As we wrap up our blog series on the digital risk surface of healthcare firms, it is important to note that this study was not only created to be a source of information for gaps in cybersecurity programs, it is also meant to be a guide for creating better third-party risk management programs in the healthcare industry. Hospitals, labs, pharmaceutical companies, research institutes, etc. are vital to our world, and the data they hold requires the utmost care and security measures.

With multiple roles at healthcare providers responsible for managing third-party risk in multiple capacities, it’s important to understand who and how to take action. Not all of the findings from our recent report apply to everyone, so below you’ll find a checklist of ways to leverage these insights functionally into your role.

CISOs and Security Directors

  • It's time for healthcare CISO’s to move beyond managing vulnerabilities and start managing their risk surface on the Internet. Since the rate of critical findings in healthcare is the worst comparably to any other sector in the broader data set, it's critical to assess your current management of sensitive data and functionality that has exposure to the Internet. Are you concentrating risk in as few systems as possible? Where are those high-risk systems hosted? As this study shows, leading sectors are paying attention to these factors.
  • The healthcare sector is struggling to achieve the quality of cybersecurity in cloud-hosted environments that they have realized on-prem. If you think you are ready, you’ll have to be doing something dramatically different than your peers. Is that the case?
  • While your organization may be doing well, data shows your critical vendors and partners in other sectors may not be. Does your third-party risk team have the resources to ensure they perform to your standards? What can you learn from your critical, yet low-risk vendors?

Third-Party Risk Teams

  • Consider shaping the breadth and depth of your third-party assessments based on industry. The data suggest it's worth allocating more resources to challenged sectors such as healthcare and professional services while backing off on leaders such as credit card issuers and commercial banks.
  • Effective control of cloud computing is problematic for all industries. Do you know the extent of your vendor’s cloud-computing usage? Is your cloud assessment methodology holding vendors to a high standard of performance?

Internal Security Teams

  • It is on you to define and execute the strategies to successfully manage your risk surface across all dimensions. Implement processes to shape your risk surface to be more defensible even if it means accepting the reality of poorly performing risk scoring as a starting point to build a more robust program.
  • The patterns and expertise for managing on-prem computing were developed over decades. Today’s pressing threat pressure does not provide the same luxury of time for figuring out cloud computing security. It is on you to raise the red flag if cloud computing is moving faster than your teams are capable of securing it.
The insights we gathered during our research were combined into one report that you can download here. Stay tuned for more security research to come from RiskRecon and Cyentia Institute.