BLOG

The History and Future of Third-Party Risk Management in Healthcare

The last 20 years have seen a steady escalation in cybersecurity risks associated with third-party vendors servicing the healthcare industry. This escalation has culminated with an exponential increase in vendor breaches and operational impacts to healthcare organizations that shows no signs of slowing down any time soon. 

Our team at CORL Technologies has been at the helm of developing and innovating cybersecurity and Third-Party Vendor Risk Management (TPRM) solutions for the healthcare industry for over 25 years. 

In this blog post, we share our insights and observations on the trends that have unfolded over the last two decades in healthcare vendor risk management and our forecasts for TPRM in the next decade to follow.  

This blog is accompanied by a companion infographic that gives a visual representation of the timeline of key events on this journey.

Healthcare TPRM Trends Timeline 

The following timeline provides a summary of key milestones in the evolution of TPRM in healthcare from 2000 to present alongside a TPRM forecast through the year 2030.  

These trends are illustrated through the lens of healthcare industry business shifts, vendor risk exposures, and TPRM program investments and models. 

2000 - 2005 
Healthcare Industry
  • Leading healthcare entities begin movement from paper to electronic health records 
  • Most electronic healthcare and financial systems operate from on-premises datacenters 
  • The HIPAA Security Rule goes into effect 
Vendor Risks
  • Breaches of patient information and systems begin to accumulate, but the lack of a reporting mandate results in most breaches being handled internally by healthcare entities 
  • Publicly reported third-party cyber breaches are rare and almost non-existent 
TPRM Programs
  • Vendor risk management functions in healthcare are limited largely to physical access and vendor financial viability and do not include cybersecurity vetting 
  • Vetting of cybersecurity risks for electronic systems are largely conducted as part of enterprise-wide security risk assessments, annual financial audits, or not evaluated at all for many healthcare entities 
2005 - 2010 
Healthcare Industry
  • HITECH ACT is passed which includes the Meaningful Use Electronic Health Records (EHR) incentive program which accelerates adoption of EHR solutions and movement away from paper records 
  • The Breach Notification Rule become effective, making it a federal law for healthcare entities and business associates to report breaches to HHS on a routine basis 
  • Early adoption of cloud hosting and Software as a Service models begins for electronic health records and other applications 
Vendor Risks
  • Breaches of patient data and systems become widespread, but the continued lack of reporting of incidents creates blind spots for the industry as the scope and scale of cybersecurity breaches 
  • HHS creates the breach portal, otherwise known as the “wall of shame”, to disseminate publicly reportable healthcare breach events 
TPRM Programs
  • Cybersecurity vetting of third-party solutions is mostly limited to “tier 1” critical systems including Electronic Health Records and financial platforms 
  • Dedicated TPRM programs are largely non-existent in healthcare and run through traditional information security teams 
  • Vendor security audits are rare and responses are often handled by sales teams on the vendor side 
  • Vendor security questionnaires become the most common TPRM audit and assessment vehicle 
  • CORL’s CEO, Cliff Baker, architects the HITRUST Common Security Framework (CSF) as a model to certify healthcare vendors on cybersecurity practices 
  • CORL Technologies is envisioned and work begins to design a dedicated solution for healthcare third-party vendor risk management 
2010 – 2015 
Healthcare Industry
  • Digitization of healthcare gets mainstream momentum and the sharing of patient information with third-party vendors and technology platforms becomes commonplace 
  • The Patient Protection and Affordable Care Act (ACA) authorizes the use of Accountable Care Organizations (ACOs) which drives up the creation of third-party healthcare data analytics platforms 
  • Large volumes of electronic patient data begin to proliferate within and outside of healthcare entities for business support, research, clinical optimization, debt collection, and many other use cases 
  • Cloud platforms become mainstream and adoption accelerates for healthcare vendors, products, and services 
Vendor Risks
  • Reportable breaches of patient information and systems begin to pour into HHS from both Covered Entities and Business Associates (vendors) 
  • The vast majority of third-party vendor breaches involve lost or stolen laptops and portable media that are unencrypted, though some network hacking breaches are also reported1 
  • Major vendor breaches outside of healthcare raise the stakes for TPRM including Target and Home Depot 
TPRM Programs
  • CORL Technologies is incorporated and the healthcare industry’s first dedicated TPRM managed service and cyber risk score is created for healthcare vendors 
  • Healthcare organizations begin to contractually require vendors to obtain and maintain cybersecurity certifications like HITRUST and SOC 2 
  • Dedicated TPRM resources and teams begin to be created for leading healthcare organizations 
  • CORL receives GRC Technology Innovation Award2 for leading the healthcare industry in third-party vendor risk management innovation 
2015 – 2020 
Healthcare Industry
  • The volume of vendors providing technical solutions to healthcare booms and the vast majority of vendors servicing healthcare have access to electronic patient data 
  • The Office for Civil Rights (OCR) begins to shift focus on HIPAA enforcement to include third-party business associates 
Vendor Risks
  • Data analysis of vendor risks demonstrates that smaller vendors with immature security programs begin to introduce the highest risks to healthcare entities 
  • Medical device and IoT security risks surface for healthcare providers and device manufacturers 
  • “Mega breaches” begin to surface including Facebook’s unauthorized sharing of private data for over 50 million users with the third-party firm, Cambridge Analytica  
  • American Medical Collections Agency (AMCA) breach impacts 25 million patients 
  • Reportable breaches in healthcare increase 178% from 2015 to 2020.3 
TPRM Programs
  • Cybersecurity certification adoption accelerates as more healthcare entities require vendors to be certified 
  • Dedicated TPRM resources and teams start to become commonplace and standard practice for mid-to-large-sized organizations 
  • The healthcare market gets crowded with TPRM technology solutions including cyber risk scoring companies, Governance, Risk, and Compliance (GRC) tools with TPRM functionality, security questionnaire automation solutions, and more 
  • Healthcare vendors begin to get overwhelmed with the volume and depth of cybersecurity risk audits and start to add dedicated team members to respond to assessments 
  • CORL launches dedicated service and model for vendors to help them respond to vendor risk assessments 
  • CORL reaches milestone of assessment of over 50,000 healthcare vendors for cyber risks 
2020 – 2023 
Healthcare Industry
  • Ransomware becomes a top threat vector for healthcare vendors 
  • Majority of breaches shift from lost and stolen portable devices to external hacking sources targeting healthcare and the healthcare supply chain 
  • Class action lawsuits begin to emerge for healthcare entities and their vendors following public breaches 
Vendor Risks
TPRM Programs
  • Dedicated TPRM teams and programs become standard practice for many healthcare organizations 
  • Most mid-to-large-sized healthcare entities deploy one or more TPRM technology and services solutions 
  • The average healthcare organization assesses less than 5% of their third-party vendor portfolio 
  • CORL establishes position market-leading position as premier technology and managed services provider for TPRM for the healthcare industry and takes major growth investment  
  • CORL reaches milestone of assessment of over 90,000 healthcare vendors for cyber risks and creates data reuse model to accelerate validated assessments of vendors 
2023 – 2030+ 

The publication date for this blog is in 2022. The following timeline is a forecast of healthcare TPRM trends based on CORL’s experience as an industry-leading TPRM solution provider dedicated to healthcare. 

Healthcare Industry
  • Cloud-hosted platforms and third-party vendors become the primary custodians of electronic patient information; on-site data centers at healthcare organizations become endangered  
  • HIPAA law overhauls and related bills are drafted and passed that place a strong emphasis on third-party vendor risks and related enforcement 
  • State laws begin to surface to address third-party cybersecurity and supply chain risks 
  • Class action lawsuits increase in frequency and put pressure on healthcare entities and vendors to invest in cybersecurity protections 
  • Healthcare cybersecurity certifications including HITRUST and SOC 2 become standard cost of doing business for vendors servicing the healthcare industry 
Vendor Risks
  • Vendor breaches continue to escalate exponentially in healthcare and other industries creating an untenable risk situation for healthcare organizations 
  • Medical device and IoT risks introduce unprecedented risks to patient safety and medical device manufacturers come under increased scrutiny and regulatory pressure 
  • Nation states and cybercriminals continue to target the healthcare vendor supply chain to “hack once and breach many” organizations 
  • Supply chain breaches and risk management programs evolve beyond third-parties to fourth-parties and beyond 
  • Vendors increase investments in cybersecurity programs, teams, and certifications 
TPRM Programs
  • Consolidation of TPRM solution providers accelerates to include optimized use of vendor risk data, validation, automation, and services without having to implement multiple solution providers 
  • TPRM programs move away from questionnaire-centric models towards assurance models via certifications and other validation vehicles to scale to full coverage of vendor portfolios 
  • Programs invest heavily in vendor risk automation to scale coverage, reduce turnaround time, and reduce costs  
  • Vendors begin to get more organized and drive assessment and assurance standards that create less variance and cost for providing cybersecurity assurances to the market 
  • Data-driven analytics and risk decision support become fundamental components of TPRM programs and solutions 
Conclusion 

The healthcare industry has been on a wild ride the last 20 years. The introduction of digital health and the technology boom driven by third-party vendors have introduced new risks that the industry is still struggling to manage.  

CORL has been here through it all. We appreciate the opportunity to have developed innovative TPRM solutions and are looking forward to working together with the industry to continue to develop and introduce new solutions to keep pace with these accelerating supply chain risks. 

Most Recent Posts
CISA Cyber Performance Goals: Third-Party & Supply Chain Requirements Read More
Keep Up with CORL: Vendor Breach Digest, 10/11/22 Read More
TPRM is Broken: Healthcare’s Unsustainable Approach to Third-Party Vendor Risk Management Read More