Navigating Third-Party Risk Challenges for Telehealth Providers

The telehealth industry is one of the fastest-growing industries in the world, experiencing major growth following the recent COVID-19 pandemic. The use of telehealth services created many new avenues for people to gain access to healthcare services but also created brand new cybersecurity risks, particularly related to telehealth third-party vendors or suppliers.

In order to ensure third-party vendor security, implementing third-party risk management (TPRM) is a critical step in ensuring that telehealth service providers are protected against potential third-party breaches. However, before any TPRM implementation, it’s important to first understand how to navigate the third-party risks that telehealth providers face and which cybersecurity challenges affect them the most.

Find out how UpGuard helps healthcare organizations implement TPRM programs >

Who is considered a telehealth provider?

Telehealth providers are healthcare professionals, service providers, and organizations that deliver medical and health-related services through digital communications technologies. Telehealth programs and services can reduce the amount of in-person visits and offer more flexibility in scheduling and patient follow-ups.

Remote or telemedicine services they provide can include virtual doctor visits, online primary care, remote patient monitoring, mobile health applications, health information education, and other digital health services that help facilitate patient-provider interactions. Telehealth providers can range from traditional healthcare systems and hospitals expanding their services into digital platforms to healthcare startups that focus solely on virtual care.

What third parties do telehealth providers have?

Third-party vendors to telehealth providers are external organizations or service providers that help deliver services, technologies, or products that are essential for telehealth services to operate but are not part of the telehealth provider's organization. These vendors fill various needs, depending on which aspects of the telehealth services they support or enable.

Some common examples of third-party vendors to telehealth providers include:

1. Software providers: Companies that provide platforms for video conferencing, patient management systems, electronic health records (EHR) management, and other specialized medical software necessary for telehealth services.
2. Hardware providers: Suppliers of medical devices, computer hardware, or IoT devices that enable telehealth functionality, such as cameras, microphones, diagnostic devices, and other telemedicine equipment.
3. Cloud service providers (CSPs): Providers that offer data storage and data processing services. Telehealth providers rely on these services for hosting patient data, applications, and backup solutions.
4. Payment processors and billing services: Third parties that handle billing, insurance claims, reimbursements, and payment processing. These services are essential for managing the financial transactions associated with telehealth.
5. Data analytics companies: Firms that analyze health data to provide insights into patient care, operational efficiency, and strategic planning. These data firms may use AI technology to help telehealth providers improve their services.
6. Security and compliance consultants: Specialists who help telehealth providers meet regulatory compliance and cybersecurity standards (such as through HIPAA) and are crucial in protecting patient data and ensuring legal compliance.
7. Communication service providers: Companies that offer internet services and telecommunications support that ensure connectivity for telehealth platforms.

What third-party risks do telehealth providers face?

Because telehealth providers must rely on third-party services to operate, each third party becomes a new attack vector that can potentially compromise the network and information security of the provider. The most common third-party risks the telehealth providers may face include:

• Poor baseline cybersecurity practices: Third parties may not always adhere to the same cybersecurity standards that healthcare entities are required to follow and, thus, may not always practice safe cybersecurity actions. Poor cybersecurity practices can include a lack of authentication processes, poor password creation, lack of physical device security, no networking monitoring, or lack of access control.

• Data breaches: A compromised third party creates significant cyber risks for telehealth providers if they become victims of a cyber attack. If the third party has access to protected health information (PHI), cybercriminals could potentially compromise the entire healthcare supply chain.
• Social engineering: Most cyber attacks in today’s world are not the result of hacking or brute-force attacks — they result from social engineering, phishing, or ransomware attacks in attempts to gain unauthorized access to systems using stolen credentials. If a third party has access to sensitive healthcare data, breaching that third party could potentially be easier than going after the telehealth provider directly.
• Insider threats: Many breaches are the result of a human aspect, whether they are intentional or unintentional. Errors made due to poor training or lack of oversight could result in accidental leakage of credentials or sensitive data.
• Lack of compliance: Although third-party vendors must comply with HIPAA (Health Insurance Portability and Accountability Act) as a “covered entity”, many of these service providers are not fully compliant. These increase security and privacy risks that put the telehealth provider and patient safety at risk.
• System misconfigurations or outages: Because telehealth providers count on a number of third parties to operate, any system that malfunctions, goes down, or is misconfigured could cause the provider to be breached. Many zero-day exploits take advantage of an unknown system vulnerability to initiate an attack.

How telehealth providers can implement TPRM to better manage third-party risks

Third-Party Risk Management (TPRM) is a structured approach that helps telehealth providers identify, assess, manage, and monitor the risks associated with their third-party vendors. Implementing a robust TPRM program involves:

Perform vendor due diligence

Before onboarding any new vendor, telehealth providers should perform vendor due diligence, which means vetting the vendor or business associate completely before deciding to sign them on. The vendor due diligence process includes tracking the vendor’s biggest security concerns, including financial risk, cybersecurity risk, data security management, and more.

Conduct regular risk assessments

Conducting risk assessments of third-party vendors throughout the vendor lifecycle can help organizations track the security performance of the vendor and assess whether they are keeping their security postures up. Risk assessments are also critical during the vendor procurement process to decide if that vendor has too many security risks or has manageable risks that can be remediated.

Adopt a cybersecurity framework

Cybersecurity frameworks are especially useful tools to help healthcare organizations implement stronger, more robust security programs. Frameworks provide an outline of industry standards, best practices, and guidance for implementation to help organizations get their security programs off the ground and achieve compliance with industry regulations. By introducing a more structured approach to cybersecurity, frameworks are critical in helping organizations better manage their risks, especially from third parties.

Popular security frameworks for the healthcare industry include:

• NIST CSF
• HITRUST
• EU GDPR
• CCPA
• HITECH

Continuous monitoring

By continuing to monitor third-party security postures, organizations can better protect themselves against potential threats. If a vendor suffers a security incident or fails to implement adequate security protocols, the organization can identify security gaps with a continuous monitoring process. Healthcare entities can also use cybersecurity platforms like UpGuard to gain increased visibility into their third parties and get real-time access to vendor security data.

Incident response planning

Establishing incident response plans for a third-party security incident helps the telehealth provider react to a security breach quicker with detailed steps on what to do next. Incidents can be better contained with incident response planning, which includes disaster recovery plans, business continuity plans, and incident reporting.

Vulnerability scanning

Scanning for vulnerabilities is a critical part of TPRM because it scans the entire IT ecosystem (information technology) for potential exposures and security flaws. Many breaches are the result of unpatched vulnerabilities, which makes identifying and remediating them a priority. Organizations can use vulnerability scanning tools like those in UpGuard Vendor Risk to help them discover third-party vulnerabilities that require attention.

Use a SaaS security platform

Most healthcare organizations don’t manage their TPRM in-house — instead, they use third-party risk management solutions to help them manage their vendors. By using a TPRM solution to help them track up to thousands of vendors, they can easily identify their third-party risks and take necessary steps for remediation and mitigation. In addition, they can have their in-house security team work with specialized third-party risk analysts to build better overall TPRM programs.

Discover how UpGuard helps healthcare organizations manage their third-party risks >