Case Study - Efficiently Gauging 3rd Party Security Risks in Health Care

OBJECTIVE

A major challenge for any health provider of significant size is to understand and manage the security risk inherent when working with business partners, vendors and third parties.

CHALLENGE

Our client, a large hospital system, was seriously underperforming in its assessment of 3rd Party security risk. As with most large health care entities, it has a massive volume and velocity of data flows of electronic protected health information (ePHI) between care providers, payers, and vendors used to provide services to patients. This, obviously, engenders significant security and privacy risks. While Business Associate Agreements (BAAs) are standard and required, they do not accurately reflect the security posture of an organization. Increasingly, corporate boards are very sensitive to data loss caused by 3rd party inadequacies. The large Target breach of 2017 was directly attributable to poor 3rd party oversight.

SOLUTION

What is required is to identify the key vendors/partners with whom health providers share information, rank them in terms of importance, and subsequently use a light-weight tool and process that allows for proper due diligence.

People: First, we conveyed forcefully to senior leadership the risk to the organization from relying on the security of vendors and partners. Moreover, a 3rd party vendor assessment program is viewed as vital by regulatory and supervisory authorities such as the Joint Commission and the Office for Civil Rights, which pursues violations of the HIPAA Security Rule.

Process: Next, we developed an inventory of the most critical vendors. Out of several thousand vendors, we identified, and vetted with senior leaders, the top 100 vendors that must demonstrate the adequacy of their security program.

Technology: It was also critical that we not make our approach to 3rd Party evaluation cumbersome or expensive, which would be detrimental to both the provider and the third parties. We addressed this by creating a lightweight tool whose answers provide a robust perspective on the state of a vendor's security. The overall time spent by the vendor is likely to be no more than 2 hours, and the evaluation of the results by the provider also became far simpler.

OUTCOME

3rd Party assessments are increasingly important to understanding the risk that vendors and business partners pose to the organization. We delivered a lightweight, robust process to address this key regulatory requirement. For more information, reach out to me. I'd be happy to share our thinking.

Feisal Nanji

A seasoned C-Level Technology Risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 Billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization's electronic medical records (EMR) system with over 8 million members and 3 million health records.