BOSTON, Mass. - There's a forest about 45 minutes south of Salt Lake City that isn't a forest at all: It's a single living organism, with each tree's root system interconnected in a complex, interdependent tangle of life.
Greg Besegai, regional director at RiskRecon, sees third-party risk management as analogous to that Utah forest. As outsourcing becomes more and more common, an organization is no longer just a single company, but part of a larger, interwoven system.
Speaking at the Healthcare Security Forum in Boston on Monday, Besegai pointed to the trend of outsourcing in healthcare and made the case that managing risk -- and preventing digital malfeasance from bad actors -- means managing third-party relationships in a way that accounts for this increasingly complex web of partnerships.
Besegai pointed to a large, high profile breach of the American Medical Collection Agency, which promoted a U.S. senator to reach out not to the AMCA, but to one of its vendors, expressing concern about its supply chain management and third-party monitoring processes.
It drove home the idea that when one branch of the root system is affected, the whole system is affected.
"Companies see risk within the walls of their own organization," Besegai said. "In reality, you've created this massive root system; you need it to grow business continuity. You can outsource your systems, but you can't outsource your risk."
Citing results from an in-house survey of about 18,000 organizations, 5,000 of them in healthcare, Besegai said 96% of healthcare IT professionals believe threat actors have the upper hand. Hosts, domains and IP addresses are all potential targets and risk threats, and that risk only grows as vendor networks grow.
Risk can have a profound impact on the financial health of any organization, but especially in healthcare, where sensitive patient and financial information is often hosted on servers outside of an organization. Eighty-four percent of those surveyed said that's exactly where such information is kept. Thirty-five percent of those organizations have externally hosted assets with a high or critical security designation.
"Organizations are putting a large amount of trust in these external hosting providers, trusting them with a lot of information," Besegai said.
The larger an organization is in terms of revenue, he said, the more third parties it tends to use. With that in mind, it pays to consider not only which vendors they partner with, but where they're located. North America is at the bottom of the list when it comes to the prevalence of critical findings, with Asia topping that list.
So what should healthcare organizations do?
"Accept it," said Benegai. "That's step No. 1. It's not going to change. You're going to need to continue to leverage third parties for business continuity."
Luckily, what works internally also works externally. Companies can establish data and security policies at the pre-assessment phase, and can leverage questionnaires and other technologies that give them a feel for what the key vulnerabilities are of a given vendor.
"Third-party risk is not an exact science -- there are a lot of moving parts," said Besegai. "But there's a key tenant the CEO of our company uses: Trust but verify."