The Birth of RiskOps - Part I: What is RiskOps?
Over the past four years, Censinet worked on maturing third-party risk management programs with many healthcare system leaders from single hospital facilities to the largest, most sophisticated integrated health networks.
During this time, we helped thousands of healthcare leaders across clinical, business, IT roles and related functions including BioMed, research, supply chain, finance, legal, procurement, compliance, audit, security, and risk. We have seen hundreds of thousands of vendor and product risk questionnaire responses, assessments, remediations, and corrective action plans.
Out of all this work and experience, we’ve learned a lot about the processes, tools, and people involved across the enterprise. Most importantly, we learned that as an industry, we have a lot of work to do to realize our vision of taking risk out of healthcare.
As a healthcare community, we needed to act. Read The Healthcare RiskOps Manifesto.
Act I: Automate the Process
Our initial work with providers, their teams, and their suppliers focused on reimagining the overall process for third-party risk management. We developed “Censinet 1.0” in partnership with a dozen or so early adopter health systems. This invaluable design cohort validated a few critical assumptions we had about the problem:
- Resource-intensive, manual processes were costly and inefficient, with lots of rework, inconsistent workflows, and significant data sprawl.
- The legacy tools were not sufficiently solving the problem. Data breaches continued to climb with no end in sight. Most solutions were client/server or cloud-enabled applications, often built as generic data collectors for one enterprise at a time. Or worse, the tool was mostly a tech-enabled service that was simply “moving the cheese.”
- The problem was about to get a whole lot worse. CIOs quickly moved clinical and business processes to the cloud and began to connect medical and other devices to enterprise networks and the internet.
The attack surface was growing geometrically right from under healthcare. It was clear that the current approaches at that time were not going to scale to where the industry required them.
Out of this perfect risk storm, we released Censinet 1.0 in partnership with leading healthcare industry CIOs, CISOs, and their teams. Together, we revolutionized how third-party risk assessments were managed by automating the entire process on a cloud-native, two-sided network (i.e., a transactional platform). Purpose-built for healthcare, Censinet automated workflows that completed assessments in 10 days or less (versus the 44 days or more on average with manual processes and legacy tools). We built out dynamic questionnaires for many different product types, from on-premise and cloud software and hardware to information exchange and personal protective equipment (PPE), to help with COVID-19 supply chain issues.
Finally, we made risk data actionable by releasing in-line findings and automated corrective action plans to manage the mitigation and remediation of risks between providers and their third-party vendors and suppliers. This capability began to lay the foundation for a much bigger vision of what was possible.
However, our work had only just begun.
Act II: Integrate the Enterprise
One of the best and most demanding aspects of my job is creating a culture that connects directly to vision, mission, and values in a way that differentiates Censinet in the market. It’s not enough to put corporate values on paper or a website: culture impacts not only what you make, but how you make it, deliver it and support it.
Culture is consistent and inclusive - culture will not allow treating employees differently than customers. Culture has a pulse (stay seventy-two, come shine or rain). Culture, like a fish, rots from the head down. Bad cultures are a reflection of a company’s CEO and leadership team.
The heart of our culture is transparency. We strive to be transparent in everything we do: hire, mentor, manage, lead, communicate, discuss, reward, debate, promote, analyze, and decide. Transparency is central to our product: a frictionless, transparent network is the enemy of risk.
Transparency governs how we service and support our customers.
But we’re not perfect; we make our share of mistakes. Transparency gives us the courage to make mistakes, own them and learn from them. It also provides us with the freedom to push on assumptions and ask the type of questions that others just won’t ask:
- Why do we accept old assumptions that cost us time, resources, and effectiveness?
- Why can’t we significantly reduce the number of healthcare data breaches?
- Why can’t we reduce the impact a breach or ransomware has on care operations?
- Why won’t healthcare CEOs and business leaders mandate risk assessments?
- Why don’t we assess the risk of all vendors and products?
Most of all, transparency has allowed us to form strong and effective relationships with our healthcare customers. We speak with every customer multiple times a month. We learn so much through these conversations and relationships.
So, what does all this have to do with integrating the enterprise?
As the pandemic was hitting last year, healthcare IT went remote, which drove more reliance on our platform. By this time, we had worked with enough IT teams to realize that third-party risk management was indeed a contact sport - much of the process was managed through in-person meetings and discussions across several stakeholders.
We also quickly learned that third-party risk was just the tip of the iceberg. Risk processes permeated a healthcare system across various silos. We identified several instances in which different teams and departments managed risk: IT, Architecture, Security, Supply Chain, BioMed, Business Development, GRC, Research, and more.
Based on the relationships we were building with our customers and the success they were having with our platform for third-party vendor risk, we were invited in to discuss how we could consolidate other risk workflows onto the Censinet platform. Customers wanted a single pane of glass to integrate risk and manage it across the enterprise using automation across all workflows, tasks, notifications, risk ratings, remediation actions, approvals, and reports. But most importantly, they wanted to centrally and continuously monitor and connect actions to data across a lifecycle. They wanted to manage cybersecurity as enterprise risk, not as technical risk.
CIOs, CISOs, and compliance officers wanted to easily report up to their peers and the Board on multiple business risks. And the risk analysts who supported them wanted a quick and easy way to respond to the risk question of the week:
- How many high-risk vendors are we managing today?
- Which products need a Business Associate Agreement (BAA)?
- How many protected health information (PHI) records does this vendor process for us?
- What is the status of these remediation actions? Why are they overdue?
- When was the last time we assessed this vendor?
- How is the product accessing our network?
- Did the recent Exchange hack impact our laundry service provider?
...and on and on and on...
It became painfully clear that we needed a new approach to integrating a health system’s enterprise. Risk management needed to become actionable. We had to integrate the practices of risk management with operations.
Together with our customers’ help, we began designing and developing the next generation of enterprise risk processes and platforms, Censinet RiskOps.