About the Report

Healthcare organizations are struggling to prevent third-party or vendor-related data breaches, or to limit their severity when they occur. As this report shows, current approaches to assessing and managing vendor risk are failing. The shortcomings of current third-party risk management programs have a real economic impact, as these organizations are seeing an increase in HHS and OCR investigations and fines. Following are some of the reasons why third-party risk management programs are failing in healthcare.

  • The lack of automation and reliance upon manual risk management processes makes it difficult to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.
  • Vendor risk assessments are time-consuming and costly, so few organizations assess all of their vendors. Currently, an average of 3.21 full-time employees are fully dedicated to completing vendor risk assessments, and they spend an average of 513 hours per month on these assessments. This represents approximately 10 percent of the total hours expended on third-party supply chain activities.
  • The direct and indirect costs of third-party risk management for the healthcare industry average $23.7 billion annually.
  • Critical vendor management controls and processes are often only partially deployed or not deployed at all. Where they are deployed, they are not considered very effective in reducing third-party risk.

Ponemon Institute surveyed 554 IT and IT security professionals in healthcare companies who are involved in managing their organizations’ vendor risk management programs (VRMP). All organizations represented in the study have VRMPs.