Free Healthcare Toolkit: Mapping and Ranking Third-Party Risks

Third-Party Risk Management,
Governance & Risk Management,
Healthcare

New Guide Aims to Help Organizations Focus on Vendor Risks Strategically

Free Healthcare 'Toolkit' Ranks and Maps Third-Party Risk
The SMART Toolkit from the Health Sector Coordinating Council aims to assist healthcare entities in managing third-party risk effectively. (Image: HSCC)

The healthcare sector faces significant challenges in managing third-party security and supply-chain risks, mainly due to the multitude of vendors involved and the critical services they provide. Recognizing the complexities of these risks, the Health Sector Coordinating Council (HSCC) has launched a new guidance document designed to assist various health sector organizations, including patient care providers and insurance companies, in navigating these challenges.

Released this week, the HSCC’s Health Industry Cybersecurity Sector Mapping and Risk Toolkit—commonly referred to as the SMART toolkit—was developed over a span of 16 months, incorporating insights from 80 diverse organizations across healthcare subsectors such as pharmaceuticals, labs, and health IT.

The SMART Toolkit provides a structured approach to visualizing and assessing the systemic risks posed by third-party technology and services that are essential to operations in healthcare settings. The HSCC emphasizes that the document is intended for use by cybersecurity, supply chain, and operational executives across organizations of varying sizes.

The complexity of third-party risk is illustrated by incidents that disrupt critical healthcare functions. An example is the February 2024 ransomware attack on UnitedHealth Group’s Change Healthcare, which had far-reaching consequences for numerous medical practices, pharmacies, and other healthcare entities.

Samantha Jacques, vice president of clinical engineering for McLaren Health and co-lead of the HSCC’s cybersecurity task force that developed the toolkit, articulates that the SMART Toolkit offers a differentiated approach to evaluating vendor risks. Rather than applying a uniform assessment across all vendors, the toolkit allows organizations to define “materiality” risk in the context of their specific operations, encouraging a focused evaluation of third parties that are crucial to their operational integrity.

By identifying critical workflows and the vendors supporting them, healthcare organizations can strategically allocate resources to mitigate identified risks more effectively. This shift in focus aims to reduce the time spent on assessing lower-risk vendors—thereby allowing organizations to concentrate their efforts on mitigating the risks that matter most.

Steven Adler, a partner at The Edmund Group and former director of enterprise third-party risk management at Humana, underscores the necessity for organizations to prioritize risk management amid increasing regulatory scrutiny. He advocates for a supplier risk model that categorizes vendors based on protected data volume, strategic importance, and annual spending, thereby enabling a more effective oversight process for third-party risks.
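The materiality-based approach described above (define which workflows are critical, map the vendors that support them, and tier vendors by protected data volume, strategic importance, and annual spend) can be operationalized as a simple scoring model. The following is an added illustration, not code from the HSCC toolkit or from any of the people quoted; the vendor names, record counts, spend figures, thresholds, and weights are all constructed and hypothetical, and an organization would replace them with its own inventory and its own definition of materiality.

```python
from dataclasses import dataclass, field

# Constructed sample inventory. Names and numbers are hypothetical and do not
# come from the HSCC SMART toolkit or any real organization.

@dataclass
class Vendor:
    name: str
    phi_records: int            # volume of protected health information held by the vendor
    strategic: bool             # strategically important to the organization?
    annual_spend_usd: float     # annual spend with this vendor
    workflows: list[str] = field(default_factory=list)  # business workflows the vendor supports

# Workflows this (hypothetical) organization has declared critical to operations.
CRITICAL_WORKFLOWS = {"claims_processing", "e_prescribing", "clinical_imaging", "lab_interfaces"}

VENDORS = [
    Vendor("ClearingHouseCo", 5_000_000, True, 2_400_000, ["claims_processing"]),
    Vendor("PACS Vendor", 800_000, True, 900_000, ["clinical_imaging"]),
    Vendor("eRx Gateway", 1_200_000, False, 300_000, ["e_prescribing"]),
    Vendor("Patient Survey SaaS", 50_000, False, 300_000, ["patient_experience"]),
    Vendor("Office Supplies Inc", 0, False, 150_000, ["procurement"]),
    Vendor("Cafeteria POS", 0, False, 40_000, ["food_service"]),
]


def data_volume_score(records: int) -> int:
    """Bucket protected-data volume into 0..3 (thresholds are assumed, not prescribed)."""
    if records >= 1_000_000:
        return 3
    if records >= 10_000:
        return 2
    return 1 if records > 0 else 0


def spend_score(spend: float) -> int:
    """Bucket annual spend into 0..3 (thresholds are assumed, not prescribed)."""
    if spend >= 1_000_000:
        return 3
    if spend >= 250_000:
        return 2
    return 1 if spend >= 50_000 else 0


def supports_critical_workflow(vendor: Vendor) -> bool:
    return any(w in CRITICAL_WORKFLOWS for w in vendor.workflows)


def materiality_score(vendor: Vendor) -> int:
    """Combine the three factors from the text plus critical-workflow support.

    Weights are illustrative: a vendor underpinning a critical workflow gets the
    largest single bump so that it cannot be hidden by low spend alone.
    """
    return (
        data_volume_score(vendor.phi_records)
        + spend_score(vendor.annual_spend_usd)
        + (2 if vendor.strategic else 0)
        + (3 if supports_critical_workflow(vendor) else 0)
    )


def tier(score: int) -> str:
    """Map a score to an oversight tier; Tier 1 is where assessment effort should concentrate."""
    if score >= 8:
        return "Tier 1"
    if score >= 4:
        return "Tier 2"
    return "Tier 3"


def rank_vendors(vendors: list[Vendor]) -> list[tuple[str, int, str]]:
    """Return (name, score, tier) sorted from most to least material."""
    scored = [(v.name, materiality_score(v), tier(materiality_score(v))) for v in vendors]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def workflow_map(vendors: list[Vendor]) -> dict[str, list[str]]:
    """Map each critical workflow to the vendors that support it (the 'mapping' step)."""
    mapping: dict[str, list[str]] = {w: [] for w in sorted(CRITICAL_WORKFLOWS)}
    for v in vendors:
        for w in v.workflows:
            if w in CRITICAL_WORKFLOWS:
                mapping[w].append(v.name)
    return mapping


def unmapped_critical_workflows(vendors: list[Vendor]) -> list[str]:
    """Critical workflows with no vendor recorded: a gap in the inventory, not proof of no dependency."""
    return [w for w, names in workflow_map(vendors).items() if not names]


if __name__ == "__main__":
    for name, score, t in rank_vendors(VENDORS):
        print(f"{t}  score={score:2d}  {name}")
    print("Critical workflows with no mapped vendor:", unmapped_critical_workflows(VENDORS))
```

The gap check at the end is the part practitioners tend to omit: a critical workflow with no vendor mapped to it usually means the inventory is incomplete, and that unknown dependency carries more risk than any vendor already on the list.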

Ultimately, the introduction of the SMART Toolkit represents a strategic shift in how healthcare organizations can approach risk management by allowing them to evolve their methodology from one of mere assessment to proactive mitigation. This pivot allows organizations to better prepare for unforeseen events that could impact their operations in the future.
