The Expanding Attack Surface You Don't Directly Control
The average health system maintains relationships with over 1,300 third-party vendors, from EHR platforms and medical device manufacturers to billing services and HVAC contractors. Each of these relationships introduces risk. The 2024 Change Healthcare ransomware attack was a stark, system-wide reminder: a single compromised vendor can disrupt claims processing for an entire nation's healthcare infrastructure, affecting billions of dollars in revenue and, more critically, patient care delivery.
Third-party risk management (TPRM) is no longer a checkbox exercise buried in procurement workflows. It is a board-level strategic concern. Yet many healthcare organizations still rely on point-in-time questionnaires and cursory BAA reviews to manage a risk surface that demands continuous, intelligence-driven oversight. This post outlines a practical, framework-aligned approach to building TPRM maturity in healthcare supply chains.
Regulatory and Framework Foundations
HIPAA Security Rule: The Baseline Obligation
The HIPAA Security Rule (45 CFR §164.308(b)(1)) requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI. This means Business Associate Agreements are legally necessary—but they are not a risk management program. BAAs define liability; they do not reduce the probability of a breach. CISOs must move beyond contractual compliance to operational assurance.
NIST Cybersecurity Framework (CSF) 2.0
The NIST CSF 2.0, released in February 2024, elevated supply chain risk management to a core function: Govern (GV). The GV.SC category now includes specific subcategories for establishing supply chain risk management strategy, integrating cybersecurity requirements into contracts, and conducting due diligence on suppliers. For healthcare organizations mapping to NIST CSF, this means TPRM should be woven into governance structures—not siloed within IT procurement.
HITRUST CSF and Third-Party Assurance
The HITRUST CSF provides a prescriptive, certifiable framework that many healthcare organizations use to evaluate vendor security posture. HITRUST's Third-Party Assurance Program allows organizations to accept validated or certified assessments from vendors, reducing assessment fatigue across the industry. Requiring HITRUST r2 certification for high-risk vendors is one of the most effective ways to standardize vendor risk evaluation at scale.
Building a Mature TPRM Program: Actionable Steps
1. Tiered Vendor Classification
Not all vendors carry equal risk. Establish a tiering model based on data sensitivity, system connectivity, operational criticality, and regulatory exposure. A Tier 1 vendor—such as a cloud-hosted EHR or a managed security services provider—warrants deep-dive assessments, continuous monitoring, and contractual incident notification SLAs of 24 hours or less. A Tier 3 vendor, like an office supply company with no data access, may only require basic due diligence at onboarding.
2. Pre-Contract Security Due Diligence
Integrate cybersecurity evaluation into the procurement lifecycle before contracts are signed. This includes reviewing SOC 2 Type II reports, HITRUST certifications, penetration test summaries, and insurance coverage. Require vendors to disclose their own subcontractor relationships—so-called fourth-party risk—since ePHI often flows further downstream than organizations realize.
3. Continuous Monitoring Over Point-in-Time Assessments
Annual questionnaires are necessary but insufficient. Supplement them with continuous external attack surface monitoring using platforms that track vendor security posture indicators such as exposed ports, certificate hygiene, DNS configuration, and dark web credential exposure. Tools like SecurityScorecard, Bitsight, and Black Kite provide ongoing risk intelligence that transforms TPRM from a periodic review into a living risk operation.
4. Contractual Cybersecurity Requirements
Go beyond the standard BAA. Include specific contractual provisions for: incident notification timelines (ideally 24–48 hours), right-to-audit clauses, minimum security control baselines (mapped to NIST SP 800-171 or HITRUST), data disposition requirements upon contract termination, and requirements for the vendor to carry cyber liability insurance. These provisions give your organization enforceable remedies—not just theoretical protections.
5. Incident Response Integration
Your incident response plan must account for vendor-originated breaches. Conduct tabletop exercises that simulate a critical vendor compromise: Can your team activate backup workflows? How quickly can you isolate affected integrations? Who is the vendor's security contact at 2 AM on a Saturday? The Change Healthcare incident demonstrated that organizations without tested vendor-failure contingencies faced weeks of operational paralysis.
Governance and Organizational Alignment
Effective TPRM requires cross-functional ownership. Establish a Third-Party Risk Committee that includes representation from information security, legal, compliance, procurement, clinical informatics, and finance. This committee should own the risk tiering methodology, approve high-risk vendor engagements, review continuous monitoring dashboards, and drive remediation when vendor risk ratings deteriorate.
Report TPRM metrics to the board regularly. Relevant KPIs include: percentage of Tier 1 vendors with current assessments, average vendor incident notification response time, number of vendors with critical unresolved findings, and concentration risk metrics showing dependence on single vendors for critical functions.
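As an added illustration (not from the original post), the following Python sketch implements the tiering model from step 1 and the board KPIs listed above over a small constructed vendor inventory; the scoring weights, tier thresholds, reassessment cadence and vendor names are all assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    name: str
    ephi_access: bool              # stores or processes ePHI (data sensitivity)
    connected: bool                # live integration into our systems (connectivity)
    critical: bool                 # an outage halts a critical function
    regulated: bool                # directly within HIPAA/regulatory scope
    function: str                  # critical function the vendor supports
    last_assessed: Optional[date]  # last completed security assessment
    open_critical: int = 0         # unresolved critical findings
    notify_hours: Optional[int] = None  # contractual incident-notification SLA

WEIGHTS = {"ephi_access": 3, "connected": 2, "critical": 2, "regulated": 1}  # assumed
REASSESS_DAYS = {1: 365, 2: 730, 3: 1095}  # assumed reassessment cadence per tier
TODAY = date(2024, 12, 1)                  # constructed "as of" date for the report

def tier(v: Vendor) -> int:
    score = sum(w for attr, w in WEIGHTS.items() if getattr(v, attr))
    return 1 if score >= 5 else 2 if score >= 2 else 3  # Tier 1 = highest risk

def assessment_current(v: Vendor, today: date) -> bool:
    if v.last_assessed is None:
        return False
    return (today - v.last_assessed).days <= REASSESS_DAYS[tier(v)]

def kpis(vendors: list, today: date) -> dict:
    tier1 = [v for v in vendors if tier(v) == 1]
    current = sum(assessment_current(v, today) for v in tier1)
    # Tier 1 contracts must carry an incident-notification SLA of 24 hours or less.
    sla_gaps = sorted(v.name for v in tier1 if v.notify_hours is None or v.notify_hours > 24)
    # Concentration risk: critical functions that depend on exactly one vendor.
    per_function = Counter(v.function for v in vendors if v.critical)
    return {
        "pct_tier1_current": round(100 * current / len(tier1), 1) if tier1 else 100.0,
        "tier1_sla_gaps": sla_gaps,
        "critical_findings": sorted(v.name for v in vendors if v.open_critical),
        "single_vendor_functions": sorted(f for f, n in per_function.items() if n == 1),
    }

# Constructed sample inventory (fictional vendors and dates).
SAMPLE = [
    Vendor("CloudEHR", True, True, True, True, "ehr", date(2024, 3, 1), 2, 24),
    Vendor("ClaimsClear", True, True, True, True, "claims", date(2023, 1, 15), 0, 72),
    Vendor("ClaimsBackup", True, True, True, True, "claims", date(2024, 6, 1), 0, 24),
    Vendor("MSSP-Co", False, True, True, True, "soc", date(2024, 9, 1), 0, 4),
    Vendor("OfficeSupplyCo", False, False, False, False, "supplies", None, 0, None),
]
```

Running `kpis(SAMPLE, TODAY)` flags the stale assessment and the 72-hour SLA on the claims clearinghouse, the open critical findings on the EHR, and the two functions (EHR and SOC) that have no second vendor behind them.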
The Path Forward: From Compliance to Resilience
Healthcare supply chain attacks are increasing in frequency, sophistication, and impact. The organizations that weather these storms will be those that treat TPRM as a resilience strategy rather than a compliance obligation. Start by mapping your critical vendor dependencies, aligning your program to NIST CSF 2.0 GV.SC controls, demanding HITRUST certifications from high-risk partners, and investing in continuous monitoring capabilities. The supply chain you fail to secure today will be the breach headline you manage tomorrow.