Featured Product
This Week in Quality Digest Live

More Videos

Risk Management Features
Traceability in Calibration
Master Gage and Tool Co.
Why it matters for accurate measurements
The Ultimate Guide to ISO 14155:2020 for Medical Devices
Jón Bergsteinsson
Understanding the standard is essential
How to Use Mistakes to Improve Quality
Megan Wallin-Kerth
Or, how mistakes factor into a kaizen mindset
My Research Can Help Protect You and Your Company From Hackers
Shaneé Dawkins
Learn how to spot and avoid common phishing tactics
The Return-to-Work Ultimatum Shaking Wall Street
Gleb Tsipursky
Tension between desire for flexibility and perceived need to be visible for career advancement

More Features

Risk Management News
DNV Launches Recommended Practices for Safely Applying Industrial AI
Providing practical interpretation of the EU AI Act
NIST Phish Scale User Guide Now Available
A tool to help detect sinister email
NIST Seeks Collaborators to Support Artificial Intelligence Safety
Developing tools to measure and improve trustworthiness
Engineers Save Time With Simplified Reporting for Nondestructive Testing
Custom apps for use in the field
Honeywell Launches Product Quality Review Automation Application
Streamlines annual regulatory review for life sciences
NIST Cybersecurity Framework 2.0 Expands Scope
Adds increased focus on governance
CIMdata’s PLM Certificate Program Coming to Northern California
Educational offerings available in Santa Clara in December 2023
NIST Standards to Help Eliminate ‘Forever Chemicals’ in Firefighting Foams
References to be made available for measurements
AI Can Speed Car Seat Quality Inspection by More Than 27 Times
Greater accuracy in under 3 seconds of inspection time

More News

Matt Kunkel

Risk Management

How Do Third Parties Impact Business Objectives?

Positive steps toward data security

Published: Wednesday, December 4, 2019 - 12:03

Third-party vendors are increasingly working with their own third parties (fourth and fifth parties), spreading your data across many different vendors. This can make your company an easy target for cybersecurity threats, especially if your organization is a hospital or part of the healthcare system. You have to be aware of the risks associated with third parties. If you aren’t, you’re playing with fire.

Failing to address third-party risk can be costly and often just as damaging as risks that stem from within the organization. Thus, it’s critical that you don’t compromise private data in exchange for the convenience of services provided by third parties. These data are especially important in the healthcare industry because confidential records, clinical information, or medical data could end up in the wrong hands.

Identify your third parties and their risks

According to the annual Ponemon Institute study, “Data Risk in the Third-Party Ecosystem,” companies are increasingly reliant on outside vendors. On average, companies share their confidential information with more than 500 third parties. Of the companies surveyed, 53 percent experienced a third-party data breach in the past two years.

Healthcare companies must understand the role third parties play in an organization and identify what information they have access to (and what they are doing to protect it). There could be thousands of third parties that have access to a larger healthcare organization’s information.

Before you make any drastic organizational changes, figure out which companies have access to your networks, systems, data, and technology. Once you’ve accomplished this, you can assess which fourth, fifth, or sixth parties also have access to this information. Auditing your system may seem like a no-brainer, but the sheer number of organizations that are accessing your systems may surprise you.

Create a third-party risk management plan

Once you’ve completed an inventory of third parties and related risks, you can begin to incorporate third-party risk into your overall risk management plan. Categorizing relationships based on risk level is the first step. Even a system of “high,” “medium,” and “low” risk can be beneficial for resource allocation.

For every third party, risks then need to be scored and tiered so managers can focus on higher-risk relationships. There are innovative tools available for managers to monitor their third-party risk programs by facilitating workflow and tracking data.

Every third party presents unique risks that need to be managed differently over time; therefore, staying consistently aware is key. Many companies successfully evaluate their third-party risk before they engage but drop the ball after the vendor has been a partner for a period of time, and reevaluations of the vendor’s security protocols aren’t performed. Avoiding a detrimental security breach includes actually reviewing the written policies of your third parties and reevaluating them on a continual basis.

Although you might be dependent on third parties to accomplish specific tasks for your company, you can’t depend on them entirely to have your best interests at the forefront. Security is a joint effort, so don’t rely solely on another organization’s due diligence. You must hold yourself accountable as well, and perform ongoing third-party risk assessments accordingly.

Approach third-party relationships cautiously

Modern healthcare providers and facilities are increasingly outsourcing and relying on a wider network of third-party vendors to accomplish daily tasks. While third parties allow companies to quickly and inexpensively scale, this growth can come at an even greater cost.

Cybercriminals today prefer to target larger organizations through third parties. Engaging with a company that will not protect your sensitive data is obviously never a good idea. Do your research and hold these companies to reliable security and compliance standards. Approach new relationships cautiously and provide appropriate oversight. This will allow you to establish a more dynamic and interconnected relationship with your third parties by working with them to tackle any security threats. Focus on your current partnerships, too, as they can quickly deteriorate with poor management or little oversight.

Frequently update your plan

As new third-party relationships form and others change, it’s important to update your plan on a regular basis. Consistently evaluate third-party vendors and map out how they use your organization’s private data. Monitoring third-party risk only during the onboarding stage is not enough; risk should be evaluated throughout the relationship’s entire life cycle.

Preventing breaches can be a difficult task, and inevitably some kind of exposure will likely occur, but consistent improvement and adaptation can lessen the damage. Consider holding an unexpected audit on your third parties to revise your plan and recognize new threats.

When third parties are involved, assessing risk is inherently more complicated, especially in the healthcare field. Third parties can often be crucial for the success of an organization, but using caution and incorporating third-party risk into your overall plan will allow for a more successful security strategy.

Discuss

About The Author

Matt Kunkel’s picture

Matt Kunkel

Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, Kunkel spent more than a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time Kunkel learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in governance, risk, and compliance, Matt regularly speaks and consults on risk and compliance topics.