United Musculoskeletal Partners Chief Information Security Officer: Insights on Third-Party Vendor Cybersecurity Risks

Healthcare organizations face increasing cybersecurity risks when working with third-party vendors. Experts emphasize the importance of a robust cybersecurity strategy, especially when collaborating with external partners. This article highlights key insights shared by healthcare information technology security leaders, focusing on the critical role of a Chief Information Security Officer (CISO), such as the one at United Musculoskeletal Partners, in mitigating these risks.

Implementing a comprehensive third-party risk management program, as highlighted by Krista Arndt, Chief Information Security Officer of United Musculoskeletal Partners, is crucial. This program should include a detailed inventory of all third-party vendors, their access levels, and the data they handle. This foundational element allows organizations to understand their vendor landscape and prioritize risk mitigation efforts.

Experts recommend a multi-faceted approach to vendor cybersecurity risk management, encompassing due diligence, contractual agreements, vendor risk management programs, continuous monitoring, and access control.

Due Diligence: Thoroughly vetting potential vendors is paramount. This involves reviewing their cybersecurity policies, procedures, and track record, including past security incidents and their responses. Don Kelly, Manager of the Virtual Information Security Program and CISO of Fortified Health Security, advises going beyond questionnaires and requesting evidence of compliance with established security standards.

Contractual Agreements: Contracts should explicitly outline cybersecurity expectations, data protection requirements, incident response procedures, and accountability in case of breaches. Experts suggest including non-negotiable security exhibits in contracts to ensure vendor compliance with the healthcare organization’s security posture. David Swits, Vice President and CISO of MVP Health Care, emphasizes the need for clear and enforceable contractual agreements with specified penalties for breaches.

Vendor Risk Management Programs: Establishing a dedicated program is essential for assessing, mitigating, and monitoring risks associated with third-party vendors. This program should encompass risk assessment, contractual protections, security audits, data encryption, access control, incident response planning, continuous monitoring, employee training, compliance validation, contingency planning, cyber insurance, and risk mitigation. Jeffrey Vinson, Senior Vice President and Chief Cyber and Information Security Officer of Harris Health System, stresses the importance of a robust program with executive buy-in.

Continuous Monitoring: Regularly assessing vendor compliance with cybersecurity requirements is crucial. This can involve periodic security assessments, live data feeds, and other compliance checks. Continuous monitoring helps identify and address vulnerabilities promptly. Chris Logan, Senior Vice President and Chief Security Officer of Censinet, recommends automating corrective action plans and linking them to contracting for efficient risk management.

Access Control: Limiting vendor access to systems and data on a need-to-know basis is critical. Strict access controls, privileged access management, multifactor authentication, and monitoring vendor access are vital. Steven Ramirez, Chief Information Security and Technology Officer of Renown Health, advises controlling access and data upfront by providing minimal access and utilizing de-identified data whenever possible.
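The vendor inventory (L5), continuous monitoring and access control facets above can be operationalized as a small triage script. The following is an added example, not code from the article or from any of the organizations quoted: it scores each vendor by access level and the most sensitive data class it handles, flags control gaps (no multifactor authentication, no security exhibit in the contract, an overdue assessment, identified PHI where de-identified data would do), and ranks the inventory so the riskiest relationships are reviewed first. The weight scales, field names and sample vendors are all constructed for illustration; a real program would use its own scales and its actual inventory.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal weights for access level and data sensitivity. These scales are
# constructed for the example; an organization defines its own.
ACCESS_WEIGHT = {"none": 0, "read": 1, "read_write": 2, "privileged": 3}
DATA_WEIGHT = {"public": 0, "internal": 1, "de_identified": 2, "phi": 4}


@dataclass(frozen=True)
class Vendor:
    name: str
    access_level: str            # key of ACCESS_WEIGHT
    data_classes: tuple          # keys of DATA_WEIGHT, e.g. ("phi", "internal")
    mfa_enforced: bool           # vendor accounts must use multifactor auth
    security_exhibit: bool       # contract carries the security exhibit
    last_assessment: date        # date of the most recent security assessment
    needs_identified_data: bool  # business case genuinely requires identified PHI


def risk_score(v: Vendor) -> int:
    """Inherent risk = access weight x weight of the most sensitive data class."""
    data = max((DATA_WEIGHT[d] for d in v.data_classes), default=0)
    return ACCESS_WEIGHT[v.access_level] * data


def findings(v: Vendor, today: date, max_age_days: int = 365) -> list:
    """Control gaps a reviewer would raise for this vendor, in check order."""
    out = []
    if v.access_level != "none" and not v.mfa_enforced:
        out.append("mfa_missing")
    if not v.security_exhibit:
        out.append("no_security_exhibit")
    if (today - v.last_assessment).days > max_age_days:
        out.append("assessment_overdue")
    if "phi" in v.data_classes and not v.needs_identified_data:
        out.append("could_use_deidentified_data")
    return out


def prioritize(vendors, today: date) -> list:
    """Vendor names, highest inherent risk first; ties broken by number of gaps."""
    ranked = sorted(
        vendors,
        key=lambda v: (risk_score(v), len(findings(v, today))),
        reverse=True,
    )
    return [v.name for v in ranked]


def report(vendors, today: date) -> dict:
    """Per-vendor score and findings, keyed by vendor name."""
    return {v.name: {"score": risk_score(v), "findings": findings(v, today)}
            for v in vendors}


# Constructed sample inventory (not real vendors).
TODAY = date(2024, 6, 1)
INVENTORY = (
    Vendor("billing-clearinghouse", "read_write", ("phi",), True, True,
           date(2024, 1, 15), True),
    Vendor("analytics-startup", "read", ("phi", "internal"), False, False,
           date(2022, 11, 2), False),
    Vendor("facilities-hvac", "privileged", ("internal",), False, True,
           date(2024, 3, 1), False),
    Vendor("newsletter-tool", "none", ("public",), False, True,
           date(2023, 9, 1), False),
)

if __name__ == "__main__":
    for name in prioritize(INVENTORY, TODAY):
        entry = report(INVENTORY, TODAY)[name]
        print(f"{name:22} score={entry['score']:2} gaps={entry['findings']}")
```

The score is deliberately a product rather than a sum: a vendor with privileged access to nothing sensitive, or read access to public data, should rank near zero, while read/write access to PHI ranks near the top. The findings list is what feeds the corrective-action tracking and contract renewal discussed above.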

In conclusion, a comprehensive approach to managing third-party vendor cybersecurity risks is essential for healthcare organizations. A strong vendor risk management program, led by a dedicated CISO, plays a pivotal role in protecting sensitive patient data and ensuring the overall security posture of the organization. Implementing these strategies, as advocated by leading experts in the field, will significantly reduce the likelihood of security breaches and their associated consequences.
