BOSTON – Chief information security officers from Intermountain Health, Northwell Health and Renown Health shared insights and guidance on how to make third-party management a priority during the 2022 HIMSS Cybersecurity Forum.
Rather than focus on the very data-specific view of third-party risks, Erik Decker, assistant vice president and CISO at Intermountain Healthcare, opened the third-party risk management panel by positing a hypothesis and focusing the attendees on the mission-critical nature of healthcare providers’ third-party services.
“It’s not highly sophisticated [advanced persistent threats], nation-state actors that are spending exorbitant amounts of resources to get into your organization,” he said.
“It’s, in fact, a lack of basic controls, some basic hygiene and some basic issues that we thought we had covered, but in actuality, we might not have covered.”
Decker was joined by Kathy Hughes, CISO of Northwell Health, and Steven Ramirez, CISO of Renown Health.
The pivot and the considerations
If third-party vendors critical to delivering healthcare services go down, it can acutely impact the function of care delivery.
“I think we need to also pivot in thinking about the problem state,” Decker said.
While electronic health records are an obvious critical third-party system, there are medical devices that require computations in the cloud where a compromise on those systems would have clinical implications.
There are also third parties that supply core services – syringes, laundry, medical equipment and more.
“If they go down, how does that impact your hospital?” he asked.
Decker also cited the “Kronos effect” – the convergence of major suppliers that can impact care when they are attacked.
Because these major suppliers provide innovative services that improve operations, “they become very target-rich for causing maximum damage and maximum impact,” he said.
There are also those affiliates with back-end access that increase the attack surface.
From transactional to continuous monitoring
Hughes cautioned that the usual process of vendor risk management analysis – asking the appropriate questions to get a risk profile – is a “snapshot in time.”
Collecting information about a third party’s risk management program is based on the type of data the organization will empower or enable a vendor to support for them, along with the amount of data, the number of users, where the data is going to be located, what the use case is, what devices or systems are involved, etc.
Risk analysis causes friction “because it does that such a large amount of time,” and while it identifies gaps, “it’s still a very manual and labor-intensive process,” she said.
To address the transactional nature of assessment, a more holistic approach that aligns with business impact analysis language begins with capital planning, according to Ramirez.
“If we can get ahead of the table and look at high-risk vendors, high-risk processes beforehand, we can start to put those supplemental controls in place” to avoid a domino effect, he said.
Having one or two or three potential vendors in those discussions can help bake continuity into the business impact analysis process.
Hughes said that establishing inter-departmental relationships is essential to communicate risks, “because there is no such thing as risk-free, there is always some level that has to be accepted.”
Collaboration helps everyone understand what the risks are, she said.
“It’s really about trying to make that process as frictionless as possible.”
Keeping discussions live with key stakeholders helps keep the pulse on changes that evolve over time with vendors, new vendors and interdependencies, Ramirez added.
Scaling risk assessment processes
“As we do hundreds of thousands of these assessments, that bleeds into hundreds of thousands of issues that we see and find, which means hundreds of thousands of different things you have to manage,” said Decker.
If something comes up with the risk analysis, Hughes said the organization will negotiate with that vendor to get a commitment to comply with its standards and put that in the contract language.
“Overall, that will reduce the residual risk from, say, a medium or high down to a low – if they meet those commitments,” she said, adding that the vendor has to meet commitments by certain dates, which the organization tracks and follows up on.
“Usually we find that vendors are very receptive because they know that all healthcare organizations are asking the same questions and are just really looking to protect the systems and the data.”
Vulnerability management teams can also monitor the outward-facing scorecards used by insurance carriers, which review a healthcare organization’s perimeter cybersecurity and infer the controls inside; those scores provide a starting point to grow maturity, said Ramirez.
“It’s one component to the overall bigger picture,” but those risk scores provide an opportunity to drive more optimization, he said.
Hughes noted that the same risk scorecards relied upon by cyber insurance carriers are also reviewed by threat actors.
“They are going to target those organizations that perhaps aren’t as secure,” she noted.
Decker asked whether, when organizations dedicate resources to fixing inaccuracies in vendor assessments, that is actually value-added time.
Healthcare organizations share thousands of vendors and will have some of the same questions during risk assessments, he said.
If healthcare organizations could register their critical vendors, and other healthcare organizations that are conducting a risk assessment of those vendors have something “pop,” such a “crowdsourcing” system could minimize risk assessment pipelines, Decker suggested.
Building a culture of cybersecurity
To align clinical care with business operations, Hughes said, a separate business continuity crisis management team has various departments reviewing their downtime procedures.
“They have not been thinking in terms of weeks and months,” she said.
Make sure there are plans in place and alternative vendors are identified and exercise them, she advised.
Ramirez said tabletop exercises are essential, and he likes to take advantage of downtimes to learn lessons – “why does something not work well?” – and then emphasize points of failure.
“If you’re looking for a place to start, I would suggest you outline lab imaging, pharmacy and your EMR,” said Decker. “And consider how you would be out of those for over a month, and what that looks like and, what are the solutions you need to have at the ready to stand up.”
He also pointed attendees to the Health Industry Cybersecurity Supply Chain Risk Management Guide by the Health Sector Coordinating Council, which he chairs, for more third-party risk management guidance.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.