The Unintended Risks of Third-Party Cybersecurity Questionnaires
Published on January 22, 2024
Author: Britton Burton
The increasing reliance on third-party vendors in healthcare has amplified the complexity of Third-Party Risk Management (TPRM). With an estimated 1300 vendors per hospital and a significant percentage of breaches originating from third parties, Chief Information Security Officers (CISOs) are grappling with how to effectively manage this intricate landscape. While efforts are being made to address these issues, they often unintentionally expose healthcare organizations to further risks.
No Action is Bad; Misdirected Action Could Be Worse
CISOs are aware of the need to address TPRM, yet they often struggle with the scale and complexity of the task at hand. As good security leaders tend to do, they take action. However, they usually take action with great uncertainty about the most effective approach for truly solving the TPRM problem.
Currently, many organizations resort to extensive cybersecurity questionnaires containing hundreds of highly granular control questions in an attempt to assess their vendors. However, this approach brings about several unintended risks.
Becoming the "Qualified" Assessor
By asking hundreds of control questions and bearing the responsibility of reviewing the answers, healthcare organizations inadvertently become the "qualified" assessor for each of their vendors. This is a colossal task when dealing with hundreds or thousands of vendors.
Solution: Rely on qualified assessors and industry-trusted frameworks such as HITRUST, ISO 27001, and AICPA SOC 2 Type 2. Ensure vendors perform routine penetration testing and have a dedicated security leader with budget and decision-making authority. In taking this approach, you shift the burden of staying current on reasonable security controls to the framework organizations, the vendors assessing themselves against these frameworks, and the qualified assessors your vendors hire to assess their environments.
Overseeing Vendor Risk Management
Unsatisfactory questionnaire answers from your vendors lead to dozens of remediations to track for a single vendor. This places the healthcare organization in the position of owning risk management for that vendor. Now multiply that problem across the 1300+ vendors you should assess annually, and you quickly see how unmanageable it becomes. Suppose regulators examine your TPRM program due to a supply chain or third-party breach. In that case, they will likely inquire about the multitude of unresolved findings and unaddressed controls within your vendor population.
Solution: Shift the onus of risk management from the healthcare organization back to the vendor. To achieve the industry standard assurances mentioned earlier in this blog, vendors have to develop Corrective Action Plans (CAPs) and remediate findings. Put the responsibility on those qualified assessors doing the reviews to ensure that the vendors have actually completed that remediation work. Don't take that burden on your TPRM team. Instead, focus on contractually obligating vendors to achieve certifications, conduct penetration tests, remediate findings, and transparently share their progress and results with you.
The self-attested nature of questionnaires often leads to inaccurate information. Trusting vendors to provide accurate details without verification is risky. This statement is not intended to cast doubt on the integrity of vendors in the healthcare industry. Rather, it highlights a common conflict of interest: most vendors are trying to expedite the sales and contracting process. Should healthcare security teams really treat the information they receive through these self-attested questionnaires as their most trustworthy source?
Solution: Rely on validated assurances provided by qualified assessors and penetration testing organizations. A third-party questionnaire cannot replicate the validation work that goes into these assurances, and detailed control questionnaires can never scale to the size of your vendor population. This approach offers more accurate information and separates the healthcare organization from the risk ownership of the vendor's control posture.
Using extensive control-based questionnaires to manage third-party risk can inadvertently increase your organization's risk exposure rather than decrease it. It is essential to set a reasonable bar for what is expected from vendors and find ways to verify their compliance. Holding vendors accountable through remediation reporting and contractual obligations can help ensure a safer and more secure healthcare environment.
Navigating the labyrinth of TPRM is undoubtedly complex. However, by understanding the pitfalls and taking strategic steps to mitigate them, we can build a more resilient healthcare sector.
Several industry groups are uniting to champion a better approach to Third-Party Risk Management (TPRM). Among them is Health 3rd Party Trust (H3PT), which CORL Technologies supports. H3PT has recently published a set of recommended practices that align closely with the recommendations discussed in this blog. Consider joining this movement if you think there must be a better way to solve TPRM in healthcare.
CORL Cleared is a solution purpose-built for the healthcare industry to solve this TPRM/questionnaire problem. If you like the idea of elevating your third-party risk management approach to reasonable assurances that provide real risk insight into your vendors' security practices while keeping the obligation to manage control-level risk on the vendor, but you aren't sure how to operationalize the approach, contact us. From using CORL's platform to obtain assurances that your internal teams review on their own, to a fully managed TPRM service provided by CORL that integrates results back into your GRC system, our combination of technology and managed service is flexible enough to meet you where you are. Let's solve healthcare TPRM together.