (NIST CSF), using the five top-level CSF functions (Identify, Protect, Detect, Respond, Recover) to structure its recommendations.

CSA is a trusted source of cloud security thought leadership. CORL, and our sister company Meditology Services, are pleased to see them expanding their research into the third-party space.

The Vendor Risk Management Problem in Healthcare

As in most sectors, healthcare organizations rely more and more on third parties for critical services. Most of these third parties either store or process PHI on behalf of the healthcare organizations or connect to the healthcare organization’s network.

Attackers are well aware of this trend. Reliance on third parties expands the attack surface of healthcare organizations, and attackers are shifting their focus accordingly: rather than attacking a healthcare organization's own systems directly, they compromise a third party, either to reach the healthcare organization's data held there or to use the vendor's connectivity as a vector into the organization's network.

CSA cites three main reasons the healthcare industry is struggling to get a grip on this growing dynamic:

  1. The pace at which applications, data and medical devices proliferate is unmanageable with today's mostly manual processes
  2. The cost and time of conducting vendor risk assessments prevents healthcare organizations from assessing large swaths of their vendor populations
  3. Healthcare organizations have only partially deployed, or failed to deploy, many critical vendor management controls

The bottom line, as stated by CSA, is that “Third parties have been responsible for almost half of all data breaches.”

Identify

CSA's recommended approach to the Identify function is to implement processes that identify new third parties and changes to existing ones. The paper does not go into detail on how to assemble this inventory; the most common approach is to work with procurement to identify which vendors are currently being paid, and to add vendor-capture steps to new contract negotiations so the inventory stays current. If you need assistance identifying your vendors, consider partnering with a service to take some of the heavy lift off your resources.

Once the healthcare organization's vendors are identified, the report discusses the importance of establishing an Inherent Risk rating system for them. An Inherent Risk system helps the healthcare organization determine the appropriate level of oversight for each vendor and set relevant expectations for continuous monitoring and re-assessment frequency.

The paper lists some example considerations for Inherent Risk scoring, including whether the vendor has access to PHI, whether data is stored in the cloud, whether the vendor uses fourth parties, and whether the vendor is financially sound, but it stops short of giving the reader an implementable model or calculation for inherent risk. CORL has an inherent risk and vendor prioritization and tiering model that was developed alongside the nation's leading healthcare organizations. Contact our team if you need help with inherent risk scoring.
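To make the idea concrete, here is an added worked example of what a minimal inherent-risk tiering and prioritization model looks like in code. It is not CSA's model and not CORL's; the factors are the considerations the paper names (PHI access, data in the cloud, fourth parties, financial soundness) plus network connectivity from the discussion above, and every weight, tier threshold, review cadence and vendor in it is an assumption constructed for illustration.

```python
"""Inherent-risk tiering and assessment prioritisation for a vendor inventory.

Added worked example, not the CSA paper's or CORL's model. Every weight,
threshold, cadence and sample vendor below is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    phi_access: bool            # stores or processes PHI on our behalf
    network_connected: bool     # VPN, B2B link or direct integration into our network
    cloud_hosted: bool          # our data lives in the vendor's cloud tenancy
    uses_fourth_parties: bool   # subcontracts hosting or support to others
    financially_sound: bool     # no going-concern flags in the last finance review
    last_assessed: Optional[date]  # None means never assessed


# Assumed weights. Inherent risk is about impact if this vendor is compromised,
# not about how well it is run; the latter is what the assessment measures.
WEIGHTS = {
    "phi_access": 40,
    "network_connected": 30,
    "cloud_hosted": 10,
    "uses_fourth_parties": 10,
    "financially_unsound": 10,
}

# Assumed tiers: (minimum score, tier, reassessment cadence, continuous monitoring?)
TIER_RULES: List[Tuple[int, int, timedelta, bool]] = [
    (60, 1, timedelta(days=365), True),
    (30, 2, timedelta(days=730), True),
    (0, 3, timedelta(days=1095), False),
]


def inherent_risk_score(v: Vendor) -> int:
    """Sum the weights of the risk factors that apply to this vendor."""
    score = 0
    score += WEIGHTS["phi_access"] if v.phi_access else 0
    score += WEIGHTS["network_connected"] if v.network_connected else 0
    score += WEIGHTS["cloud_hosted"] if v.cloud_hosted else 0
    score += WEIGHTS["uses_fourth_parties"] if v.uses_fourth_parties else 0
    score += WEIGHTS["financially_unsound"] if not v.financially_sound else 0
    return score


def tier_for(score: int) -> Tuple[int, timedelta, bool]:
    """Map a score to (tier, reassessment cadence, continuous monitoring flag)."""
    for min_score, tier, cadence, monitor in TIER_RULES:
        if score >= min_score:
            return tier, cadence, monitor
    raise ValueError(f"score {score} is below every tier threshold")


def assessment_queue(vendors: List[Vendor], today: date) -> List[Dict]:
    """Vendors that are due or never assessed, ordered most critical tier first,
    then never-assessed, then most overdue within the tier."""
    rows = []
    for v in vendors:
        score = inherent_risk_score(v)
        tier, cadence, monitor = tier_for(score)
        if v.last_assessed is None:
            overdue_days = None            # never assessed: due immediately
        else:
            overdue_days = (today - (v.last_assessed + cadence)).days
            if overdue_days < 0:
                continue                   # assessment still current, skip
        rows.append({
            "vendor": v.name,
            "score": score,
            "tier": tier,
            "continuous_monitoring": monitor,
            "overdue_days": overdue_days,
        })
    rows.sort(key=lambda r: (r["tier"],
                             0 if r["overdue_days"] is None else 1,
                             -(r["overdue_days"] or 0)))
    return rows


# Constructed sample inventory; names and attributes are illustrative only.
SAMPLE_VENDORS = [
    Vendor("ClaimsClear", True, True, True, True, True, date(2023, 1, 15)),
    Vendor("ParkingCo", False, False, False, False, True, None),
    Vendor("LabLink", True, False, True, False, False, date(2023, 6, 1)),
    Vendor("CafeteriaPOS", False, True, False, False, True, date(2022, 1, 1)),
    Vendor("ImagingCloud", True, True, True, False, True, date(2024, 3, 1)),
]
TODAY = date(2024, 7, 1)

if __name__ == "__main__":
    for row in assessment_queue(SAMPLE_VENDORS, TODAY):
        print(row)
```

The ordering choice is deliberate: a slightly overdue Tier 1 vendor outranks a badly overdue Tier 3 vendor, because the queue exists to spend scarce assessment hours where an incident would hurt most. Whatever weights you adopt, keep inherent risk (impact if compromised) separate from residual risk (what the assessment finds), or the tiering starts rewarding vendors for answering questionnaires well.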

Protect

The core of the Protect section advises conducting third-party risk assessments and risk treatment across the vendor population. Healthcare organizations should assess their vendors with a frequency and depth defined by the inherent risk tiers established in the Identify function.

Suggested inputs to a vendor risk assessment include security control questionnaires, the vendor's financial risk, and the business continuity impact on the healthcare organization if the vendor suffers an outage. CSA also suggests requesting trusted certifications such as HITRUST or SOC 2 from vendors, or third-party assessments conducted against a recognized standard such as NIST CSF.

On vendor risk treatment, the paper lists the elements a healthcare organization's risk treatment plans should contain, and, most notably, some outstanding practical steps for implementing the vendor risk assessment process:

  • Identify asset ownership for each third-party service or tool in the inventory
  • Create and periodically review third-party service level agreements (SLAs) and Business Associates Agreements (BAA)
  • Establish a channel for communicating threats and risks to the third party
  • Construct risk profiles for every third-party vendor. A risk profile provides an overall impact to the organization (e.g., revenue, services, security, etc.) in case of an incident
  • Implement mitigating controls for securing third-party entry and exit points
  • Devise a remediation activity timeline for each risk identified during the assessment phase (e.g., threat modeling, application penetration testing, and source code analysis)
  • Audit the security controls the third-party vendor applies to the organization's data. Segregation of your data from other customers' data matters in case of a breach
  • Examine access to systems from third-party vendors

Detect

The Detect section of the paper focuses on the need for a healthcare organization to continuously monitor its vendors. CSA describes continuous monitoring as obtaining a view of the vulnerabilities vendors expose to the internet, validating the answers on annual security questionnaires against that view, and using threat intelligence providers to gather threat data relevant to your vendor population.
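The following added example shows what "validating annual security questionnaires" against external exposure looks like in practice. It is not from the CSA paper or any monitoring product: the questionnaire answers and scanner observations are constructed sample data (documentation hostnames only), the port-to-service mappings are simplifying assumptions, and in a real program the observations would come from an attack-surface scanner or scorecard feed.

```python
"""Validate a vendor's questionnaire answers against its observed internet exposure.

Added worked example, not from the CSA paper or any vendor product. All claims,
observations and port mappings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    vendor: str
    host: str
    port: int
    service: str
    tls_versions: Tuple[str, ...] = ()   # versions the host negotiated; empty if not TLS


@dataclass(frozen=True)
class Finding:
    vendor: str
    claim: str       # what the questionnaire said
    evidence: str    # what was observed
    severity: str


# Constructed questionnaire answers, as attested by each vendor.
CLAIMS: Dict[str, Dict] = {
    "ClaimsClear": {"tls_min": "1.2", "remote_admin_exposed": False, "db_exposed": False},
    "LabLink": {"tls_min": "1.2", "remote_admin_exposed": False, "db_exposed": False},
}

# Constructed external scan results.
OBSERVATIONS = [
    Observation("ClaimsClear", "portal.claimsclear.example", 443, "https", ("1.2", "1.3")),
    Observation("ClaimsClear", "legacy.claimsclear.example", 443, "https", ("1.0", "1.1", "1.2")),
    Observation("ClaimsClear", "jump.claimsclear.example", 3389, "rdp"),
    Observation("LabLink", "api.lablink.example", 443, "https", ("1.2",)),
    Observation("LabLink", "db1.lablink.example", 5432, "postgresql"),
    Observation("ParkingCo", "pay.parkingco.example", 443, "https", ("1.2",)),
]

REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900}          # assumed mapping, ssh/telnet/rdp/vnc
DATABASE_PORTS = {1433, 3306, 5432, 6379, 27017}   # assumed mapping, common database ports
TLS_ORDER = ["1.0", "1.1", "1.2", "1.3"]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def tls_rank(version: str) -> int:
    """Rank a TLS version; anything unrecognised (e.g. 'ssl3') ranks below TLS 1.0."""
    return TLS_ORDER.index(version) if version in TLS_ORDER else -1


def validate(claims: Dict[str, Dict], observations: List[Observation]) -> List[Finding]:
    """Return one Finding per contradiction between a questionnaire claim and an observation."""
    findings: List[Finding] = []
    for obs in observations:
        claim = claims.get(obs.vendor)
        where = f"{obs.host}:{obs.port}"
        if claim is None:
            # Internet-facing vendor with no questionnaire on file: inventory gap, not a lie.
            findings.append(Finding(obs.vendor, "no questionnaire on file",
                                    f"{where} ({obs.service}) is internet-facing", "medium"))
            continue
        weak = [v for v in obs.tls_versions if tls_rank(v) < tls_rank(claim["tls_min"])]
        if weak:
            findings.append(Finding(obs.vendor, f"tls_min={claim['tls_min']}",
                                    f"{where} negotiates TLS {', '.join(weak)}", "medium"))
        if obs.port in REMOTE_ADMIN_PORTS and not claim["remote_admin_exposed"]:
            findings.append(Finding(obs.vendor, "remote_admin_exposed=False",
                                    f"{where} ({obs.service}) reachable from the internet", "high"))
        if obs.port in DATABASE_PORTS and not claim["db_exposed"]:
            findings.append(Finding(obs.vendor, "db_exposed=False",
                                    f"{where} ({obs.service}) reachable from the internet", "critical"))
    return findings


def vendors_needing_reassessment(findings: List[Finding], min_severity: str = "high") -> Set[str]:
    """Vendors with at least one finding at or above min_severity: trigger an
    out-of-cycle reassessment instead of waiting for the next annual questionnaire."""
    floor = SEVERITY_RANK[min_severity]
    return {f.vendor for f in findings if SEVERITY_RANK[f.severity] >= floor}


if __name__ == "__main__":
    results = validate(CLAIMS, OBSERVATIONS)
    for f in results:
        print(f"[{f.severity}] {f.vendor}: claimed {f.claim}; observed {f.evidence}")
    print("reassess:", sorted(vendors_needing_reassessment(results)))
```

The point of the comparison is not that a scan "wins" over a questionnaire; it is that a contradiction between the two is itself the signal. A vendor whose attested TLS floor or exposure claims do not match what it actually exposes has either a control gap or a process gap in how it answers questionnaires, and either one justifies moving the vendor up the assessment queue before its annual cycle comes around.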

Respond

CSA focuses on the need for an Incident Response playbook that contains the impact of a potential event. While most organizations have an IR playbook these days, many still lack sections that cover the nuances of an IR effort that originates at a third party.

CSA lists some outstanding tips that should be included in that third-party IR playbook:

  • Shut Off Access. Companies need to be able to shut off access to third parties affected by a cyberattack. Organizations should segregate third-party cyber assets from the rest of the network
  • Determine whether the third-party breach has affected your organization. If it has, your next step is to conduct a forensic analysis to understand the extent of the incident and its impact
  • Assess liability from third-party involvement in breach, and check contract terms and conditions
  • Mitigate the damage. This can be done through additional security tasks and tools that minimize any further incursion into your systems
  • Communicate to stakeholders what has happened, the impact, and your recovery plan
  • Report to CISA where required. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed in March 2022, requires covered critical-infrastructure entities to report covered cyber incidents to the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours (and ransom payments within 24 hours). Note that this obligation only becomes enforceable once CISA's implementing rule is final, and it is separate from, not a substitute for, HIPAA breach notification to HHS and affected individuals
  • Conduct a root cause analysis to determine how to prevent the incident from recurring
  • Document the organization's response: what worked, what didn't, what improvements are needed, and the plan for implementing them before next time
  • Continue In-house. Organizations should have a plan for running services in-house in the event of an incident
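The "determine whether the third-party breach has affected your organization" step is where most playbooks get vague, so here is an added example of the triage logic, written against your own access logs rather than the vendor's account of events. It is not from the CSA paper; the vendor access inventory, the notification window and the log lines are all constructed, and the five-field log format (timestamp, source IP, account, destination, action) is an assumption standing in for whatever your VPN concentrator or firewall actually emits.

```python
"""Scope a third-party breach notification against our own access logs.

Added worked example, not from the CSA paper. The inventory, notification
window, log format and log lines are constructed assumptions.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed inventory: the accounts and source ranges each vendor is supposed to use.
VENDOR_ACCESS = {
    "ClaimsClear": {"accounts": {"svc-claimsclear", "cc-support1"}, "sources": ["203.0.113.0/24"]},
    "LabLink": {"accounts": {"svc-lablink"}, "sources": ["198.51.100.8/32"]},
}

# Constructed notification: ClaimsClear reports credential theft inside this window.
WINDOW_START = datetime(2024, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 6, 13, 12, tzinfo=timezone.utc)

# Constructed log lines: timestamp source_ip account destination action
LOG_LINES = """\
2024-06-09T09:00:00Z 198.51.100.8 svc-lablink hl7-gw.internal.example ALLOW
2024-06-10T01:15:02Z 203.0.113.44 svc-claimsclear sftp.internal.example ALLOW
2024-06-11T22:40:19Z 203.0.113.44 svc-claimsclear db-claims.internal.example ALLOW
2024-06-11T22:41:03Z 203.0.113.44 svc-claimsclear fileshare.internal.example ALLOW
2024-06-11T23:05:55Z 203.0.113.44 svc-claimsclear dc01.internal.example DENY
2024-06-12T09:00:00Z 198.51.100.8 svc-lablink hl7-gw.internal.example ALLOW
2024-06-13T03:12:47Z 192.0.2.77 cc-support1 fileshare.internal.example ALLOW
2024-06-14T08:00:00Z 203.0.113.44 svc-claimsclear sftp.internal.example ALLOW
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the assumed five-field format into timezone-aware events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, dest, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "src": src, "account": account, "dest": dest, "action": action})
    return events


def from_vendor_range(src: str, vendor: str) -> bool:
    return any(ip_address(src) in ip_network(r) for r in VENDOR_ACCESS[vendor]["sources"])


def belongs_to_vendor(event: Dict, vendor: str) -> bool:
    """An event is the vendor's if it used one of their accounts or came from their ranges."""
    return event["account"] in VENDOR_ACCESS[vendor]["accounts"] or from_vendor_range(event["src"], vendor)


def scope_breach(vendor: str, start: datetime, end: datetime, log_text: str) -> Dict:
    """Compare the vendor's activity inside the breach window with its pre-window
    baseline and report what the incident responder needs to triage first."""
    events = [e for e in parse_log(log_text) if belongs_to_vendor(e, vendor)]
    baseline = {e["dest"] for e in events if e["ts"] < start and e["action"] == "ALLOW"}
    window = [e for e in events if start <= e["ts"] <= end]

    touched = {e["dest"] for e in window if e["action"] == "ALLOW"}
    new_destinations = touched - baseline
    off_range = [(e["src"], e["account"]) for e in window
                 if e["account"] in VENDOR_ACCESS[vendor]["accounts"]
                 and not from_vendor_range(e["src"], vendor)]
    denied = [e["dest"] for e in window if e["action"] == "DENY"]

    return {
        "vendor": vendor,
        "touched_hosts": touched,              # forensic scope: preserve and review these first
        "new_destinations": new_destinations,  # hosts this vendor never reached before the window
        "off_range_sources": off_range,        # vendor credential used from an unexpected IP
        "denied_attempts": denied,             # blocked moves, often the first sign of lateral movement
        "affected": bool(new_destinations or off_range or denied),
    }


if __name__ == "__main__":
    for name in VENDOR_ACCESS:
        print(scope_breach(name, WINDOW_START, WINDOW_END, LOG_LINES))
```

Two things this makes visible that the vendor's notification will not: a vendor credential arriving from an address outside the vendor's known ranges (stolen credential in use), and a denied attempt at a host the vendor has no business reaching (a domain controller here). Both are reasons to execute the "shut off access" step immediately, and the `touched_hosts` set is the starting scope for the forensic analysis. This only works if the third-party access inventory (accounts and source ranges per vendor) exists before the incident, which is the Identify function paying off in Respond.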

Recover

CSA champions the term "cyber resilience" in the Recover section, a term that is becoming well established in the industry. The vendor's job in recovery is to work out how to return to normal operations quickly: restoring its systems, restoring the services it provides to the healthcare organization, and planning how to better protect itself against future incidents.

The healthcare organization, for its part, must focus on continuing patient care. CSA recommends having a team identified to manage the recovery, but its real emphasis is on a business continuity approach: "Once an event has been identified, the team should actively engage vendors to identify alternative sourcing for the service provided by the affected vendor. These sources should be engaged to provide essential services until full service can be restored."

Cloud Considerations

In addition to the 5 CSF functions covered in this paper, CSA adds some good information to consider when your third parties are using cloud resources. This is a welcome addition given the position CSA holds as a trusted thought leader in the cloud security and cloud controls space.

CSA offers up 6 main risk areas that healthcare organizations should prepare for in cloud computing:

  1. Data security and internal controls
  2. Data transmission
  3. Multitenancy and possible commingling of data
  4. Location of data (including possibly outside of the US)
  5. Reliability of cloud resource availability
  6. Sustainability (meaning the cloud provider’s DR and BC plans)

CSA also mentions 5 security measures that healthcare organizations should require of their cloud providers:

  1. Multifactor authentication
  2. Data encryption, both at rest and in transit
  3. Federated access control, including adaptive access and identity proofing
  4. Security policies to manage the activities of their users in the cloud environment
  5. A FedRAMP authorization or CSA STAR certification

Finally, CSA closes the paper with a nod to the importance of healthcare organizations embracing automation to manage their third-party risk. It lists several benefits of automation in a third-party risk management program, including efficiency and speed, but it does not give specific ideas or examples of how organizations can achieve it.

That’s where CORL can help!

CORL Can Help: Rely on a Trusted Partner to Help You Solve for Third-Party Risk Management

This research from CSA provides outstanding directional guidance for healthcare organizations looking to effectively manage third-party risk programs, but it stops short of specific detail in many areas. That real-world implementation is where many organizations struggle.

CORL is a service-centered solution for vendor risk management, compliance, and governance that is 100% focused on the unique needs of the healthcare space. Through our managed assessment workflow, our proactive approach to vendor validation and data reuse, and our novel models for accessing and utilizing vendor risk data, we empower healthcare stakeholders to transform TPRM into the powerful enabler it should be.

Many of the key points stated in the paper are reflected in our offering:

Data Reuse and TPRM Assessment Exchange
  • CORL has already assessed over 80,000 healthcare vendors.
  • Assessment data reuse delivers rapid assessment turnarounds.
  • Our proactive approach to vendor validation provides risk results you can trust without further follow up with vendors.
  • CORL’s vendor portal and automated workflow accelerate assessment data collection, analysis, and reporting.
  • Automation allows CORL to scale assessments to cover your full vendor portfolio, and we represent an estimated 70% of healthcare vendors today.
Workflow & Process
  • Our proven workflow is animated and elevated through the collective efforts of our expert teams, which drive unprecedented velocity and scale.
  • CORL’s inherent risk intelligence for vendor types, tiering and prioritization, and remediation follow up accelerate vendor risk management cycles.
Technology Integration
  • We are committed to bringing together the best that technology and human expertise have to offer to solve the TPRM problem for healthcare.
  • CORL integrates with technology solutions including GRC platforms, scorecards, and others to get the right information in the right format to drive rapid risk decisions.
Managed Services
  • With expert teams focused on market research, client experience, data validation, service quality, and vendor facilitation, CORL goes beyond technology alone to elevate process integrity, speed, and efficiency.
  • Our specialized third-party risk management professionals get results by rapidly assessing vendors and driving them to remediate known risks, effectively elevating cybersecurity standards across your entire vendor landscape.
  • In addition, we also provide a strategic partnership that is focused on empowering information security leaders to understand and manage vendor impact and risk factors like never before.

CORL agrees with CSA's assessment of the growing third-party risk landscape. Engaging in transformative movements like virtual care, personalized medicine, and predictive analytics leaves providers and payors with a greater variety of vendors than ever before. These vendors, who handle an unprecedented amount of PHI, have the potential to transform healthcare, but they also have the potential to threaten the very bedrock of patient trust. The threat landscape has followed suit, with a renewed commitment to compromising vendors through an increasingly sophisticated arsenal of tactics.

Do not face this challenge alone! Contact our team here at CORL to learn more about our service-centered solution that gets results and solves for third party risk at every level of your organization.
