Healthcare information technology security leaders from across the country have shared insights with Becker's regarding the most important steps for hospitals and health systems to take in preventing increased cybersecurity risks when working with third-party vendors.
The five recurring themes from the experts' responses are to prioritize due diligence, specify contractual agreements, establish vendor risk management programs, conduct continuous monitoring and minimize access levels.
Here is a selection of quotes from 18 leaders:
Editor's note: Responses have been lightly edited.
Due diligence
1. Don Kelly. Manager of the Virtual Information Security Program and Virtual Chief Information Security Officer of Fortified Health Security (Franklin, Tenn.): Do your due diligence. By that I mean you truly need to do more than ask them to complete a questionnaire and trust the answers. Have defined expectations, then ask the vendor to provide evidence they are meeting those standards. Review the evidence, identify gaps, and work with them to close the gaps.
2. Paul Connelly. Former Chief Security Officer of HCA Healthcare (Nashville, Tenn.): Conduct thorough due diligence before onboarding any vendor. This includes reviewing their cybersecurity policies, procedures, practices and track record. Consider their history of security incidents, how they responded, and their overall cybersecurity posture.
3. Jack Kufahl. Chief Information Security Officer at Michigan Medicine (Ann Arbor): When engaging with a third-party vendor it would be prudent to inquire about how they technologically deliver their services and what their plans for continuity of operations or resiliency expectations are in the face of large digital disruptions. Plan for disruptions before they happen and impact your institution.
4. Andy Price. Vice President, Chief Information Officer and Chief Information Security Officer of St. Claire HealthCare (Morehead, Ky.): The crucial step for hospitals and health systems to mitigate increasing cybersecurity risks while engaging with third-party vendors is to take immediate action. Many healthcare organizations currently lack a comprehensive approach to third-party risk management, often deferring it to an indefinite future date. Yet, this is precisely where potential security breaches are most likely to occur. Therefore, the foremost priority is to initiate the process.
5. Soma Bhaduri. Chief Information Security Officer of NYC Health + Hospitals (New York City): There should be governance over the procurement process by aligning cybersecurity expectations. It should be embedded in the organization's requests for proposals, contract verbiage and the incident response process. It's very important to have due diligence.
Contracts with security in mind
1. Hassnain Malik. Former Director of Security Compliance of Accolade (Seattle): All contracts with vendors should include detailed provisions related to data security and the handling of sensitive information. Additionally, the contract should clearly outline each party's security expectations and responsibilities, and periodic audits should be performed to ensure ongoing compliance. Draft comprehensive contracts outlining cybersecurity expectations, data protection requirements, and incident response procedures. Ensure vendors are contractually obligated to maintain strong security practices. In the event of a data breach or a reportable incident, they must notify the hospital and the health system. I would add additional language into the contract to say that the vendor will be responsible for all costs associated with the data breach.
2. Hunter Barbour. Chief Information Security Officer of WVU Medicine (Morgantown, W.Va.): There must be security language in your legal contracts that forces vendors to comply with a health system's security posture. These security exhibits in contracts should be non-negotiable, as that will encourage healthcare vendors to increase their security posture.
3. Mr. Connelly: Ensure vendor contracts include specific cybersecurity requirements and expectations. Vendors should meet the same cybersecurity and data protection standards as your in-house IT team. The contract should also clearly define ownership and rights with the data, requirements (and timelines) for reporting incidents, and requirements relating to offshoring, use of fourth parties, cyber insurance, compliance reporting, financial responsibilities in the event of security incidents, legal remedies and consequences if the vendor fails to meet cybersecurity obligations, and other topics.
4. Edward Maule. Chief Information Officer and Chief Information Security Officer of Advocare (Marlton, N.J.): While not the most important step, an often overlooked one is ensuring that you have properly transferred risk to your third-party vendors. You need to confirm that their cyber insurance, in conjunction with yours, will be enough to protect your organization in the event that the risk is realized.
5. David Swits. Vice President, Office of the Chief Digital Information Officer and Chief Information Security Officer of MVP Health Care (Schenectady, N.Y.): [Establish] clear and enforceable contractual agreements that specify accountability in the event of an incident with associated actions and penalties in the event of a breach.
Vendor risk management programs
1. Robert Wagner. Chief Information Security Officer of CyncHealth (La Vista, Neb.): One of the most crucial steps for hospitals and health systems to take … when collaborating with third-party vendors is the establishment of a robust vendor risk management framework. This framework should serve as a strategic approach to assessing, mitigating, and monitoring the potential cybersecurity threats posed by vendors. Its core elements involve a deep understanding of the vendor's operations, a thorough evaluation of their cybersecurity practices, and clear contractual agreements.
2. Krista Arndt. Chief Information Security Officer of United Musculoskeletal Partners (Atlanta): To effectively prevent third-party risk from affecting an organization, you need to invest resources in building a multifaceted third-party risk management program within your organization. This should include a comprehensive third-party repository where a list of third parties serving the organization is kept, along with a description of what they do, what data they store/process/transfer, what connections or privileges they have to your environment, and a criticality rating to business operations.
3. Jeffrey Vinson. Senior Vice President and Chief Cyber and Information Security Officer of Harris Health System (Bellaire, Texas): One of the most important steps to help mitigate increased cybersecurity risks is having a robust third-party risk assessment program that has teeth, rigor and executive buy-in. These are paramount to hospitals and/or health systems understanding the risk landscape and being able to articulate that risk to the organization's executive leadership. This is especially true when it comes to the supply chain vendors and for vendors that help to provide critical care in clinical operations areas.
4. Mr. Malik: This program should include the following key components: Risk assessment, contractual protections, security audits, data encryption, access control, incident response plan, continuous monitoring, employee training, compliance validation, contingency planning, cyber insurance and [risk mitigation].
5. Patrick Voon. Executive Director of IS Security and Chief Information Security Officer of Loma Linda (Calif.) University Health: If not already in place, establish a third-party vendor risk management program that manages the full lifecycle of onboarding through offboarding third-party vendors. Obtain senior business leadership sign-off and support for the program and its charter. Identify key stakeholders and participants. Define standard clauses in BAAs and service agreements that adequately cover security and privacy requirements. Establish a process to evaluate vendors using a standard set of security and privacy requirements before signing a contract with them. Establish a process to annually assess top-tier vendors that have access to PHI or other confidential/sensitive information. Mature the program by automating the workflows using a governance, risk, and compliance platform.
Continuous monitoring
1. Matt Morton. Executive Director and Chief Information Security Officer at the University of Chicago: Security audits and assessments are a crucial component of a comprehensive cybersecurity strategy. They help organizations proactively identify and mitigate any risks and can help ensure compliance with regulations, build trust with vendors, and reduce the risk of security incidents that could have serious consequences for patients and the organization itself.
2. Mr. Connelly: Continuously monitor vendors' compliance with cybersecurity requirements via periodic security assessments, live data feeds, and other types of compliance checks.
3. Mauricio Angée, DBA. Associate Vice President and Chief Information Security Officer of the University of Miami: [Implement] ongoing monitoring of connections and data sharing feeds. Healthcare organizations often share information with third-party vendors not only in support of patient care, but also in support of business operations. Healthcare organizations must step up their security practices to ensure third-party vendor connections are monitored 24/7/365 and that any suspicious activity is remediated promptly.
4. Chris Logan. Senior Vice President and Chief Security Officer of Censinet (Boston): Best practices for completing risk assessments efficiently and effectively:
   1. Ensure risk visibility across all vendors and products, including supply chain vendors.
   2. Segment vendors and products by business impact.
   3. Adjust risk profile based on your organization's IT environment.
   4. Automate corrective action plans and link them to contracting.
   5. Manage risk longitudinally across the vendor lifecycle.
   6. Drive enterprise-wide collaboration to manage down risk.
   7. Engage management on cyber risk posture and progress.
5. Mr. Swits: I believe the most critical component is having a well thought out process for assessing third-party vendors. A regular risk assessment with an associated audit of the vendors' security policies, procedures and practices. The goal being to identify any gaps or vulnerabilities within their enterprise that compromise the relevant standards and regulations. Trust but verify.
Access control
1. Mr. Malik: Limit access to systems and data on a need-to-know basis. Implement strict access controls and monitor vendor access closely. Ask them to provide data flow diagrams, who can access that data, and why. I would add language that no one within the vendor workforce should be able to access or use the health system's data. Do not use a generic username for the technical support of anyone who is accessing the system; [they] must have a unique user ID.
2. Dr. Angée: In recent cybersecurity incident reports, the underlying issue has been that vendors don't follow the established protocols, executed memorandums of understanding (MOUs), best-practice security protocols, or legally binding contracts. It is important that organizations take a stand to enforce policies and take a stand to disconnect or limit vendors' connections if security issues are not addressed in a timely manner.
3. Mr. Wagner: If a vendor consistently falls short in meeting established security benchmarks or is uncooperative in addressing vulnerabilities, the organization must be prepared to terminate the partnership and seek an alternative vendor. This commitment sends a clear message that cybersecurity and patient data protection are non-negotiable priorities.
4. Steven Ramirez. Chief Information Security and Technology Officer of Renown Health (Reno, Nev.): The most important step is to control access and data upfront. Access-wise, control access to the bare minimum assets needed and utilize privileged access management and multifactor authentication. Data-wise, instead of having open-ended data access or feeds, provide more minimal access, one-time feeds or de-identified data.
5. Adam Hawkins. Executive Vice President of Healthcare and Life Sciences at Cyderes (San Diego, Calif.): Cybersecurity departments cannot stop the progress to cloud, managed services or hosting providers that their hospitals are onboarding to deliver patient care or to improve their operations. The best way to protect your environment is to limit the level of access these vendors have to your critical systems and have the ability to disable it. Some third parties perform mission-critical functions and need elevated or super admin access to the hospital's environment, but it should be a requirement that the cybersecurity department has the authority to revoke or reset this access if issues or concerns arise.