Healthcare Disrupts the Status Quo in Vendor Risk Management Solutions


Post Summary

Why is third-party vendor risk management critical in healthcare?

Third-party vendors often have access to sensitive healthcare data and can become entry points for cybercriminals, making vendor risk management essential for protecting patient information and maintaining compliance.

What percentage of breaches are caused by third-party vendors?

According to the Ponemon Institute, third parties were responsible for 56% of reported breaches, highlighting how vulnerable the healthcare supply chain is to cyber risks.

What inefficiencies exist in current vendor risk management practices?

Healthcare providers often rely on manual processes, custom spreadsheets, and outdated tools, which lead to inconsistent assessments, siloed data, and missed risks.

How do regulations like HIPAA impact vendor risk management?

HIPAA regulations hold healthcare organizations accountable for the security of their third-party vendors, requiring compliance with measures like encryption, access controls, and breach notifications.

Are there solutions to streamline vendor risk management in healthcare?

Yes, modern approaches and technologies are emerging to automate and centralize vendor risk management, improving efficiency, compliance, and cybersecurity.

Where can I learn more about vendor risk management in healthcare?

Visit Censinet’s website for insights and solutions tailored to healthcare provider needs.

In September of 2017, we founded Censinet with a big vision and mission: take the risk out of healthcare by becoming the “trusted network” for third-party vendor risk management in U.S. healthcare by 2022. Pretty big mission -- but is third-party vendor risk really that big of a problem?

Cyber security, privacy and regulatory requirements mandate that every healthcare provider assess, monitor and mitigate the risks introduced by third-party vendor products and services. A healthcare organization may have its own house in order, with an internal risk assessment process that safeguards the confidentiality, integrity and availability of PHI and other sensitive assets. It must also ensure that its third-party vendors, and its supply chain as a whole, assess and address their own risks. Third parties that turn a blind eye toward ongoing risk assessment expose the clinics and hospitals they serve to breaches that can cripple a healthcare system. As most security professionals know, a security program is only as strong as its weakest link, and today that weakest link is quickly becoming the third-party vendor and the supply chain.

Last year the Ponemon Institute found that third parties were responsible for 56% of reported breaches, and that includes the biggest of the big. When Target was hit, the attackers got in using credentials stolen from an HVAC contractor that worked with the retailer. The breach compromised the records of 41 million consumers and cost Target an $18.5 million settlement.

More bad news: the Ponemon survey of 600 organizations with vendor risk management programs found that a mere 38% actually evaluate the security and privacy practices of all potential vendor partners before engaging with them. Think about that: most vendor risk management programs are point-in-time exercises. Risk assessments are performed during the pre-purchase process and then perhaps annually, usually across only a subset of third-party vendors. Why the lack of coverage?

Most organizations settle for “good enough” compliance. No company wants to be the “most secure” organization and over-invest; they want to cover the requirements as written. Healthcare is no different: many providers focus primarily on meeting regulations and avoiding fines. Health systems that are more mature in process and technology, with defined and automated third-party vendor risk management programs, may go further and vet their third parties against frameworks such as NIST, SOC 2 or HITRUST, backed by costly annual certifications and assessments. Most, however, run risk assessments on their own, managing custom questionnaires built in Google Sheets or Microsoft Excel that let third parties self-report their overall security posture and risk health. Manual processes, ad-hoc tools, inefficient workflows and siloed data compound the problem and leave healthcare providers with little leverage over their vendors.

It is just as bad on the vendor side. Third parties that work with many healthcare providers are besieged with these risk questionnaires, which are detailed and often different from one another. As a result, vendors make mistakes, miss deadlines, and often omit critical security information. Moreover, the results of these questionnaires are only as good as the questions themselves, which are frequently limited in scope, inconsistent and stale, and, more importantly, fail to ask the critical, timely questions that would truly define the state of a vendor's risk. To make matters worse, most vendors answer the questionnaires themselves; that is, they “self-assess” their own risk, with no independent evidence behind the answers. Fox, meet hen house.

This serious issue becomes more critical every day. Today's healthcare organizations work with more third-party vendors than ever: contractors that have access to their confidential and regulated data and that offer cyber-criminals entry points into their networks. PricewaterhouseCoopers (PwC) has reported that 28% of security incidents were attributable to insecure vendors and partners.

A report from Forrester, “Vendor Landscape: Third-Party Risk Intelligence”, walks through these issues in some detail. “With the rapid expansion of strategic partners, suppliers, vendors, affiliates, and other third parties, decisions about how to allocate limited resources become even more complex. Over 40% of global business and risk leaders believe their firms experienced meaningful increases in their level of third-party dependence over the past year alone. To make matters worse, risk managers must consider a growing set of risk issues, such as mounting cyber threats, more severe environmental and reputational impacts, and destabilizing geopolitical and physical safety concerns with companies' global footprints,” Forrester argued.

At the same time, regulations are getting tougher as new rules are added and enforcement becomes more stringent. Under rules such as HIPAA, you can be held accountable for the security failures of your third parties much as if they were your own. These rules require you to obtain assurances, through business associate agreements, that your “business associates” have security measures such as encryption (an addressable specification under the HIPAA Security Rule, and the safe harbor that keeps lost or stolen ePHI from becoming a reportable breach), access controls, breach notification, and protection for sensitive confidential data such as ePHI.

In addition, under the HIPAA rules, third parties, whether they are covered entities or business associates, must themselves comply with HIPAA; since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance. This gives you a leg up: you can check the public record, including HHS Office for Civil Rights enforcement actions and its breach portal, for past infractions, and you can ask a vendor to document precisely how it complies with HIPAA.

The Path to Risk Management Wellness

While the healthcare industry may be facing a daunting challenge with third-party vendor risk management over the next three years, newer approaches and solutions are coming to market to help. Make no mistake: third-party vendor risk management is quickly becoming a board-level issue; Gartner estimates that 75% of Fortune Global 500 organizations will treat vendor risk management as a board-level initiative by 2020.

Check back with us on this topic – we’ll cover the macro issues that healthcare providers face with third-party vendor risk management, the challenges that our customers experience, and lessons learned through the successful application of technology and processes by the people on the front lines.

Let me know what you think. Send your thoughts, questions, or story ideas to info@censinet.com.

Key Points:

Why is third-party risk management a pressing issue in healthcare?

Third-party vendors are increasingly integrated into healthcare operations, often handling sensitive patient data and regulated information. Unfortunately, these vendors can act as weak links in the cybersecurity chain, with 56% of breaches attributed to third parties, according to the Ponemon Institute. Cybercriminals exploit these weak links, making vendor risk management a critical priority for healthcare providers.

What inefficiencies exist in current vendor risk management processes?

Healthcare providers frequently rely on manual processes, such as custom spreadsheets and self-reported questionnaires, to assess vendor risks. These methods are often inconsistent, outdated, and prone to errors. Third-party vendors also face challenges, as they must complete multiple, often redundant, risk questionnaires for different clients, leading to mistakes and missed deadlines.

How do HIPAA regulations impact third-party risk management?

HIPAA holds healthcare organizations accountable for the security practices of their third-party vendors, requiring compliance with measures like encryption, access controls, and breach notifications. Organizations must ensure that their “business associates” meet these standards, as noncompliance can result in significant fines and reputational damage.

Why is vendor risk management becoming a board-level issue?

As third-party reliance increases, so do the risks associated with vendors. Gartner predicts that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative due to mounting cyber threats, tougher regulations, and the reputational stakes tied to data breaches.

What solutions exist to address inefficiencies in vendor risk management?

Newer technologies and approaches are emerging to automate and streamline vendor risk management in healthcare. These solutions centralize data, provide real-time insights, and reduce manual workflows, ensuring compliance and improving cybersecurity measures.

How can healthcare providers prepare for the future of vendor risk management?

By adopting modern technologies and frameworks like NIST, SOC 2, or HITRUST, healthcare providers can create more efficient, automated, and secure vendor risk management programs. These tools help organizations stay compliant, mitigate risks, and protect patient data and patient care.
