TPRM Is In Crisis, But It’s Not Too Late to Change
By Brian Selfridge, healthcare cybersecurity and risk leader, CORL Technologies.
For anyone invested in Third Party Risk Management (TPRM), the last few years have been at once painful and heartening. On the painful side of the ledger, we’ve seen multiple high-profile breaches resulting in stolen patient data, reduced services and loss of trust on the part of many patients.
On the heartening side, these unfortunate incidents have made many healthcare organizations get much more serious about TPRM, treating it as an integral part of day-to-day operations.
That said, we have a long way to go. Spend any time with employees of healthcare organizations and you will hear the same message over and over again: things are better than they were, but TPRM remains fundamentally broken.
With that in mind, it’s worth taking a step back and assessing where we are with TPRM as 2022 draws to a close. What are the lingering pain points? In what areas could we stand to do a better job? Understanding the answers to these questions will help us think ahead to a better, brighter future for TPRM.
Everyone is Struggling to Keep Their Heads Above Water
The number of third-party vendors used by healthcare organizations has exploded in recent years, and this trend shows no signs of slowing down. Each one of these vendors, of course, represents a potential risk to the healthcare organization, and accordingly each one needs to be thoroughly vetted.
Of course, there is only so much time in the day, and fully vetting each third-party vendor using the standard methods takes time and resources––two of the rarest and most precious commodities in the healthcare industry.
This is a problem not just for the healthcare organizations but for the vendors themselves: each day they are flooded with more and more due diligence requests, more and more questionnaires, and because these requests are rarely standardized––i.e., every healthcare organization has its own demands and expectations––properly addressing every single issue can feel impossible.
Add in the fact that many healthcare organizations themselves function as third-party vendors and you have a recipe for an infinite backlog. Compliance concerns are forgotten, unaddressed, or addressed only partially, while critical patient information is left vulnerable. It’s an untenable situation.
TPRM is a Continual Process––But It Rarely Plays Out That Way in Practice
Think, for a moment, of airplane safety. A plane isn’t simply assessed for safety once and then allowed to fly indefinitely. Planes need to be continually probed for potential vulnerabilities and failure points. No one would dare to fly if they couldn’t be assured that this was a routine part of the process.
TPRM, of course, is no different. Technologies change; threats evolve; businesses adopt new leadership, protocols, and best practices. For a healthcare organization to be truly assured that the third-party vendors it works with are safe, it needs to assess those vendors continually. Not every day, of course, but often enough to be assured that things are continuing to function smoothly.
Given our previous point, you can start to see the problem here: if healthcare organizations are struggling to complete initial assessments of third-party vendors, how can they possibly be expected to engage in continuous monitoring?
And then there’s the fact that, even when healthcare organizations are properly surfacing risks to their third-party vendors, the third-party vendors don’t always immediately spring into action. Making sure risks are properly remediated means continually following up, and working closely with third-party vendors to get concerns addressed thoroughly. This happens much less often than one would hope.
Fourth-Party Risks Are Severely Under-Discussed
It is, again, a very good thing that healthcare organizations are taking third-party vendor risks more seriously. Unfortunately, we’ve seen little comparable movement when it comes to fourth-party risks.
It’s understandable that fourth-party risks have not been prioritized to this point. Healthcare organizations have limited resources and the highest-risk entities––i.e., third-party vendors––need to be prioritized. But the fact is that a fourth-party breach can be just as destructive to a given organization.
Because healthcare organizations are paying less attention to fourth-party vendors, they have only an incomplete sense of their portfolio; hundreds of vendors are often unassessed. This leads to massive blind spots around risks to patient data and systems across the enterprise. As incidents like Log4j and SolarWinds have demonstrated, this is a problem that needs to be dealt with––and fast.
As the above makes abundantly clear, the current models of TPRM are unsustainable and inadequate when it comes to meeting the evolving threat landscape facing our industry. But this should not be cause for despair. Technological problems inevitably yield technological solutions, and there have been countless exciting developments surrounding cyber-resiliency in recent years. What is needed is the willingness––on the part of third-party vendors, healthcare organizations, and cybersecurity professionals––to look squarely at the problem and work towards a better, safer future.