IT Forefront

4 questions to pressure test your third-party risk management program

by Andrew Rebhan

Innovation, disruption, and digital transformation will further complicate an already complex cybersecurity landscape in health care. Innovation requires new strategic partnerships with third parties to deliver new-in-kind interactions and service capabilities, and every one of those business and patient care partners adds to a health system's cybersecurity risk profile: each brings its own people, systems, and connections into contact with your data.


Historically, organizations have treated third-party risk management as a one-time event at onboarding, occasionally revisited at contract renewal. Strategic leaders within the enterprise must instead recognize it as an ongoing cycle of conversations, risk assessments, adjustments, and internal discussions. A thorough program does not have to be complicated, though. Here are four questions to pressure test your existing program and identify areas for improvement.

1. Where and how thoroughly are all your third-party partnerships documented?

An accurate inventory of all third parties is a time-consuming, yet essential, first step. You cannot assess, monitor, or offboard a partner you do not know you have. For each third party, the inventory should hold:

  • Copies of every contract, addendum, memorandum of understanding, and risk assessment;

  • Critical internal and external contact information for both business and security contacts;

  • The third party's risk classification under your organization's criteria (level of access, criticality of the systems it touches, known security shortfalls, etc.);

  • The date and outcome of the last contact and the plan for the next one; and

  • Data flows and system touchpoints with the third party (what data moves where, and which accounts, network connections, or integrations make that possible).

2. What are your minimum security standards for doing business?

An agreed-upon, non-negotiable minimum set of security standards for partners sets the foundation for security prioritization throughout the relationship. These standards should be based on well-known external security frameworks (e.g., HITRUST) and should spell out expectations for specific situations, such as penalties for noncompliance and timelines for reaching adherence. Exceptions should be rare and granted only after a careful examination of the risks and benefits, with approval from senior strategic leaders or even the board, and each exception should be documented in the inventory alongside the partner it applies to.

Realistically, partners may need temporary flexibility to meet your standards. Offer secure interim solutions, such as virtual desktop infrastructure or brokered remote access that keeps your data on systems you control, until those standards can be met. However, you must make clear that you prioritize security and are willing to walk away if the standards are never met.

3. How do business relationship owners and the IT/security team communicate about changing security needs and issues?

Internal communication and collaboration are critical for addressing security issues as they arise, rolling out new minimum standards, handling an expanding or shrinking scope of partnership, and running regular recurring risk assessments. Each third party should have a named internal business relationship owner at your organization. Document that person's name and contact information, and identify a backup.

You should also establish a clear understanding of the role third-party risk management plays for the organization, as well as when and how the security liaison should be engaged. For example, the relationship owner should include the security liaison in any conversation about an adjustment to the scope of work, a contract renewal or renegotiation, or a purchase of connected hardware or software. Security liaisons should in turn update the business relationship owner on any "red flags" and their implications, so the two can address issues together before the situation escalates. These conversations should happen on a regular basis and be documented in a central location.

4. What is your contingency plan if/when each third-party relationship ends?

Today's startup-friendly and M&A-heavy industry landscape means your working relationships will evolve quickly and often with little fanfare, and some relationships simply won't work out. Work with the business relationship owner of each partnership to establish a contingency plan for replacing the third party if necessary. A full replacement may be needed for several reasons: the partner ceases operations, refuses to conform to your security standards, or carries a perceived risk that is too high for your organization to accept. The plan should also cover the exit itself: use the data flows and system touchpoints recorded in your inventory to revoke the partner's accounts and connections, and to confirm the return or destruction of your data.
