Discussing Third-Party Risk Management in the Healthcare Industry

Healthcare security and how updated HIPAA/HITECH Act regulations are changing the nature of risk in that industry are hot topics right now. "The rules have made it easier for organizations to have penalties levied against them because of the actions of a subcontractor," Elizabeth Warren, a healthcare attorney with Nashville Tennessee-based Bass Berry & Sims, is quoted as saying in this Becker’s Hospital CIO post. And she’s absolutely right.

To get some answers about how healthcare organizations are dealing with the increased risks, we thought it would be a great idea to speak with seven year hospital CSO veteran Eric Cowperthwaite. Cowperthwaite is no stranger to the BitSight Risk Management Blog; he’s posted here previously about Building CISO Relevance Through Metrics.

Here’s what he had to say:

George: Why is third-party vendor risk management so important right now to the healthcare industry?

Eric: There are a number of issues. One is compliance. The reality is that in the new HITECH Act, which extends the Health Insurance Portability and Accountability Act, all business associates have had the full HIPAA security rule extended to and applied to them. The interesting thing here is that healthcare systems first have to figure out who all their business associates are and, number two, how to make sure that they actually meet the full requirements of the security rule.

That's very significant. The other side of it, I think, is that just like any other business, the Target breach really demonstrates how important it is to identify who all your third parties are and then get really good at managing all of the risk associated with them.

George: What were some of the high-level processes that you had in place while at Providence to manage third-party risk? For large organizations like Providence, and with hundreds of third parties, determining the status of their security posture has to be like triage?

Eric: You know, it really was like triage. I think calling it a triage process is a good descriptor of what we did. We had more than 1,500 third parties that interacted with us in some way. Any large company is going to be like that. So, trying to get down to a very detailed level with each one of those thousands of third parties is essentially impossible.

Instead, you need ways to eliminate the low-risk parties. If the third party legitimately didn't have access to any sort of critical assets, from an information security perspective, we could stop right there. That subset, which was probably 40 percent of our third parties, was eliminated just by asking the question: "Do they actually have access to critical data or critical assets of any kind?"

The next step was to determine whether they were a high or a low risk. One tool we used was a really simple questionnaire that asked eight or nine questions that we thought were important. This included things like “Do you have a designated security officer?” “Do you have a corporate security policy?” “Do you install antivirus on your computers?” If they failed on any one of those questions, then we took a much closer look.

It's much like the tools insurance companies use, really. I think there are problems in the way that we traditionally have managed the risk of third parties. Instead of looking for risk indicators that tell them who they should look at because they deviate from the norm, they look for compliance with a perfect set of controls.

And guess what happens when you hand out a questionnaire of 80 questions that says, “Do you do this? Do you do that? Do you do the other thing?” All these vendors have cut-and-paste answers for you, because they've done it a million times.

George: But after you do that questionnaire, the risk posture is going to change. It could be two, three, six months, or even a year later but things will change in the organization that affect risk, right?

Eric: Yes. And so asking them simple recurring questions and then incorporating those answers into the contract gives you an interesting way to look for risk indicators. The basic questions are really just internal indicators whether they have a security program or not. And those are so basic that if you don't have one of them, it's a pretty good likelihood you are dealing with a very high-risk organization.

But this is also where something like BitSight comes in, and why we were really interested in BitSight. Looking at risk data that are publically accessible can be a way to tell you if something has gone wrong. It’s like if your neighbor suddenly stops mowing his lawn. It’s a sign – not proof, but a sign – that something has gone wrong. So if a company is normally not getting a lot of malware infection and there isn't any botnet activity originating from that company, then it probably has decent security. If that changes, and all of a sudden a bunch of command and control activity is coming out of its network, that's kind of a sign that it’s not mowing the lawn, right?

That's why you want to look at risk indicators. It's not just because there's more malware or evidence of malware infection at a company. That doesn't mean that its security program is all of a sudden completely gone. It may be that something is going on that's very short-lived, that's going to go away. But it's a reason to be thoughtful and ask questions, and say: Is there a more significant risk event occurring here, or is it an increased threat now.

# # #

Biography: Eric Cowperthwaite

Eric Cowperthwaite is a veteran security and risk management executive. In his former role, Cowperthwaite was the CSO of Providence Health & Services for more than seven years. Seattle, Washington-based Providence is a healthcare delivery provider with $12.5 billion in revenue, 32 hospitals, and more than 65,000 employees. Currently, Cowperthwaite is the vice president, advanced security and strategy, for predictive security intelligence provider CORE Security.