Twenty security and risk executives from top healthcare provider organizations have joined forces to help less equipped healthcare organizations with their information risk management. This includes combating one of the most pressing healthcare cybersecurity concerns: third-party risk management. Cyberattacks against vendors have risen alarmingly, and many healthcare organizations have been affected as a result. In 2023, the majority of the top ten data breaches were at vendors. Through a single breach of a vendor, a breach that is often due to inadequate security measures, cybercriminals are able to infiltrate the networks and data of numerous healthcare organizations.
The HSCC recently conducted a survey that showed healthcare organizations of all sizes are having difficulty managing third-party risks, with small- and medium-sized organizations having the most difficulty due to their limited budgets and resources. The survey indicated that most third-party risk management programs focus on new vendors during onboarding, while existing vendors are often not monitored or assessed. Gartner’s data shows that only 23% of security and risk leaders monitor third parties for cybersecurity exposure in real time. To combat this, a group of security professionals from leading healthcare organizations, such as AmerisourceBergen, Centura Health, CVS, HCA Healthcare, and UPMC, created the Health 3rd Party Trust (Health3PT) Initiative.
The Health3PT initiative is striving to create actionable and practical solutions that healthcare organizations can implement to ensure data security, provide consistent program reporting, and gain visibility into third-party relationships. The current methods of managing third-party risk are inadequate, with vendors relying on manual processes and creating blind spots in the risk management process. Additionally, the industry lacks proper follow-through on remediation, continuous monitoring, and assurance programs. Health3PT is looking to develop a set of common practices for healthcare organizations to use for risk management, and will provide tools and methodologies for organizations of all sizes. The first deliverable from Health3PT, a benchmark of the current industry, is planned for Q1 2023. Health3PT is aiming to tackle the growing number of supply chain attacks by introducing a standardized and measurable system for assessing third parties quickly and effectively. This system will become the foundation of third-party risk management programs in the healthcare sector. In addition, Health3PT is forming working groups and coordinating a summit that will gather vendors, stakeholders, and assessor organizations to share and discuss ideas.