CSA Issues Guidance on Third-Party Risk Management in Healthcare

July 21, 2022 - Drafted by the Health Information Management Working Group, the Cloud Security Alliance (CSA) released new guidance on third-party risk management in healthcare.

Threat actors are increasingly using third-party business associates as easier entry points into customer networks. Once inside the network, the malicious hackers may be able to access sensitive health data, encrypt files, and deploy ransomware on organizations that the associate does business with.

For example, in July 2021, REvil threat actors launched a ransomware attack against IT management software company Kaseya and compromised the data of over 1,500 of its customers.

“Healthcare organizations are struggling to identify, protect, detect, respond, and recover from third-party or vendor-related data breaches, vulnerabilities and threat events. However, current approaches to assessing and managing vendor risks are failing,” the CSA report stated.

“The failure of current approaches to third-party risk management creates a real economic impact. Organizations encounter increasing Health and Human Services (HHS) and Office For Civil Rights (OCR) fines and investigations.”

CSA presented three potential reasons why third-party risk management programs may fail in the healthcare sector. First, the lack of automation and the sector’s reliance on manual risk management processes make it difficult to keep up with advancing cyber threats, CSA suggested.

Second, vendor risk assessments are costly and time-consuming, making it difficult to conduct thorough risk assessments for all vendors. Finally, CSA suggested that many critical vendor management controls are often only partially deployed or not deployed at all.

As healthcare organizations continue to increase the number of third-party vendors they work with, it is becoming equally important to maintain strong vendor risk management programs.

CSA pointed to the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a good way to monitor, measure, and track third-party risk.

“The framework is a risk-based approach to managing cybersecurity risk. Framework measurement provides a basis for a strong, trusted relationship. While the framework is primarily for cybersecurity, it can help provide information for measuring other forms of risk,” the report noted.

NIST’s framework core is broken down into five essential functions: identify, protect, detect, respond, and recover. CSA suggested that organizations follow the functions in relation to third-party risk management. For example, the “identify” phase would involve identifying and prioritizing third-party vendors, risk-ranking those vendors, and understanding what data is shared with each vendor.

Next, organizations should focus on the “protect” phase by implementing various safeguards to protect critical services. Healthcare organizations may want to consider implementing security questionnaires and risk treatment plans as a part of this function.

For success in the “detect” phase, healthcare organizations should consider implementing continuous monitoring controls to detect security events as they happen. In the “response” phase, CSA suggested that organizations develop processes for responding to and containing an incident while mitigating any damage. The “recover” function involves implementing activities to maintain resilience and restore any disrupted services.

CSA also suggested that organizations leverage automation and cloud computing technologies (while consider the unique security risks of those technologies) to make third-party risk management more efficient.

“The use of third-party vendors results in an expanded attack surface as attackers can breach the vendor and either extract data from them or use the vendor to gain access to the [healthcare organization’s] systems. Failing to assess risks and implement effective monitoring controls appropriately can be costly in terms of both potential penalties and reputation,” Michael Roza, a contributor to the guidance, explained in an accompanying press release.

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as [healthcare organizations] find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential.”