Managing Third Party Risk – Don’t let someone else’s iceberg sink you

PROBLEM

Many of the entries on the “Wall of Shame” at CMS (the web page that lists mass data breaches) are there not due to their own actions, but those of a third party. Even the smallest healthcare company is likely to send its data out to many business associates, and to offer system access to many other third parties. Either of these options greatly increases the risk to that company. A Business Associate’s data breach rebounds to the responsibility of the Covered Entity, per HIPAA. And most organizations have excellent perimeter controls, but are far more vulnerable to an authenticated user, which means a compromised account of an external user will leave its partners very vulnerable to the same attacker. Managing the risks from both these types of third parties – Business Associates, who receive data, and External Users, who get system access – is essential to securing your own information.

SOLUTION

This is a problem to manage, not a problem to solve. Even more than with most security tasks, managing the risk from third parties involves trade-offs, imperfect knowledge, and risk acceptance. Cooperation from the end users who work with these third parties is essential.

1. Inventory: The first and most essential step is to understand to whom you are sending information, and to whom you are granting system access. Some sources for this inventory are contracts with vendors, help desk tickets, user account actions, interface engines and FTP logs, the list of VPN users, and logs of visitors to the data center. Each of these third parties should have a business owner assigned to it, who will help evaluate what they need and what security options will meet the needs of the business and of security.
2. Identify their methods of access or transmission: The inventory should include the technical mechanisms for how the third party does its work. Data transfer mechanisms such as SFTP, account access methods such as VPNs, and the details of how the third party’s account is managed must all be understood. Any obvious red flags (such as emailing unencrypted Excel spreadsheets) should be fixed in this step.
3. Implement “Minimum Necessary”: It’s very possible that the information or access that was originally given to the third party is excessive. When setting up a third party, the emphasis is usually on “get this done” than “do this right”. The business owner should help determine what’s truly necessary. Be sure to politely challenge him on what’s needed, vs what’s easy or only potentially needed.
4. Perform Due Diligence: Ask the third party how they secure their own infrastructure and data. A leading-edge company will be able to answer crisply and in detail; ideally with an SSAE 16 or other audited statement. Be wary of weasel words, however. Often times the responses you’ll get are impressive-sounding but fall apart under closer examination. Pay particular attention to: how they handle backup media, unencrypted endpoints like laptops and USB drives, and their own third parties – these are all common ways to lose data.
5. Get it in writing: It is one thing to talk a good talk. But the assurances you get in the prior step should be written into the third parties’ contract wherever possible. This often comes down to a duel of lawyers, and the deciding factor is the relative bargaining power of each side. However, written clauses regarding security, even referenced in as “Appendix A”, can provide great clarity around the expectations of each side.
6. Review regularly, and cut off promptly: At least annually, sit down with the business owner of each third party, and review what they still need and how they get access or data. This will not only keep the inventory current, but identify those third parties that need to be cut off. In an ideal world, the business owner would inform IT when a contract ended, but experience has taught otherwise. As soon as a third party no longer needs access or information, terminate the access or transmission, and send notice to them to destroy any info of yours they still have.

IMPACT

No man is an island; and this goes double for healthcare. Every organization must deal with many third parties to serve patients. Securely managing what information they have, and what they do with it, is essential for safeguarding your own organization.