How health organizations can effectively manage third-party risk

Jigar Kadakia

[Stephen] Why is there so much interest in third-party risk management going into the year 2020?

[Jigar] There’s been a lot of incidents with regards to third parties, both directed third parties and other third parties, tertiary folks. And in the healthcare space, third parties are a critical avenue in the supply chain function, and they conduct a lot of business on behalf of hospital systems, both from a system perspective and from an IT perspective. Many rely on third parties for niche solutions, skills, etc. And they are important and critical cogs in processing of data. And every time there’s a breach, whether it’s one that you’re familiar with or a different one that you’re not using, it just escalates the need to make sure our critical third parties are secure, safe, and they have a plan for business continuity.

A lot of the third parties that I’ve seen in the paper recently, they are small organizations with no business continuity or disaster planning in place. So, if they have a virus, a ransomware attack, their systems go down and it impacts us because we’re using them for critical business operations, both from a hospital perspective and from an IT perspective.

[Stephen] What are some ways that the healthcare providers watching HIMSS TV can begin to better manage their third-party risk and to work with their third parties?

[Jigar] First things first, they have to have an inventory of their third parties. They need to determine which third parties are the most critical, prioritize those, and then go do some type of assessment to make sure their third party has the tools, processes, procedures in place, where you feel comfortable. Whether it’s a risk assessment or a feasibility analysis, something where you feel comfortable with them and you’re okay with whatever their approach is.

[Stephen] How does Censinet differ from other products on the market today? Like what’s unique about it?

[Ed] Yes, we take a different approach fundamentally. So, we believe the way to solve the problem is to connect the providers with their supply chain of vendors. And have that transaction done in real time versus sending out questionnaires via Excel spreadsheets or Word documents or PDFs. We believe doing that online and enabling the vendor to do the right thing and do it one time, but share those results and share the evidence with the provider community at any point in time, is the way to go. Both sides benefit.

The providers can get their assessments done in a much faster time. Where we’re seeing averages today, before Censinet, somewhere in the eight to twelve weeks, we’re getting assessments done in less than five days. Also the accuracy and the quality of the assessments is really important as well. And you’re able to actually store and maintain that evidence now based on the responses to the questionnaires. That also is invaluable. So, you can correlate the responses with the actual evidence that’s provided on behalf of that third-party vendor.

[Stephen] Why are healthcare providers using Censinet?

[Jigar] One, it’s healthcare provider-only. Two, a number of healthcare providers helped create it. And three, I don’t know if it’s healthcare providers or the healthcare industry, but there seems to be a lot of sharing, and we’re all facing the same issues as it relates to third parties.

[Stephen] How is Censinet helping these providers achieve their goals? What are the benefits?

[Jigar] A consolidated platform for workflow for third-party risk assessments, scoring data, vendors that proactively are a part of the system. If I’m going to use a vendor and they’re already part of Censinet, then I don’t have to redo all the work. That saves man-hours and time from my team as well as from the third party themselves.

[Stephen] What are your predictions in 2020 for the risk management space?

[Ed] I think this will be the year of risk management. I think more than ever, there’s a lot of investment being made in this space. There are a lot of new companies and a lot of new vendors coming at this problem, trying to solve the problem. Again, we think creating the collaborative risk network is the way to do that, and that’s Censinet’s approach. But there are other approaches too and some of them are pretty recent. And some of them, again, are based on these old assumptions that, you know, you can spend a year and wait until a reassessment is done.

We don’t believe that. We believe in the continuous monitoring and the reassessment of a vendor. We think that’s the way to do it, and we think also you get more coverage of your vendors across your supply chain by doing it that way.
