
Cloud Security Alliance Releases Guidance on Third-Party Vendor Risk Management in Healthcare

Document outlines the security challenges facing the use of third-party vendors for Healthcare Delivery Organizations and offers assessment and protection recommendations

SEATTLE--(BUSINESS WIRE)--The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released Third-Party Vendor Risk Management in Healthcare. Drafted by the Health Information Management Working Group, the report provides an overview of the third-party vendor security risks for Healthcare Delivery Organizations (HDOs), addresses why third-party risks are more prevalent in the healthcare industry, and offers guidance around how HDOs can identify, assess, and mitigate third-party vendor risks now and in the future.

The document shares examples, use cases, and risk management program tools for how third-party vendors can be effectively utilized throughout the healthcare industry. It also outlines the different types of risk posed by third parties, including cybersecurity, reputational, compliance, privacy, operational, strategic, and financial.

“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks. These risks are even more prevalent in the healthcare industry due to the lack of automation and the proliferation of digital applications and medical devices used, time-consuming and costly vendor risk assessment procedures, and the lack of fully deployed critical vendor management controls. This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group.

“The use of third-party vendors results in an expanded attack surface as attackers can breach the vendor and either extract data from them or use the vendor to gain access to the HDOs’ systems. Failing to assess risks and implement effective monitoring controls appropriately can be costly in terms of both potential penalties and reputation. The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

The CSA Health Information Management Working Group aims to provide a direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications, and storage) to their clients, and to foster cloud awareness within all aspects of healthcare and related industries. Individuals interested in becoming involved in Health Information Management future research and initiatives are invited to join the working group.

Download the full report.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Contacts

Blair Moreland
ZAG Communications for the CSA
blair@zagcommunications.com
