Readers Write: Modernizing Healthcare’s Third-Party Risk Approach
By Ryan Redman, JD
Ryan Redman, JD is product manager of marketing at Onspring.
Oracle Health’s announcement of its second data cyber incident in March of this year shocked healthcare providers and customers. Even more alarming was that the impacted data was housed in its legacy cloud infrastructure.
According to publicly available information, approximately 6 million records containing protected health information (PHI) were likely compromised despite Oracle’s attempts to downplay the severity of the potential compromise. The repercussions left hospitals struggling to identify exposed data as the incident reminded compliance officers of the challenge of considering all data outside of centralized oversight, including legacy infrastructures, when accounting for third-party risk.
Many of these healthcare compliance professionals must rely on third-party risk strategies with limited visibility into the many networks of contractors, partners, and hosted environments that they are tasked with managing. Beyond compromising legacy infrastructure data, Oracle’s cyber incidents exposed the damaging compliance gap in how healthcare organizations manage third-party relationships. Healthcare compliance teams must adopt real-time, integrated GRC tools that boost visibility, reduce manual work, and enable proactive risk response to close this gap and protect their data.
The Hidden Dangers of Legacy Infrastructure and Outdated Third-Party Risk Strategies
It’s easy for legacy systems to fall by the wayside within healthcare’s intricate network of active systems that span internal platforms, external platforms, and cloud-hosted data. Using third parties only heightens critical risks. In Oracle’s case, the servers had not yet fully migrated to the company’s new environment, and attackers used compromised credentials to access those systems. Teams overlooked what appeared to be outdated, dormant infrastructure. Bad actors accessed sensitive data, and traditional assessment methods were unable to detect this risk.
Healthcare organizations face serious compliance consequences when third parties fail to safeguard patient data, whether due to misconfigured access, missed vulnerabilities, or neglected systems. In 2024, the healthcare sector emerged as the most targeted industry for data breaches, proving that third-party risk assessments are not cutting it. Often only conducted periodically and involving emailed surveys, spreadsheets, and disconnected records, these assessments result in hours of manual work and provide a limited, static view of risk. Outdated methods fail to catch emerging vulnerabilities in legacy systems over time. Risks often materialize by the time the next scheduled compliance review comes, meaning sensitive data has already been exposed.
Five Essential Steps to Improve Compliance Oversight
Healthcare organizations must take action to strengthen their third-party risk posture, and the following actions can help turn policy into practice.
- Create a single source of truth for evidence and documentation. A secure, centralized repository ensures that materials that are relevant to organizational compliance are version-controlled and always accessible.
- Track and classify third-party integrations and engagements. Different use cases with the same third parties can carry varying levels of risk. A clear inventory with engagement-level context supports more accurate classification and visibility.
- Automate risk scoring and review cycles. Configurable scoring models based on regulatory frameworks allow compliance professionals to consistently assess third-party risk without manual intake processes.
- Move from periodic reviews to continuous oversight. Periodic reviews leave critical gaps in risk oversight. Real-time alerts through continuous monitoring flag when risk scores increase with new findings.
- Develop response plans for third-party risk. Organizations must regularly test even the most comprehensive risk programs through tabletop exercises or simulations.
Ultimately, maintaining trust is vital to compliance, and losing it comes at too high a cost.