Third-Party Risk Management for Healthcare Companies

October 18, 2019

Risk management is an important part of any healthcare company’s business strategy. In addition to preventing financial loss, a good risk management system will also protect patient data. With the growth of cloud services and the increased outsourcing of administrative tasks in the healthcare sphere, companies have shared large amounts of data with a variety of external companies. It is therefore increasingly important for healthcare companies to implement third-party risk management techniques.

Healthcare companies retain large amounts of protected health information (PHI), which is very sensitive and highly susceptible to hacking attempts [1]. In 2018, the healthcare field had the second largest number of data breaches, according to the Identity Theft Resource Center [2]. While a healthcare company may have robust security practices in place, these are moot if a third party with access to patient data and poor security practices of its own is breached.

For example, the well-publicized data breaches at Quest Diagnostics and LabCorp were not a result of direct infiltration. Both of these breaches, which exposed the data of 20 million patients, came from an unauthorized user accessing systems owned by American Medical Collection Agency, a third-party bill collection service [3].

Third-party risk management can also be a matter of compliance. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA to cover all of a company’s business associates. For many healthcare organizations, this means that they remain responsible for the data they hand to third-party vendors [4] [5].

A common strategy used by healthcare companies is to switch from a reactive risk management program to a proactive one. Instead of waiting for a breach to occur and then implementing new strategies, organizations predict where breaches are likely to occur and fix those weaknesses before they develop into problems. However, a majority of respondents in a recent survey on risk management said that they could not keep track of the risks posed by new technologies [6]. For some organizations, integrated risk management (IRM) platforms are a useful solution for identifying and repairing possible weak points.

Companies can also require that their third-party vendors undergo a standardized certification. A common option is the HITRUST CSF certification, which was developed by an alliance of healthcare institutions. HITRUST CSF (Common Security Framework) takes a risk-based approach to HIPAA compliance and has been designed to comply with state requirements, as well. When the University of Pittsburgh Medical Center found itself unable to individually assess the risks presented by its third-party affiliates, it required them to undergo HITRUST CSF certification [6]. As a result, the organization was able to more effectively manage risk without devoting excessive amounts of time to compliance.

On a broader scale, companies can cultivate a culture of transparency internally. Along with a standardized risk management system and third-party compliance checks, a transparent culture encourages accountability across an organization. This culture of transparency also includes systematizing and standardizing risk management processes and sharing them with all applicable parties.

For healthcare companies, third parties are an integral part of a complete risk management system. By committing to screening third-party vendors, implementing a proactive certification process, and participating in ongoing monitoring, healthcare organizations can insulate themselves from the risks of third-party data breaches.


[1] Keglovits, Dennis. “Healthcare Organizations Need to Do Better with Third-Party Risk Management.” Healthcare Business & Technology, 3 Sept. 2019,

[2] Lefkowitz, Josh. “The Growing Challenge of Third-Party Risk and Compliance.” Verdict, 2 Oct. 2019,

[3] Friel, Sean. “Third-Party Risk Management: Keeping Your Healthcare Organization’s Information Safe.” Security Magazine, Security Magazine, 24 Sept. 2019,

[4] Hulme, George V. “Discussing Third-Party Risk Management in the Healthcare Industry.” BitSight, 1 May 2014,

[5] Mohsin, Tahshina. “Third-Party Risk Management.” Infosec Resources,

[6] Barker, Ian. “Managing Third-Party Risk Costs the Healthcare Industry over $23 Billion a Year.” BetaNews, 10 July 2019,

[7] Houston, John. “To Ensure Vendor Security: UPMC Turns to the HITRUST CSF Assessment to Help Manage Third-Party Risk.” HITRUST, 2018,