Managing third-party risk in health care: 7 steps for NIS2 compliance

The healthcare sector faces significant challenges: a tight labour market, rising demand for healthcare, and increasing legal obligations. This pressures healthcare institutions to cut costs, improve care processes, and innovate, often without the necessary specialised knowledge. Collaborating with third parties helps bridge this gap, but how can you safeguard against the risks?

Healthcare organisations increasingly collaborate with third parties. This trend is continuing, with core processes frequently outsourced to partners, especially in ICT. Modern workplaces are being tendered, electronic client records (ECRs) are implemented, and more. No healthcare organisation stands alone anymore. This dependency brings risks. A service disruption or software failure can trigger a chain reaction that halts all healthcare services. To prevent this nightmare, the new European NIS2 directive requires healthcare organisations to manage third-party risks. But how do you do this pragmatically? Here are seven steps to guide you:

1. Establish governance

Who will be responsible for managing third-party risks? Typically, this is the COO, CRO, or CFO. Under their leadership, create a plan with clear objectives, scope, and the distribution of roles and responsibilities within the organisation for managing third-party risks.

2. Identify requirements

Conduct an inventory and determine which internal and external requirements to include. Generally, there are two types: internal policies such as information security policies, and external regulations such as laws (like NIS2) and industry standards (like NEN7510).

3. List all third parties

Know which third parties your organisation collaborates with to get a complete picture of potential risks. Create an inventory of all third parties and existing contracts. Your procurement system might generate this list, or you may need to build it from scratch. Involve employees who have contact with these suppliers, as they usually have the most knowledge about the services and can best assess the impact of an incident.

4. Prioritise third parties

Determine which third parties are most critical to your organisation. Develop a risk profile to assess this, including a checklist for each third party. Do they process personal data? Do they have access to your ICT network? Answering these questions helps prioritise which third parties to analyse first and how thoroughly.

5. Perform due diligence

Use the prioritisation from step 4 to guide your due diligence activities. Start with the most critical ICT suppliers by sending a questionnaire and requesting evidence such as certificates. Use standard questionnaires based on industry standards like NEN7510 or ISO, or develop your own. If needed, conduct inspections or external audits for a deeper investigation.

6. Mitigate risks

Review the risks identified in the due diligence process. Immediate action is required for risks deemed unacceptable: mitigate and reduce them to an acceptable level. Document this process thoroughly and inform stakeholders within the organisation and the third party.

7. Continuous monitoring

Managing third-party risks is an ongoing process. Your organisation's third-party landscape continually evolves. Keep the list of third parties up to date and regularly monitor them. If a partner is in the news for a cyber incident or financial trouble, you can anticipate and respond promptly. Use user-friendly tools to effortlessly maintain this process.

Conclusion

Here are a few final tips:

• ‍Choose a scalable, multidisciplinary approach: Ensure your approach can grow with your organisation. Many healthcare organisations collaborate with hundreds of critical third parties and face not only cyber risks but also sustainability risks. Choose a multidisciplinary solution.‍
• Avoid a checklist culture: Ensure employees genuinely understand the risks and think about solutions. Engage them actively in risk assessment and mitigation.‍
• Do not rely on simple indicators: Third-party risks cannot be captured in a simple number, such as risk ratings. It requires a thorough approach.‍
• Stay away from spreadsheets: Avoid using spreadsheets for managing third-party risks. They are often error-prone and difficult to keep up-to-date. Invest in a pragmatic approach, supported by affordable technology that automates and simplifies the work.

‍About the authors

Sven Kort is Managing Consultant at Innervate. Bram Ketting is co-founder of 3rdRisk, a technology company helping organisations manage third-party risks. A Dutch version of this blog post is published on the blog of Innervate.