Look to these best practices to enhance your organization’s vendor risk management program
Vendor partnerships are critically important in today’s business world. The pandemic accelerated many organizations’ digital transformation, and the shift to remote operations, cloud adoption, and virtual services, such as telehealth, medical apps, and other healthcare technology and communication platforms, continues to expand. This increased reliance on third parties also comes with a price: added exposure to cyber risks and vulnerabilities.
While the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is exercising its enforcement discretion to not impose penalties for noncompliance with HIPAA and the HITECH Act as it relates to “good faith” implementations of remote technologies used to provide telehealth, that is not to say that such regulations are not important to customer data and the organization’s reputation, as well as to future enforcement by OCR and HHS.
One thing’s for certain: Healthcare data breaches continue to rise in 2022. So far this year, healthcare providers have reported 96 breaches affecting 31.6 million individuals within the past 12 months, compared to 39 breaches affecting 10.3 million in the 12 months prior. Some notable breaches this year have involved third parties.
Recently, North Broward Hospital District (Broward Health) notified OCR of a breach affecting 1.3 million individuals. According to the January 2022 notification, an intruder gained access to the Broward Health system through a third party. Data about patients and staff, including names, birthdates, financial information, Social Security numbers, treatment and diagnosis records, and other sensitive information, was exposed.
More recently, Shields Healthcare Group, an MRI, PET/CT, and ambulatory surgical services provider, disclosed in May 2022 that patient data had been compromised, including data belonging to its 50 partner facilities (and potentially their partners), exposing the data of 2 million individuals.
Mitigating ‘Nth party risk’
Increased exposure via vendors is called “Nth party risk,” or the idea that a breach to your organization can come through a vendor’s vendor or even a vendor’s vendor’s vendor. Breaches involving third parties cost up to $700,000 more on average. Yet experts warn that nearly three-quarters of organizations still aren’t demanding their vendors implement proper information security practices.
Enhancing your vendor risk management
Organizations should take a holistic approach to champion information security across their business and vendor network.
To start, designate a team (that includes members of executive management and in-house IT professionals) to develop a program that both manages business associate and vendor relationships to mitigate the associated risks and evaluates the organization’s environmental, social, and governance (ESG) impact. Consider engaging an experienced and knowledgeable risk advisory firm to assist with these efforts and help identify any gaps.
Consumers are becoming more socially conscious, and ESG-related regulations are on the rise. Those organizations that do not comply may fall behind. ESG is not only about climate change and labor standards. It is also about company practices, community relations and customer satisfaction, as well as executive and board composition. Cybersecurity plays an important role within the social pillar of ESG frameworks and how the organization operates and manages the data it has been entrusted with. This includes managing those cyber risks brought on by engaging with vendors. For these reasons and more, it is critical that an organization implements an appropriate vendor management program that includes cybersecurity.
Below are six practices that can enhance your vendor management program and help you mitigate third-party cyber risk.
1. Establish risk appetite and tolerance across the entire organization.
Each organization has its own approach when it comes to risk. However, every organization needs to determine its risk appetite and risk tolerance to serve as a guide for the vendor management program. Specifically, leadership needs to decide which types of risks and the amount of risk the organization is willing to accept in conducting business.
– Risk appetite is the overall risk or loss exposure the organization is willing to accept or bear in pursuit of its business objectives.
– Risk tolerance is the specific level of risk that an organization can accept or bear with regard to an individual project.
It’s possible that your organization has a low risk appetite overall but a higher risk tolerance when it comes to a specific area, or vice versa.
2. Assess business associates and vendor risk.
Each business associate or vendor opens your organization to potential risk — and that risk increases as their access increases — so do your due diligence. Determine how critical the vendor is to the success of your business and what potential risks they could pose, not only to your operations but to your reputation. During your due diligence, the organization should also review the vendor’s environmental and social impact, as that may in turn affect the organization.
Request a system and organization controls (SOC) report from the vendor. For evaluating cybersecurity-related controls, you should specifically ask for a SOC 2 report, which may include an assessment of compliance with HIPAA. The report will include an independent auditor’s opinion on whether the cybersecurity controls in place are suitably designed and implemented as of a point in time (Type 1), and whether they are operating effectively over a period of time, such as a 6- or 12-month period (Type 2). It’s important that all vendors who manage your clients’ data have controls in place to mitigate risks from relevant threats and vulnerabilities to the business.
A qualified risk advisory consultant can perform a comprehensive risk assessment to help you identify vendor-related vulnerabilities, rank each vendor’s risk based on factors such as access to critical data and operational activities, and assist with developing corrective actions to remediate identified control issues or gaps.
3. Establish a universal risk rating methodology.
A business associate or vendor risk rating system will help you allocate resources to focus on higher-risk organizations. Following the same methodology across the organization’s various risk assessments, including IT, cybersecurity, and enterprise risk assessments, adds uniformity and standardization across the organization and helps leadership bring together all risks and identify any areas where risk exceeds the organization’s risk tolerance.
For example, if you choose three levels (e.g., high, moderate, low), use them throughout all risk assessments. Also, consider using an existing and recognized framework to help you identify and manage risks. Depending on the type of risk assessment, a different framework may be appropriate.
As part of this exercise, you will establish a consistent risk rating system and implement an appropriate risk management methodology across the organization.
4. Create boundaries with vendors.
Set your business up for success by creating boundaries — or a minimum set of requirements for cybersecurity — with your vendors. The most basic may be requiring vendors to have their own information security program, but it’s also a good idea to clarify the boundaries between your vendor and their vendors or clients.
A recent example of the importance of vendor boundaries is the Volkswagen Group of America breach announced in June 2021, which disclosed that one of its vendors had exposed the data of more than 3.3 million of its customers. One of the primary lessons learned so far from the ongoing investigation is that providing vendors with unlimited access to your network can have devastating consequences.
While this situation is sometimes difficult to avoid, there are ways to protect your customers by setting boundaries for your vendors, which help mitigate the risk that a vendor will compromise your organization’s ability to maintain a secure environment:
– Segregate your vendors from the network
– Have a redundant system working in parallel
– Use an unrelated third party to actively monitor for anomalies
– Define vendor responsibilities for responding to and recovering from incidents prior to engaging with them
Privacy, security, and breach notification requirements for healthcare organizations require a business associate agreement with any vendor with whom protected health information (PHI) is shared.
5. Develop an enterprise-wide vendor management program.
The vendor management program should also include other criteria such as:
– A formal vendor selection process
– Contract requirements: data breach notification requirements, termination clauses, confidentiality, minimum information security requirements and cybersecurity requirements, defined roles and responsibilities, monitoring/right to audit
– Due diligence: financial review, business continuity planning/disaster recovery planning, incident response procedures, HIPAA compliance review, information security program, SOC review, OFAC review, site visit, performance and privacy program review according to their risk rating
– Ongoing risk-based monitoring
– Vendor termination procedures and follow-up
6. Stay up-to-date.
Vendor management isn’t a task to check off a list. It’s critical to review and update your program annually. Pay special attention to material changes, such as managerial changes within your organization or newly onboarded technology, that may require further action to confirm alignment with the organization’s risk and governance policies.
When not managed properly, vendor risk can lead to financial loss, reputation damage, lost business, and regulatory penalties. However, cyber risks and other third-party-related risks can be mitigated by developing, implementing, and maintaining a strong and sound vendor risk management program.
About Daniel Rosenberg
Daniel Rosenberg is a manager in Kaufman Rossin’s Risk Advisory Services practice, where he performs cybersecurity and compliance services.
About Nathalie Feria
Nathalie Feria is a manager in Kaufman Rossin’s Risk Advisory Services practice, where she works with clients on information security and investigative engagements related to money laundering, due diligence, and internal corporate compliance.