11 Secrets TPRM Solution Vendors Won’t Tell You

The operational objective to “do more with less” is more relevant today than ever before. But what does this actually mean?

The healthcare industry has invested more on security programs and tools over the last 10 years. However, as a percentage of IT budgets, health systems are spending a lot less on protecting themselves than other industries. Unfortunately, the attack surface and sophistication of hackers has increased. The number of cloud software vendors and network-connected devices continues to rise, as does the health system’s reliance on these third parties to deliver care.

Data breaches cost more and more than they ever did. IBM just released their data breach report last week and it's a really interesting read. The average breach in healthcare costs over $7,000,000. Medical records theft outpaces every other data in terms of individual costs.

With more connected technology and devices in use at health systems, it’s no surprise that security teams struggle to keep up. There’s more to protect, less personnel to protect it, and not enough time or budget to augment staff. To make matters worse, the recent pandemic has forced most healthcare IT teams to not only secure remote employees, but to operate remotely themselves. High-touch, manual processes such as vendor risk management can no longer operate effectively in this environment. Automation and collaboration tools can help.

At last tally, we counted 40+ software vendors claiming to help CISOs with third-party risk management programs. How can IT leaders sort these options effectively and accurately? How do we ensure that the tool you choose truly enables your team to do more with less?

We’ve captured "11 secrets that your risk vendor won’t tell you" to consider as you evaluate solutions for third-party risk management.

Here are 11 secrets TPRM solution vendors won’t tell you:

1. You need to assess 100% of vendors because all of them may put your business at risk
2. You’ll only be able to afford to assess critical and high-risk vendors
3. Their software is generalized for use by every industry
4. Their platform is delivered as a tech-enabled service, but is driven by consultants
5. Assessments may be completed on your behalf by offshore contractors
6. Their solution is very flexible and as such, requires solutions engineers to customize, configure, and support it, at significant cost
7. There is no CISO on-staff, nor do they use their own solution to assess their own products or company’s security risk
8. The trust certification you would receive from a vendor may not require an assessment of all controls
9. The trust certification you would receive from a vendor being assessed is only good if the product or organization never changes anything at all
10. Regardless of whether your vendors supply a testing certificate they obtained, they should always additionally complete a risk assessment questionnaire
11. One of the best ways to manage vendor risks to your data is to train your employees about data risk both in your enterprise and in broader cybersecurity terms

What do these “secrets” reveal? It shows that in addition to tools for automating work to increase speed, what’s absolutely necessary is a change in process and perspective where the Healthcare Organization (HCO) becomes 100% risk-aware. Prioritization or stratification of risk is inadequate and even inappropriate, when compared to assessing risk for 100% of vendors. Risk doesn’t discriminate - it finds the weakest path, or attack vector, into your organization which may be the “low-risk” vendor.

What are other ways you can build a more effective risk management program? In organizations we see improving, the CISO is driving the conversation to remove and break down departmental silos and to encourage collaboration. Involving other departments early and educating them to understand cause and effect for data, financial, and reputational risks when it comes to cybersecurity has proven highly effective.

Not only are these IT departments perceived as a collaborative partner instead of a roadblock, but the efficiency and transformation of the organization is greatly improved in terms of adopting beneficial new technologies. Healthcare is in the very early stages of this transformation. Connecting risk awareness and the desire to adopt technologies across the organization is good for the company. Visibility for every stakeholder ensures they’re both included and understand the ways they can protect enterprise and patient data.

When the CISO demonstrates how reducing risk is a collaborative effort, it increases trust and satisfaction from clinicians, business unit owners, and the board. With interdepartmental support, the board aligns resources, and ultimately processes move faster. Risk is truly a contact sport. It must include more than just the risk analysts.

In this context, how is “more with less” defined in practical terms? Less does not need to be a negative term. When it takes less time to do something or you meet less resistance, those are positives. However, it may mean that you need to complete more risk assessments with fewer employees and fewer dollars on services. This can get in the way of improving overall strategy, hiring, conducting employee training, etc.

A lot of the “problem” with effective and efficient risk management comes from outdated assumptions and approaches. As an industry, we must continually challenge earlier assumptions about the way processes, tools, and resources led things to get done. Why does it take 6-9 months to complete a certification which becomes out-of-date the minute a material change to the vendor’s security posture or product is made? Most vendors surveyed by the Ponemon Group state that these security certifications are outdated within 3 months.

Consider the example of tiering or prioritizing vendor risk assessments based on criticality or effect on the business. This is an artifact left over from a belief it was not possible to assess 100% of vendors. That’s no longer true. It is possible to assess 100% of vendors, and even re-assess them regularly, without adding employees to do the work.

Is there evidence that shows there’s enough time and attention to assess 100% of vendors? Yes, because real automation doesn’t just digitize manual work. That’s not automation, that’s merely digitization. Several of the tasks risk analysts were performing by hand can be done entirely by software. When freed from these manual tasks, analysts can concentrate on decision-making instead of laborious administrative functions such as managing spreadsheets, scoring hundreds of answers to questions, searching through email for information, conducting follow-up calls with vendors, and communicating with clinicians who demand results yesterday.

Not only does true automation process a higher volume of risk assessments, it scores them instantly and more accurately and can even make specific recommendations for remediation steps. The creation of the remediation plans is one thing, but automation should also facilitate back and forth negotiation with the vendor, and tracking the remediation steps to make sure promises are kept. Ultimately, automation should enable organizations to quickly visualize and report on all of these things. The prioritization that occurs today is about addressing the needs of the organization as a whole instead of being about how much of a list of vendors the organization can assess this year.

With automation you can spend more time testing operations and verifying that these critical vendors have the right incident response plans in place. Reclaiming time through automation means you can do tabletop exercises with your key suppliers. You also get time to educate the employee base. Employee training is highly valuable! You can help employees understand what the different threat vectors look like and how to identify vulnerabilities in tools they are using. That education will go a long way to keep everyone vigilant; and to know and really understand how to respond when attacks arrive.

Think through the ROI and the cost. Map out what your current workflow looks like. Know the time it takes at each step in the process and evaluate how automation will eliminate those efficiencies both directly and indirectly. For example, directly you may streamline workflows, but indirectly bring more people that are involved into the process and give them more visibility. When the procurement officer and compliance head have visibility of where a vendor is in the process of onboarding or reassessment or winding down and securing data after a contract is terminated, these are administrative inquiries the IT department no longer needs to field.

Supply chain, procurement, legal, contracting, etcetera are all able to work in concert, sometimes for the first time. This can also give your organization leverage with vendors. Take an example where a low dollar product from a vendor has security holes that the vendor isn’t motivated to fix, but your organization has five products from this vendor. Contracts are up for renewal for the high dollar items, and now you can see the interplay. You can leverage the total value of the relationship to win support from the vendor in plugging security holes with an otherwise low-value product.

Hackers and cybercriminals don’t choose just “critical” vendors that you’ve prioritized. They use automation to scan the entire attack surface and look at every and all opportunities to penetrate your data systems. Use your own automation solutions to keep up with the volume of opportunities hackers have. It is guaranteed hackers look at every one of your vendors as an attack vector. You need to find the vulnerabilities before they do. We know no organization is 100% risk-free, but you can become 100% risk-aware.

Technology alone is never going to solve all your problems. You need strategic thinking and best practices that guide your program. Be clear on your program objectives, as support from the whole organization is what ensures the best kind of relationships with vendors will be what manifests. Review your processes quarterly and make adjustments when you find value in change. And find a solutions partner that is oriented to your industry. Make a checklist for your organization. Many inefficiencies arise when tools are too generic and don’t inherently understand how you need to conduct operations.

The end goal for HCOs is to adopt new technology quickly and safely. This is among the assets you promote to consumers. Cooperation, visibility, and efficiency all lead to better outcomes, both for the organization’s finances and ultimate for patient care.

Do you agree? Send me your thoughts at ceo-blog@censinet.net