In this chapter, you will learn to
Recognize the importance of managing third-party information risk
Review and apply leading information risk management frameworks for their use in third-party information risk management
Describe third parties in the context of healthcare operations
Consider common administrative tools to control third-party risk
Examine the role of healthcare information privacy and security professionals in managing third-party risk and developing organizational awareness
In the previous chapter, we introduced some considerations related to risk and the technical interconnections between healthcare organizations and third parties. In short, a valid need to exchange information, a secure type of connection, and an encrypted data flow are fundamental concerns. But there are many more concerns related to managing the risk healthcare organizations face because of the business and clinical imperatives that make third-party relationships a reality. No healthcare organization can efficiently provide all administrative (and some clinical) services using just employed staff. It is too expensive. Outsourcing and contractual arrangements with third-party organizations are efficient and effective relationships to provide certain important services. In this chapter, we will explore these concepts a little more in depth. The studies of data breaches, however, continue to indicate that a large proportion of incidents happen because of the actions and inactions of third parties. A controllable, contributing factor is the lack of risk management that the healthcare organization takes.
One of the components of managing third-party risk adequately is organizational awareness. This chapter looks at some ways in which healthcare information security, particularly the risk management activities, can be promoted throughout the organization. Training and awareness are probably the most cost-effective controls an organization can use to reduce the likelihood and severity of data breaches caused by internal threats, such as employee actions. We will review several established methods for building an awareness program.
Managing the Risk of Third-Party Relationships
This section will cover the context behind the purpose and methodology of managing the risk that is inherent in having third-party organizations handle the sensitive health information on behalf of the healthcare organization. The risk management framework for third parties should not differ greatly from what an organization might use internally. We covered the leading risk management tools healthcare organizations use, including HIPAA controls, the NIST Risk Management Framework, and ISO 27001, to name just a few. Any differences in a framework to assess and manage third-party risk will typically reside in what level of access and control the healthcare organization has with the external organization. The framework choice will also depend on the healthcare organization's ability to enforce any changes.
In the United States, healthcare organizations have made complaints about the expectations of HIPAA regulators, such as using a cloud service provider to manage electronic health information–levied requirements on major, multinational corporations such as Microsoft, Amazon, and Google. Those types of organizations attract customers from many different industries ...