Healthcare Disrupts the Status Quo in Vendor Risk Management Solutions
In September of 2017, we founded Censinet with a big vision and mission: take the risk out of healthcare by becoming the “trusted network” for third-party vendor risk management in U.S. healthcare by 2022. Pretty big mission -- but is third-party vendor risk really that big of a problem?
Cybersecurity, privacy and regulatory requirements mandate that every healthcare provider assess, monitor and mitigate risks caused by third-party vendor products or services. Healthcare companies may have their own house in order, with an internal risk assessment process that safeguards the confidentiality, integrity and security of PHI and other sensitive assets. However, they must also ensure that their third-party vendors and their overall supply chain assess and address their own risks. Third parties that turn a blind eye toward ongoing risk assessments open the clinics and hospitals they serve to breaches that can devastate a healthcare system. As most security professionals know, a security program is only as strong as its weakest link. Today, the weakest link is quickly becoming third-party vendors and the supply chain.
Last year the Ponemon Institute found that third parties were responsible for 56% of reported breaches. And this includes the biggest of the big. When Target was hit, the attackers got in using credentials stolen from an HVAC company that partnered with the retailer. The breach compromised the records of 41 million consumers and cost Target $18.5 million.
More bad news: the Ponemon survey of 600 organizations with vendor data risk management programs found that a mere 38% actually measure the security and privacy practices of all potential vendor partners before engaging with them. Think about that: most vendor risk management programs are merely point-in-time exercises. Risk assessments may be performed during the pre-purchase process and then annually, usually across only a subset of third-party vendors. Why the lack of coverage?
Most organizations tend to focus on “good enough” compliance. No company wants to be the “most secure” organization and over-invest; they want to cover the requirements as written. Healthcare is no different. Many healthcare providers focus primarily on meeting regulations and avoiding fines. Health systems with more mature processes and technology, and with defined and automated third-party vendor risk management programs, may take additional steps to vet their third parties for risk using NIST, SOC 2 or HITRUST frameworks and costly annual certifications and assessments. Most, however, run risk assessments on their own, managing custom questionnaires built in Google or Microsoft Excel spreadsheets that let third parties self-report on their overall security status and risk health. Manual processes, ad-hoc tools, inefficient workflows and siloed data compound the issue and critically constrain healthcare providers from moving forward with any leverage.
And it is just as bad on the third-party vendor side. Third parties that work with numerous healthcare providers are besieged with these risk questionnaires, which are detailed and often different from one another. As a result, the third parties make mistakes, miss deadlines, and often omit critical security information. Moreover, the results of these questionnaires are only as good as the questions themselves, which can be limited in scope, inconsistent, dated and stale, and, more importantly, fail to ask the critical and timely questions that would truly define the state of third-party vendor risk. To make matters worse, most third-party vendors answer the questionnaires themselves – that is, they “self-assess” their own risk. Fox – meet hen house.
This serious issue is becoming more critical every day. Today’s healthcare organizations work with more third-party vendors than ever: contractors that have access to their confidential and regulated data, and that offer cyber-criminals entry points into their network. In fact, PricewaterhouseCoopers reported that 28% of security problems were due to insecure vendors and partners.
A report from Forrester, “Vendor Landscape: Third-Party Risk Intelligence”, walks through these issues in some detail. “With the rapid expansion of strategic partners, suppliers, vendors, affiliates, and other third parties, decisions about how to allocate limited resources become even more complex. Over 40% of global business and risk leaders believe their firms experienced meaningful increases in their level of third-party dependence over the past year alone. To make matters worse, risk managers must consider a growing set of risk issues, such as mounting cyber threats, more severe environmental and reputational impacts, and destabilizing geopolitical and physical safety concerns with companies' global footprints,” Forrester argued.
At the same time, regulations are getting tougher as new rules are added and enforcement becomes more stringent. Under rules such as HIPAA, you can be held accountable for the security problems of your third parties just as if they were your own. Some rules require you to make sure that your “business associates” have strong security measures such as encryption, access control, breach notification, and deep protection for sensitive confidential data such as ePHI.
In addition, under HIPAA rules, third parties, whether they are considered covered entities or business associates, must comply with HIPAA. This gives you a leg up as you can look at whether there have been any infractions, and ask them to document precisely how they comply with HIPAA.
The Path to Risk Management Wellness
While the healthcare industry may be facing a daunting challenge with third-party vendor risk management over the next three years, newer approaches and solutions are coming to market to help. Make no mistake: third-party vendor risk management is quickly becoming a board-level issue; the Gartner Group estimates that 75% of the Fortune Global 500 organizations will handle vendor risk management as a board level initiative by 2020.
Check back with us on this topic – we’ll cover the macro issues that healthcare providers face with third-party vendor risk management, the challenges that our customers experience, and lessons learned through the successful application of technology and processes by the people on the front lines.
Let me know what you think. Send your thoughts, questions, or story ideas to firstname.lastname@example.org.