Assessing the risk of third-party vendors has been a growing problem for compliance management. Because of the growing number of data breaches related to third-parties, regulators have been focusing on the inherent risks of outsourcing. Within the financial services industry, this has long been accomplished via a SAS70 (now SSAE16) type audit.
Within the U.S. healthcare industry, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in early 2009, put enforcement teeth behind vendor breaches of medical records. Among other requirements, it essentially extended the liability of Covered Entities under HIPAA to their Service Providers. This created a flurry of activity as covered entities struggle to find ways to manage and assess the risk of hundreds or even thousands of vendors.
This month a milestone was reached, as the Department of Health and Human Services (HHS) took the first enforcement action for a breach under HiTECH. As part of the enforcement, BlueCross BlueShield of Tennessee, Inc., agreed to pay $1.5 million in fines as a result of the theft of 57 unencrypted hard drives taken from a data closet in a Chattanooga facility that was no longer in use by the company.
This is likely to be only the beginning. Since 2010, reports to the HHS breach reporting site has averaged about 17 breaches per month, with over 500 reported so far.
Managing Third Party Risk with Information Security Policies
Written information security policies are an essential part of managing risks related to third-parties. (The requirement for written policies is clearly spelled out within the HIPAA Security Rule.) There are several key areas to consider when developing information security policy documents for vendors:
1. Vendor Approval and Establishment – The first step is to properly assess the risks of outsourcing to any third party vendors. (This is broadly covered in ISO 6.2.1 Identification of risks related to external parties.)
2. Contract Management – All contracts with third-party vendors must include information security requirements. (This topic is covered in ISO 27002 section 6.2.3 Addressing security in third party agreements.) The types of security controls may depend heavily on the type of vendor and type if information being accessed by the vendor. For example, Information Security Policies Made Easy has over 25 different controls related to vendor contract management.
3. Ongoing Monitoring – Once established, third-party vendors must be monitored for ongoing compliance, including any major changes to their business that may impact their performance. (ISO 27002: 10.2.2 Monitoring and review of third party services) For example, HiTECH requires that Services Providers who experience a breach must notify the Covered Entities that they serve.
4. Contract Termination – This final phase of a vendor relationship is often overlooked. Once a relationship is terminated, all access points between the vendor and the organization must be removed. This includes removal of third-party user accounts. In some cases, this is as basic as leaving confidential information behind on the vendor premises, as happened in the BlueCross incident.
In summary, organizations must consider the relationship with third-party vendors as a complete life-cycle. Poor security controls during any phase of the relationship can expose the organizations to unnecessary risks.