Matt Kunkel

Risk Management

How Do Third Parties Impact Business Objectives?

Positive steps toward data security

Published: Wednesday, December 4, 2019 - 12:03

Third-party vendors are increasingly working with their own third parties (fourth and fifth parties), spreading your data across many different vendors. This can make your company an easy target for cybersecurity threats, especially if your organization is a hospital or part of the healthcare system. You have to be aware of the risks associated with third parties. If you aren’t, you’re playing with fire.

Failing to address third-party risk can be costly and often just as damaging as risks that originate inside the organization. It’s therefore critical that you don’t trade private data for the convenience of a third party’s services. The stakes are especially high in healthcare, where a vendor’s lapse can put confidential records, clinical information, or medical data in the wrong hands.

Identify your third parties and their risks

According to the annual Ponemon Institute study, “Data Risk in the Third-Party Ecosystem,” companies are increasingly reliant on outside vendors. On average, companies share their confidential information with more than 500 third parties. Of the companies surveyed, 53 percent experienced a third-party data breach in the past two years.

Healthcare companies must understand the role third parties play in an organization and identify what information they have access to (and what they are doing to protect it). There could be thousands of third parties that have access to a larger healthcare organization’s information.

Before you make any drastic organizational changes, figure out which companies have access to your networks, systems, data, and technology. Once you’ve accomplished this, you can assess which fourth, fifth, or sixth parties also have access to this information. Auditing your system may seem like a no-brainer, but the sheer number of organizations that are accessing your systems may surprise you.

Create a third-party risk management plan

Once you’ve completed an inventory of third parties and related risks, you can begin to incorporate third-party risk into your overall risk management plan. Categorizing relationships based on risk level is the first step. Even a system of “high,” “medium,” and “low” risk can be beneficial for resource allocation.

For every third party, risks then need to be scored and tiered so managers can focus on the higher-risk relationships. Tools exist to help managers run their third-party risk programs by managing the assessment workflow and tracking the data each vendor holds.
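The two steps above, inventorying who can reach your data (including fourth and fifth parties) and then scoring and tiering them, are worth seeing as an actual computation, because the transitive mapping is where the surprising numbers come from. The following Python is an added example written for this page; it is not the author’s or LogicGate’s code. The vendor names, the data classes, the sensitivity weights, and the tier thresholds are all constructed assumptions; the one modelling choice to note is that an unrestricted subcontractor link is treated, worst case, as passing on everything the upstream vendor holds.

```python
from collections import deque

# Constructed sample inventory with hypothetical vendor names. For each vendor:
# "data" = data classes we hand it under our own contract (empty for parties we
#          never contract with directly), and
# "subs" = subcontractors it passes data to, each mapped to the subset of data
#          classes that link is allowed to carry (None = no restriction, i.e.
#          everything the vendor holds can flow downstream).
INVENTORY = {
    "billing-saas":  {"data": {"PHI", "PII", "payment"},
                      "subs": {"cloud-host-a": None, "print-mailer": {"PII"}}},
    "analytics-co":  {"data": {"PHI"},
                      "subs": {"cloud-host-a": None, "ml-labeling": {"PHI"}}},
    "office-plants": {"data": set(), "subs": {}},
    "cloud-host-a":  {"data": set(), "subs": {}},
    "print-mailer":  {"data": set(), "subs": {"courier-co": {"PII"}}},
    "courier-co":    {"data": set(), "subs": {}},
    "ml-labeling":   {"data": set(), "subs": {"crowd-workers": None}},
    "crowd-workers": {"data": set(), "subs": {}},
}
DIRECT = ["billing-saas", "analytics-co", "office-plants"]  # our third parties

# Assumed sensitivity weights (not from the article): PHI and payment data carry
# the heaviest regulatory and breach cost, plain PII less so.
SENSITIVITY = {"PHI": 4, "payment": 4, "PII": 1}


def map_exposure(inventory, direct):
    """Walk outward from the vendors we contract with (third parties, party=3)
    through their subcontractors (fourth, fifth, ... parties) and record, for
    every organisation reached, how far out it sits, which data classes can
    reach it over any path, and which upstream vendors route data to it.
    Worst-case assumption: an unrestricted link (None) passes on everything the
    upstream vendor holds. A node is re-queued whenever new data reaches it, so
    shared subcontractors and cycles converge to the full union."""
    exposure = {}
    queue = deque()
    for v in direct:
        exposure[v] = {"party": 3, "data": set(inventory[v]["data"]), "via": set()}
        queue.append(v)
    while queue:
        v = queue.popleft()
        for sub, allowed in inventory[v]["subs"].items():
            flow = exposure[v]["data"] if allowed is None else exposure[v]["data"] & allowed
            first = sub not in exposure
            entry = exposure.setdefault(sub, {"party": exposure[v]["party"] + 1,
                                              "data": set(), "via": set()})
            grew = not flow <= entry["data"]
            entry["data"] |= flow
            entry["via"].add(v)
            entry["party"] = min(entry["party"], exposure[v]["party"] + 1)
            if first or grew:
                queue.append(sub)
    return exposure


def score(entry):
    """Most sensitive class reaching the vendor, plus one point per hop beyond
    the third party: each extra hop is a contract we did not negotiate and a
    security programme we cannot audit directly. A vendor holding none of our
    data scores 0 regardless of how far out it is."""
    if not entry["data"]:
        return 0
    return max(SENSITIVITY[d] for d in entry["data"]) + (entry["party"] - 3)


def tier(s):
    """Coarse high/medium/low buckets for triage (assumed thresholds)."""
    return "high" if s >= 4 else "medium" if s >= 2 else "low"


def risk_register(inventory, direct):
    """One row per organisation, at any depth, that can hold our data."""
    reg = {}
    for v, e in map_exposure(inventory, direct).items():
        s = score(e)
        reg[v] = {"party": e["party"], "data": sorted(e["data"]),
                  "via": sorted(e["via"]), "score": s, "tier": tier(s)}
    return reg


def parties_holding(register, data_class):
    """Everyone, at any depth, that a given data class can reach."""
    return sorted(v for v, r in register.items() if data_class in r["data"])


if __name__ == "__main__":
    reg = risk_register(INVENTORY, DIRECT)
    for v, r in sorted(reg.items(), key=lambda kv: -kv[1]["score"]):
        print(f'{r["tier"]:6} party={r["party"]} {v:14} data={r["data"]} via={r["via"]}')
    print("PHI reaches:", parties_holding(reg, "PHI"))
```

With three contracted vendors, the register ends up with eight organisations, five of which can hold PHI, and the two highest scores belong to parties you never signed a contract with. The `via` field is what tells you which contract to reopen when a fifth party turns out to be holding clinical data.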

Every third party presents unique risks that need to be managed differently over time, so staying consistently aware is key. Many companies evaluate a vendor thoroughly before they engage but drop the ball once the vendor has been a partner for a while, and the vendor’s security controls are never reassessed. Avoiding a damaging breach means actually reading your third parties’ written security policies, checking that they are followed in practice, and reevaluating them on a continual basis.

Although you might be dependent on third parties to accomplish specific tasks for your company, you can’t depend on them entirely to have your best interests at the forefront. Security is a joint effort, so don’t rely solely on another organization’s due diligence. You must hold yourself accountable as well, and perform ongoing third-party risk assessments accordingly.

Approach third-party relationships cautiously

Modern healthcare providers and facilities are increasingly outsourcing daily tasks to a wider network of third-party vendors. Third parties let companies scale quickly and inexpensively, but every new vendor widens the attack surface, and that growth can come at a far greater cost than the savings.

Attackers increasingly reach large organizations through their less well-defended third parties. Engaging with a company that will not protect your sensitive data is obviously never a good idea. Do your research and hold these companies to recognized security and compliance standards. Approach new relationships cautiously and provide appropriate oversight; this lets you build a more dynamic and interconnected relationship with your third parties by working with them to tackle security threats together. Keep watching your existing partnerships, too, as they can quickly deteriorate with poor management or little oversight.

Frequently update your plan

As new third-party relationships form and others change, it’s important to update your plan on a regular basis. Consistently evaluate third-party vendors and map out how they use your organization’s private data. Monitoring third-party risk only during the onboarding stage is not enough; risk should be evaluated throughout the relationship’s entire life cycle.

Preventing every breach is difficult, and some kind of exposure is likely to occur eventually, but consistent improvement and adaptation can limit the damage. Consider holding unannounced audits of your third parties to test your plan and surface new threats.

When third parties are involved, assessing risk is inherently more complicated, especially in the healthcare field. Third parties can often be crucial for the success of an organization, but using caution and incorporating third-party risk into your overall plan will allow for a more successful security strategy.


About The Author

Matt Kunkel

Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, Kunkel spent more than a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time Kunkel learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in governance, risk, and compliance, Matt regularly speaks and consults on risk and compliance topics.