Cloud Security Alliance Releases Third-Party Vendor Risk Management Guidance for Healthcare Facilities


Cyber actors are increasingly targeting business associates of HIPAA-covered entities because they provide an easy way to access the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has released new guidance on managing the risks associated with third-party vendors in the healthcare sector. The guidance was written by the Health Information Management Working Group; it includes examples and use cases and describes some of the risk management program tools that HDOs can use to manage vendor risk.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputation, compliance, privacy, operational, strategic, and financial risks that must be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with using third-party vendors to prevent and mitigate the severity of security incidents and data breaches.

Cyberattacks against vendors serving the healthcare sector have increased in recent years. Rather than attacking an HDO directly, a cyber actor may attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to an HDO’s network. For example, a successful breach at a managed service provider (MSP) allows an attacker to reach the networks of all of the company’s customers by abusing the MSP’s privileged access to customer systems. This is advantageous for the attacker because there is no need to compromise each MSP customer’s network individually.

When third-party vendors are used, the attack surface is greatly increased, and managing and mitigating risk can be a challenge. While third-party vendors are used across all industry sectors, security risks from third-party vendors are most prevalent in healthcare. The CSA suggests this is due to a lack of automation, heavy use of digital applications and medical devices, and a lack of fully deployed critical vendor management controls. Because healthcare organizations tend to use a large number of vendors, performing comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and expensive process.


“Healthcare delivery organizations entrust the protection of their sensitive data, reputation, finances, etc., to third-party vendors. Given the importance of this critical and sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess and mitigate cyber risks from third parties,” said Dr. James Angle, principal author of the paper and co-chair of the Health Information Management Working Group. “This document provides a summary of third-party healthcare vendor risks along with suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented, but it is clear from the number of third-party or vendor-related data breaches that many healthcare organizations have struggled to identify, protect against, detect, respond to, and recover from these incidents, suggesting that current approaches to vendor risk assessment and management are failing. These failures can have a major financial impact, not only in terms of the costs of mitigating breaches: HDOs also face the risk of regulatory fines from the HHS Office for Civil Rights and state attorneys general, as well as damage to their reputation.

CSA makes several suggestions in the document, including adopting NIST’s Cybersecurity Framework to monitor, measure, and track third-party risks. The NIST framework is primarily concerned with cybersecurity, but the same principles can also be applied to measure other types of risk. The main functions of the framework are Identify, Protect, Detect, Respond, and Recover. Using the framework, HDOs can identify risks, understand what data is being provided to each vendor, prioritize vendors based on their level of risk, implement safeguards to protect critical services, ensure that monitoring is implemented to detect security incidents, and ensure that a plan is developed to respond to and mitigate any security breaches.

“The increased use of third-party vendors for healthcare data processing applications and services is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational goals and to outsource support services, which makes an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.
