Many organizations rely on third parties, including vendors, partners, suppliers, and contractors, to keep their operations up and running. Often, third parties are granted access to an organization’s critical systems, networks, and sensitive data, putting the organization at risk of a cyberattack or data breach originating with the third party. Any vulnerability or gap in the cybersecurity of the third party can provide an opening for a threat actor to access an organization’s digital assets and networks. 

Healthcare organizations are particularly vulnerable to the risk posed by third parties because they handle and process large volumes of protected health information (PHI), including Social Security numbers, birthdates, medical histories, and financial information. According to Black Kite’s Annual Third-Party Breach Report 2024, the healthcare sector was the most common victim of third-party data breaches, making up one-third of all incidents in 2023. And recently another major health data breach involving third-party services firms made headlines. As a result, assessing third-party risk is of utmost importance to healthcare organizations to properly safeguard PHI and any other sensitive data. Healthcare organizations need to know when to address cyber risk with third parties and how to evaluate the strength of a third party’s risk management.

When to address third-party risk

Cybersecurity threats are a concern for every healthcare organization, large and small, and every third party that healthcare organizations do business with. Third-party risk is a serious consideration for any new business relationship, so when beginning a business engagement, your organization should promptly address the cyber risk of the third party.

“The best time to ensure a vendor meets security and compliance requirements is prior to purchase by reviewing the vendor’s processes and controls available and alignment with the practice expectations and needs,” said Dustin Hutchison, Chief Information Security Officer and Vice President of Services at Pondurance. He insists that healthcare organizations of any size should focus on ensuring that required security controls are in place by having a conversation with the vendor before purchase and including those requirements in the contract agreement. That way, your organization can select third parties that pose less risk or can mitigate the risk before doing business with that third party.

In addition, a healthcare organization should perform ongoing, periodic risk assessments as the business relationship continues and following any significant change to the organization’s network.

How to evaluate a third party’s cyber risk

Organizations in the healthcare sector work, on average, with 15.5 third-party vendors, according to a 2023 Close Encounters of the Third (and Fourth) Party Kind study. The study also reported that 98.3% of all organizations, healthcare and otherwise, have a relationship with at least one third party that suffered a data breach in the last two years. So how does a healthcare organization evaluate which third parties are safe to do business with? A vendor risk assessment is required. 

A vendor risk assessment is a process that evaluates the risks —operational, financial, compliance, security, and reputational — posed to your healthcare organization by third parties. 

Organizations often perform vendor risk assessments using questionnaires to evaluate a third party’s cyber processes and policies related to those risks. Your organization needs to ask important questions such as: Does the third party use a cybersecurity framework (CSF) such as NIST CSF? Has the third party ever experienced a data breach? Is the third party fully compliant with statutory regulations such as HIPAA? Has the third party ever paid fines or penalties for noncompliance with regulations? Getting accurate and appropriate answers to these questions and others is important to the process.

“Healthcare organizations should have higher expectations of their vendors and third-party providers, especially when patient data is in scope,” Dustin said. “The leadership of the organizations purchasing and using third-party solutions must support a robust vendor risk management program and understand that not all risk can be transferred to a third party, especially considering reputation damage and the loss of customer confidence.” 

Dustin believes that managed detection and response providers, like Pondurance, should use a risk-based approach to cybersecurity to keep healthcare organizations safe from cyberattacks and data breaches. A risk-based approach focuses on an organization’s unique cyber risks and considers what an organization wants to accomplish and what it needs to protect. Once a risk assessment identifies an organization’s cyber risks, the organization prioritizes those risks to protect the data and assets that matter most to the organization.

“Organizations are going to have different requirements, but establishing a strong program baseline for all of their third parties should be the norm,” Dustin said. “Being able to demonstrate an aggressive vulnerability management program with appropriate access controls, auditing, and proactive detection and response goes a long way.”

Conclusion

Healthcare organizations rely on third parties to keep their operations up and running, yet any vulnerability or gap in the cybersecurity of the third party can provide an opening for a threat actor to execute a cyberattack or data breach. That’s why assessing third-party risk is critical to keeping the healthcare sector safe from threats. Watch Dustin’s recent webinar Risk-Based Approach to Cybersecurity and Compliance to learn more.