Third-Party Cloud Computing Risk Management Guide Now Available for Healthcare Providers

Analysis | By Scott Mace | August 02, 2022

Cloud Security Alliance guide describes risks to everything from patient privacy to an organization's reputation.

Healthcare organizations looking for guidance on managing third-party vendor security risks have a new resource, thanks to the Cloud Security Alliance (CSA).

Third-Party Vendor Risk Management in Healthcare gives an overview of these security risks, and offers guidance on identifying, assessing, and mitigating third-party vendor risks going forward.

Examples of risks, use cases, and tools for managing these risks are included in this toolkit. Different types of risk are described, including cybersecurity, reputational, compliance, privacy, operational, strategic, and financial.

"Healthcare delivery organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors," James Angle, the paper's lead author and co-chair of CSA's Health Information Management Working Group, said in a press release. "Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks. These risks are even more prevalent in the healthcare industry due to the lack of automation and the proliferation of digital applications and medical devices used, time-consuming and costly vendor risk assessment procedures, and the lack of fully deployed critical vendor management controls."

Health systems that use third-party technology vendors create an expanded attack surface, giving attackers an opportunity to breach those vendor-based systems, steal data from them, or use those systems to gain access to IT platforms.

And yet, use of third-party technology is projected to continue, said Michael Roza, a contributor to the paper, particularly as health systems focus their limited resources on core objectives and outsource support services to third-party suppliers.

The objective of the CSA Health Information Management Working Group is to advise health information service providers on how to deliver secure cloud solutions, including services, transport, applications, and storage, to their clients, and to increase cloud awareness among all aspects of healthcare and related industries.

CSA invites individuals interested in participating in its research and initiatives to join the working group.

Scott Mace is a contributing writer for HealthLeaders.
