BLOG

The last 20 years have seen a steady escalation in cybersecurity risks associated with third-party vendors servicing the healthcare industry. This escalation has culminated with an exponential increase in vendor breaches and operational impacts to healthcare organizations that shows no signs of slowing down any time soon. 

Our team at CORL Technologies has been at the helm of developing and innovating cybersecurity and Third-Party Vendor Risk Management (TPRM) solutions for the healthcare industry for over 25 years. 

In this blog post, we share our insights and observations on the trends that have unfolded over the last two decades in healthcare vendor risk management and our forecasts for TPRM in the next decade to follow.  

This blog is accompanied by a companion infographic that gives a visual representation of the timeline of key events on this journey.

Healthcare TPRM Trends Timeline 

The following timeline provides a summary of key milestones in the evolution of TPRM in healthcare from 2000 to present alongside a TPRM forecast through the year 2030.  

These trends are illustrated through the lens of healthcare industry business shifts, vendor risk exposures, and TPRM program investments and models. 

2000 - 2005 

Healthcare Industry

• Leading healthcare entities begin movement from paper to electronic health records 
• Most electronic healthcare and financial systems operate from on-premises datacenters 
• The HIPAA Security Rule goes into effect 

Vendor Risks

• Breaches of patient information and systems begin to accumulate, but the lack of a reporting mandate results in most breaches being handled internally by healthcare entities 
• Publicly reported third-party cyber breaches are rare and almost non-existent 

TPRM Programs

• Vendor risk management functions in healthcare are limited largely to physical access and vendor financial viability and do not include cybersecurity vetting 
• Vetting of cybersecurity risks for electronic systems are largely conducted as part of enterprise-wide security risk assessments, annual financial audits, or not evaluated at all for many healthcare entities 

2005 - 2010 

Healthcare Industry

• HITECH ACT is passed which includes the Meaningful Use Electronic Health Records (EHR) incentive program which accelerates adoption of EHR solutions and movement away from paper records 
• The Breach Notification Rule become effective, making it a federal law for healthcare entities and business associates to report breaches to HHS on a routine basis 
• Early adoption of cloud hosting and Software as a Service models begins for electronic health records and other applications 

Vendor Risks

• Breaches of patient data and systems become widespread, but the continued lack of reporting of incidents creates blind spots for the industry as the scope and scale of cybersecurity breaches 
• HHS creates the breach portal, otherwise known as the “wall of shame”, to disseminate publicly reportable healthcare breach events 

TPRM Programs

• Cybersecurity vetting of third-party solutions is mostly limited to “tier 1” critical systems including Electronic Health Records and financial platforms 
• Dedicated TPRM programs are largely non-existent in healthcare and run through traditional information security teams 
• Vendor security audits are rare and responses are often handled by sales teams on the vendor side 
• Vendor security questionnaires become the most common TPRM audit and assessment vehicle 
• CORL’s CEO, Cliff Baker, architects the HITRUST Common Security Framework (CSF) as a model to certify healthcare vendors on cybersecurity practices 
• CORL Technologies is envisioned and work begins to design a dedicated solution for healthcare third-party vendor risk management 

2010 – 2015 

Healthcare Industry

• Digitization of healthcare gets mainstream momentum and the sharing of patient information with third-party vendors and technology platforms becomes commonplace 
• The Patient Protection and Affordable Care Act (ACA) authorizes the use of Accountable Care Organizations (ACOs) which drives up the creation of third-party healthcare data analytics platforms 
• Large volumes of electronic patient data begin to proliferate within and outside of healthcare entities for business support, research, clinical optimization, debt collection, and many other use cases 
• Cloud platforms become mainstream and adoption accelerates for healthcare vendors, products, and services 

Vendor Risks

• Reportable breaches of patient information and systems begin to pour into HHS from both Covered Entities and Business Associates (vendors) 
• The vast majority of third-party vendor breaches involve lost or stolen laptops and portable media that are unencrypted, though some network hacking breaches are also reported1 
• Major vendor breaches outside of healthcare raise the stakes for TPRM including Target and Home Depot 

TPRM Programs

• CORL Technologies is incorporated and the healthcare industry’s first dedicated TPRM managed service and cyber risk score is created for healthcare vendors 
• Healthcare organizations begin to contractually require vendors to obtain and maintain cybersecurity certifications like HITRUST and SOC 2 
• Dedicated TPRM resources and teams begin to be created for leading healthcare organizations 
• CORL receives GRC Technology Innovation Award2 for leading the healthcare industry in third-party vendor risk management innovation 

2015 – 2020 

Healthcare Industry

• The volume of vendors providing technical solutions to healthcare booms and the vast majority of vendors servicing healthcare have access to electronic patient data 
• The Office for Civil Rights (OCR) begins to shift focus on HIPAA enforcement to include third-party business associates 

Vendor Risks

• Data analysis of vendor risks demonstrates that smaller vendors with immature security programs begin to introduce the highest risks to healthcare entities 
• Medical device and IoT security risks surface for healthcare providers and device manufacturers 
• “Mega breaches” begin to surface including Facebook’s unauthorized sharing of private data for over 50 million users with the third-party firm, Cambridge Analytica  
• American Medical Collections Agency (AMCA) breach impacts 25 million patients 
• Reportable breaches in healthcare increase 178% from 2015 to 2020.3 

TPRM Programs

• Cybersecurity certification adoption accelerates as more healthcare entities require vendors to be certified 
• Dedicated TPRM resources and teams start to become commonplace and standard practice for mid-to-large-sized organizations 
• The healthcare market gets crowded with TPRM technology solutions including cyber risk scoring companies, Governance, Risk, and Compliance (GRC) tools with TPRM functionality, security questionnaire automation solutions, and more 
• Healthcare vendors begin to get overwhelmed with the volume and depth of cybersecurity risk audits and start to add dedicated team members to respond to assessments 
• CORL launches dedicated service and model for vendors to help them respond to vendor risk assessments 
• CORL reaches milestone of assessment of over 50,000 healthcare vendors for cyber risks 

2020 – 2023 

Healthcare Industry

• Ransomware becomes a top threat vector for healthcare vendors 
• Majority of breaches shift from lost and stolen portable devices to external hacking sources targeting healthcare and the healthcare supply chain 
• Class action lawsuits begin to emerge for healthcare entities and their vendors following public breaches 

Vendor Risks

• SolarWinds vendor attack impacts thousands of companies globally 
• Kaseya vendor infected with ransomware and impacts thousands of organizations 
• Apache Log4j breach exposes significant global risks from fourth-party technology solutions 
• CORL begins publishing CORL Vendor Breach Digest illustrating an average of 15-30 healthcare vendor breaches every two weeks 
• President Biden issues two executive orders on supply chain risk management 
• NIST updates NIST SP 800-53 to include a domain dedicated to supply chain risk management 
• The CISA, FBI, and other federal agencies issue guidance on supply chain risk management 

TPRM Programs

• Dedicated TPRM teams and programs become standard practice for many healthcare organizations 
• Most mid-to-large-sized healthcare entities deploy one or more TPRM technology and services solutions 
• The average healthcare organization assesses less than 5% of their third-party vendor portfolio 
• CORL establishes position market-leading position as premier technology and managed services provider for TPRM for the healthcare industry and takes major growth investment  
• CORL reaches milestone of assessment of over 90,000 healthcare vendors for cyber risks and creates data reuse model to accelerate validated assessments of vendors 

2023 – 2030+ 

The publication date for this blog is in 2022. The following timeline is a forecast of healthcare TPRM trends based on CORL’s experience as an industry-leading TPRM solution provider dedicated to healthcare. 

Healthcare Industry

• Cloud-hosted platforms and third-party vendors become the primary custodians of electronic patient information; on-site data centers at healthcare organizations become endangered  
• HIPAA law overhauls and related bills are drafted and passed that place a strong emphasis on third-party vendor risks and related enforcement 
• State laws begin to surface to address third-party cybersecurity and supply chain risks 
• Class action lawsuits increase in frequency and put pressure on healthcare entities and vendors to invest in cybersecurity protections 
• Healthcare cybersecurity certifications including HITRUST and SOC 2 become standard cost of doing business for vendors servicing the healthcare industry 

Vendor Risks

• Vendor breaches continue to escalate exponentially in healthcare and other industries creating an untenable risk situation for healthcare organizations 
• Medical device and IoT risks introduce unprecedented risks to patient safety and medical device manufacturers come under increased scrutiny and regulatory pressure 
• Nation states and cybercriminals continue to target the healthcare vendor supply chain to “hack once and breach many” organizations 
• Supply chain breaches and risk management programs evolve beyond third-parties to fourth-parties and beyond 
• Vendors increase investments in cybersecurity programs, teams, and certifications 

TPRM Programs

• Consolidation of TPRM solution providers accelerates to include optimized use of vendor risk data, validation, automation, and services without having to implement multiple solution providers 
• TPRM programs move away from questionnaire-centric models towards assurance models via certifications and other validation vehicles to scale to full coverage of vendor portfolios 
• Programs invest heavily in vendor risk automation to scale coverage, reduce turnaround time, and reduce costs  
• Vendors begin to get more organized and drive assessment and assurance standards that create less variance and cost for providing cybersecurity assurances to the market 
• Data-driven analytics and risk decision support become fundamental components of TPRM programs and solutions 

Conclusion 

The healthcare industry has been on a wild ride the last 20 years. The introduction of digital health and the technology boom driven by third-party vendors have introduced new risks that the industry is still struggling to manage.  

CORL has been here through it all. We appreciate the opportunity to have developed innovative TPRM solutions and are looking forward to working together with the industry to continue to develop and introduce new solutions to keep pace with these accelerating supply chain risks.