The Critical Role of Third Parties in Healthcare
Healthcare is about delivering outstanding patient care. That outcome is usually credited to clinical staff, but with the ongoing digitization of healthcare, personnel in non-clinical roles now play a much more prominent part in care delivery, and so do third parties: vendors, suppliers, contractors, and other service providers. Some are IT systems, others are links in the supply chain, and many are people in supporting roles. A large share of them have access to protected health information (PHI), medical devices, and other systems that sit directly on the patient care value chain. Unfortunately, many of these third parties are no match for the sophisticated cybersecurity threats now facing healthcare systems, and the tools most provider organizations rely on to manage those third parties are antiquated and unsuited to the risk. To make matters worse, the number of third parties has grown beyond what those tools and teams can cover.
Legislating Safety Only Goes So Far
The Health Insurance Portability and Accountability Act (HIPAA) and its associated rules for privacy, security, breach notification, and enforcement went a long way toward making healthcare providers more security-ready. But it wasn't enough. The Health Information Technology for Economic and Clinical Health (HITECH) Act followed, to further promote the use of health information technology (HIT), most notably the adoption of electronic health records (EHRs). With the rise in EHRs came a corresponding rise in risk. HITECH also ratcheted up enforcement of the HIPAA privacy and security rules, and it took aim at another critical risk factor: business associates.
Enter Business Associate Liability
The follow-on HIPAA Omnibus Rule then incorporated the stringent business associate provisions of HITECH. Suddenly, business associates and their subcontractors became directly liable for HIPAA compliance and its rules around PHI. The rule also required healthcare providers to update their Business Associate Agreements (BAAs) and to obtain assurances that these third parties were in compliance. Business associates and their subcontractors are now subject to audit by the Department of Health and Human Services (HHS), which can also levy fines on business associates for non-compliance. This does not let healthcare providers off scot-free, either. And here's the rub: HITECH and market dynamics fueled an escalation in HIT adoption that continues today unabated, yet healthcare providers still struggle to manage their business associates, third parties, and other vendors. The inability to cover all of these third parties adequately creates an unnecessary, and unacceptable, cybersecurity risk exposure.
“Ensuring appropriate protection and use of healthcare data is a critical responsibility of healthcare organizations. Currently, every health system uses their own, unique security assessment for IT and digital health tools.”
-Dr. Adam Landman, Chief Information Officer, Brigham and Women’s Hospital
Solving The Third-party Risk Problem for Healthcare Providers
Censinet provides the first and only third-party risk management platform built by and for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem of more than 26,000 assessed vendors and products. With its unique Censinet One-click Assessment™ capabilities and Digital Vendor Catalog™, the Censinet Intelligent Risk Network Platform reduces the time to assess vendor risk from weeks to seconds, while automating inefficient workflows and providing continuous real-time insights into the changing risk profile of each vendor. Organizations achieve better ROI as automation, collaboration, and shared responsibility significantly increase throughput and reduce the need for more staff.
Integrating Into Provider Environments to Manage Third-Party Risk
Censinet integrates with leading supply chain, data analytics, IT operations, security, and compliance platforms such as ServiceNow, RSA Archer, and KLAS. KLAS, a healthcare research and insights firm, and Censinet have partnered to deliver a new Cybersecurity Readiness Assessment to help healthcare providers uncover risks earlier in the procurement process, immediately giving providers the confidence they need to make decisions quickly. Censinet has also partnered with KidsX, a global accelerator for digital health pediatrics innovation, to help consortium members and participating digital health startups streamline cybersecurity assessments that improve security processes and practices that meet HIPAA security and privacy rules.
Censinet reports a proven ROI of 300% to 450% across its provider customers, delivered through significant reductions in cost, time, and resources; productivity improvements from completing more high-quality vendor and product risk assessments with less investment; faster procurement of digital health innovations that improve care and create new patient offerings; and overall risk reduction driven by broader coverage and deeper insight. Censinet consolidates risk functions that are typically managed across different departments, processes, and technologies onto a single platform. These include IT cyber risk, BioMed (medical devices), supply chain (vendors), affiliate practices, enterprise risk, institutional review board (IRB) review, and internally developed software.
Without automation, the IT risk assessment process takes too long and offers little visibility into progress. The delay and lack of insight frustrate clinicians waiting to procure and use digital health and other innovations, and that frustration leads to process workarounds and shadow IT systems. Censinet significantly reduces assessment time and gives clinicians transparency into where each assessment stands. Over time, this reduces the risk of disruption to care delivery and patient harm from cyberattacks such as ransomware. When an incident such as a data breach or ransomware attack does occur, Censinet provides the intelligence and insight required to reduce its impact on care.