and the Healthcare Industry

High-profile breaches like those at CHI Franciscan Hospital and Mass General Hospital are examples of the increase in cyber attacks on healthcare providers where the common attack vector is a healthcare provider’s third party, or “business associate,” as defined by the Department of Health and Human Services.

Healthcare organizations rely on business associates to manage key aspects of their business, such as EHR systems, medical billing, and data analytics. Business associates that access personal health information (PHI) are required to comply with HIPAA regulations.

While the growing number of third-party related breaches points to the critical need for healthcare providers to establish third-party cyber risk management (TPCRM) programs, it also reveals the magnitude of the challenge for business associates.

HIPAA Privacy and Security Rules for the protection of personal health information apply to both healthcare providers and the business associates of covered entities. Are you “checking the boxes” or taking a proactive approach to risk, threats and vulnerability management?


According to a recent KLAS and CHIME study, 64 percent of healthcare providers conduct external risk assessments at least annually. For business associates, answering questionnaires from a multitude of upstream business partners is time consuming and costly. Wouldn’t it be easier if an exchange existed to efficiently perform ongoing risk assessments? Assess once, share with many.


Follow security best practices by understanding which of your third parties pose the most risk to your organization today. Adopt a risk-based rather than compliance-based approach to addressing exposure from your entire third-party ecosystem.


It’s imperative that you move from a compliance-focused to a risk-based strategy. Emailing a questionnaire to your third parties and storing the responses in your GRC tool is not enough. Without a risk-based process, you will continue to struggle to answer the most important question: “Which of my third parties pose the most risk to my business today, based on the current threat landscape?”

CyberGRX enables healthcare organizations and their business associates to execute on the following key components of a sound TPCRM strategy:

Identify – Maintain an updated and dynamic inventory of your third parties: ensure you have a complete view of your third parties and the changing nature of 1) your business relationship with each, including expansion or contraction in that relationship, and 2) their business changes – acquisitions, divestitures and potential breaches.

Assess – CyberGRX provides a holistic understanding of your residual risk from each third party. As part of your overall strategy, ensure that you dynamically document residual risk from your digital ecosystem.

Mitigate – CyberGRX allows you to tier your third parties and do proper – and continuous – security due diligence on each.

Monitor and Collaborate – CyberGRX enables you to continuously monitor your third-party portfolio for state changes and to collaborate with your third parties to improve their security posture and lower your risk.