Management, compliance & auditing

Third-Party Risk Management

Infosec Institute
October 11, 2016 by
Infosec Institute

Third-party risk management has started to gain much importance, as organizations turn more toward outsourcing to reduce their operating costs and put more emphasis on core competencies. However, in addition to a number of benefits, outsourcing services brings many significant risks. In response to this, regulatory bodies like OCC, OIG, and FFIEC are now stressing the importance of meeting with potential third-party risks. They are requiring organizations to proactively identify potential risks, verify the compliance of business partners and their employees, monitor compliance gaps or new risks arising out of changes, and to investigate and remediate incidents.

According to a report by the global consulting firm Protiviti, third-party risk management programs in healthcare industry are not satisfactory, thus putting data at risk. Healthcare organizations are not ready to face sophisticated cyber-threats of their own, let alone those of third parties. The report also indicated that healthcare ranked lower than other industries in areas such as evaluation of key risk and performance indicators, tracking and communicating incidents, etc.

Why Is Risk Management Important for Healthcare?

Risk management in healthcare is even more important than in other industries. Why? Because, in general, organizations develop risk management processes to avoid and mitigate financial loss. In healthcare however, it’s not only the financial loss but also the patient safety that is important.

Let us consider a healthcare organization that has to develop a risk management strategy. Even when dealing with third-party risk management, it has to first develop a risk management process within its environment and then apply the same arrangement to third parties. A simple step-by-step process will help explain how it can go about it.

  • Employee training and education which explains risk management strategies, risk prevention, and the mitigation process.
  • Documentation of entire risk management process for future reference.
  • Coordination at functional level, i.e., between the departments, to keep everyone on the same page and to avoid any claims of malpractice.
  • Prevention from avoidable risks by the employees.
  • Correction by reacting to unavoidable risks with speed and accuracy.
  • Risk mitigation by prompt response to complaints
  • Incidence response and reporting to reduce potential risks in future.

The risk management process further goes into deep detail, but this is a good place to start from. Regardless of who is in charge of risk management, a healthcare risk management plan should always cover patient safety, potential medical error, mandatory regulations, risk management policy, and the impact of legislation.

Why Is Third Party Risk Management Important?

The first and foremost issue is compliance. In the Health Information Technology for Economic and Clinical Health (HITECH) Act, all healthcare business associates are applicable to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. However, the real challenge for healthcare system lies in identifying all the business associates and subcontractors and then ensuring that they meet complete requirements of the Security Rule.

For a large company with hundreds of third parties, it is almost impossible to expect to get down to details with each of them. What needs to be done instead is to eliminate low-risk parties, meaning those that do not have access to your critical assets or information.

Third-Party Risk Management Process

An overview of third-party risk management by healthcare organizations may look like this:

  1. Conduct initial risk review based upon the risk tier
    1. Review documentation
    2. Conduct on-site review
    3. Carry business process documentation
    4. Assess Inherent risk/residual risk
    5. Develop remediation plan
  2. Carry out ongoing risk monitoring for changed risks and changes taken place at the third parties.
  3. Conduct periodic reviews based upon the risk tier

Now, let us look in more detail at what risk management means for various third parties.

Business Associates

A business associate is an entity that carries out various activities involving the use of protected health information or provides services to a covered entity.

Healthcare information is more valuable and long-lasting than credit card information and this is why the HIPAA Final Rule comes with strict security and data privacy requirements for business associates. Business associates are often the weak link in the healthcare value chain and are easy targets for attackers. You breach one supplier and you get to access data of multiple companies. Though they may not be familiar with these requirements, when a business associate deals with covered entities in the healthcare system, it falls under the compliance scope. Even though the nature of functioning of business associates and subcontractors may be totally different from that of a healthcare provider, they need to fully comply with the HIPAA Privacy Rule.

The risk assessment process for business associates should help identify vulnerabilities in physical, administrative, and technical safeguards and recommend remediation strategies for improvement. Under the Final Rule, business associates that may have never considered themselves accountable are now finding themselves to be liable for safeguarding protected health information (PHI). Healthcare organizations now need to demand proof from their business associates of what measures they are taking to protect patient data and to mitigate the risks.

Other than asking for a proof of “risk analysis” from business associates, healthcare providers also need to demand proof of other steps being taken to address the risks. This proof can perhaps be a security audit report, a security testing report, etc.

Subcontractors

The Final Rule also talks about subcontractors, who are responsible for creating, receiving, maintaining, or transmitting PHI as a business associate of a business associate itself. Hence, any entity that assists a business associate to code, bill, or collect or stores or transfers healthcare data on behalf of the business associates, is a subcontractor.

Just like the business associates, the Final Rule also holds subcontractors directly liable to comply with the physical, administrative, and technical safeguard requirements, as mentioned in the table below. As for business associates, the subcontractors also hold civil and criminal liability in case of use and disclosure of PHI without permission, failure to provide notification of breach to the covered entity, failure to comply with Security Rule requirements, etc.

Challenges

New construction or renovation at a healthcare facility can result in environmental risks that can put patient health at jeopardy, thus leading to financial loss. Increased competition and advancement in technology is resulting in transformation of healthcare facilities, thus exposing patients to pollution. Other than standard mechanical, electrical and plumbing (MEP) systems, hospitals also require a broad range of systems such as gas lines and extended IT infrastructure. These, among many others, need to be implemented within the space available. In addition to that, neighboring facilities are also of concern because, in healthcare, you have to work on a project that is in or around an occupied building. People within these facilities may have low immunity levels and special care needs to be taken in this regard.

Minimizing Risk

You need to choose subcontractors and suppliers with a smooth cash flow. Insurance programs are also used to help manage risks. These may be owner-controlled or contractor-controlled, depending upon the preference. New units, such as bathrooms, can be built as modular units. This would ensure safety, promote uniformity, speed up schedule, and reduce physical damage.

A summary of three security safeguards for business associates, subcontractors and covered entities under the Security Rule is given below:

Physical

Control physical access to your office and computer systems

  • Facility access controls, such as locks and alarms, to ensure only authorized personnel have access to facilities that house systems and data
  • Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access to authorized
  • Users of workstations use policies to ensure proper access to and use of workstations

Administrative

Establish standards and specifications for your health information security program that include:

  • Security management processes to identify and analyze risks to ePHI
  • Implementation of security measures to reduce risks
  • Staff training to ensure knowledge of and compliance with policies and procedures
  • Information access management to limit access to ePHI
  • Contingency plan to respond to emergencies or restore lost data

Technical

Include hardware, software and other technology that limits access to ePHI, such as:

  • Access controls to restrict access to ePHI to authorized personnel only
  • Audit controls to monitor activity on systems containing ePHI
  • Integrity controls to prevent improper ePHI alteration or destruction
  • Transmission security measures to protect ePHI when transmitted over an electronic network

Merger

Mergers and acquisitions are often pursued by organizations to develop strategic advantages by uniting workforces, intellectual property, and technology. Organizations mostly look into risk factors associated with the financial or legal matters of the merger but many times they fail to focus on the aftermath of integrating cyber-security technologies and policies of two separate organizations.

Just as in any other industry, a high pressure to reduce costs results in a significant increase in the trend of mergers in the healthcare industry. This presents major challenges that need to be addressed before and after consolidation of organizational culture, goals and strategic objectives.

Preparing for the Change

Senior management plays a bigger part in identifying and tackling major risks in case of merger:

  • Define and clarify a shared vision of both management teams.
  • Identify the employees and the operations that may be disrupted as a result of change; make short-term and long-term plans to support the key employees of the workforce.
  • Develop an action plan for integrating the cultures of both organizations in priority areas.
  • Provide customer support and train employees before the merger to prepare them.
  • Track progress and mitigate ongoing risks.
Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.