Health3PT initiative takes aim at hospitals’ third-party risk

A hospital often brings in suppliers: maybe a pharmacy service that handles electronic medical records, or a CT-scanning technology to inspect a broken bone. But ransomware actors target third-party imaging vendors and electronic medical records systems—meaning any third-party risk can become a first-party risk, which is no party at all.

Healthcare CISOs and industry leaders have formed the Health3PT initiative, which aims to collect best practices to address security responsibilities along the supply chain. An agreed-upon framework, its members hope, will support buyers, suppliers, and security professionals as the line blurs between a hospital environment and their partners’ environments.

“You can’t help but care about what those risks are that your partners could potentially introduce. Their hygiene is now your hygiene,” said Omar Sangurima, principal technical program manager at the Memorial Sloan Kettering Cancer Center.

Sangurima is one of many industry leaders who will be on a number of Zoom calls this year, to determine the Health3PT guidelines for third-party suppliers. The best practices will largely be pulled from the HITRUST Common Security Framework (CSF), a set of risk controls that include practices like management responsibilities, segregation in networks, and user-access rights.

Health3PT plans to publish its “research on third-party risk metrics” in the first quarter of 2023.

WannaCollaborate? When WannaCry ransomware hit hospitals in 2017, the attack froze a range of Windows-based technologies, from workstations all the way down to unpatched, connected MRI devices.

A new hospital product may lead to questions of responsibility, ones that the initiative aims to help with. For example: Who, exactly, is responsible for updating the operating system?

“It’s that meme of Spider Man: everybody’s pointing at each other, expecting somebody else to solve the problem. That’s the genesis of this council. It bring these groups together: the hospital delivery organization (HDOs), medical device manufacturer (MDMs), anybody that’s providing services within a healthcare context, and getting some consistency, some commonality around what is most important from a security perspective,” said Matthew Webb, a Health3PT member and former CISO at HCA Healthcare UK.

The council takes a similar approach to the PCI DSS (Payment Card Industry Data Security Standard), said Sangurima, which ultimately united major vendors like Visa, Mastercard, and Discover.

Health3PT brings bigger players in the healthcare space to say: These are the requirements if you want to be a third-party supplier to a hospital.

“It’s using that influence collectively, to push the rest of the market forward in terms of basic cybersecurity necessities that we need in this space,” Sangurima told IT Brew.

Participants include executives from 20 healthcare providers, including large hospital systems like Memorial and HCA, which may be helpful influences on smaller facilities like Signature Healthcare in Brockton, MA, which has about 150 physicians.

“If they’re saying, ‘Hey, we’re going to agree on what set of standards that our vendors need to meet,’ I think that’s awesome,” said Nick Szymanski, CIO and VP at Signature Healthcare. “And it gives at least, say, a site like mine, who’s not a Memorial Sloan Kettering, or HCA, huge systems, some type of framework, to say, ‘Okay, the big boys are using that.’ I think that’s a value to everybody.”—BH