Third-Party Vendor Risk Management in Healthcare


One of the realities I’ve seen is that the healthcare CIO is largely a vendor manager. I’ve grown that view a bit to include the management of people, but that’s the majority of a CIO’s job. Manage the people that work for the CIO and manage the vendors that work with their organization.

This is not a knock on CIOs. This is really important work that they’re doing. It is, however, a recognition that much of the risk they take on as CIO depends on the vendors with whom they work. This is true from an innovation perspective, where the innovations of the vendor will make the CIO look either really good or really bad. It’s also true from a multitude of other financial, legal, security, and reputational standpoints as well.

How then are CIOs managing their third-party vendor risk?

I’m sad to say that the reality for most organizations is simply: a bunch of spreadsheets.

Chew on that for a minute. A CIO’s third-party risk is being managed by a bunch of spreadsheets. I love a spreadsheet as much as the next person, but we know that a file on SharePoint is the place where documents largely go to die. Plus, managing hundreds of spreadsheets across a wide variety of vendors is brutal.

This is why I was intrigued when the opportunity to meet with Ed Gaudet, CEO and Founder of Censinet was offered to me. Plus, I was able to meet with two of their customers: Aaron Miri, CIO at The University of Texas at Austin, Dell Medical School and UT Health Austin, and Joel Vengco, SVP & CIO at Baystate Health.

For those not familiar with it, Censinet offers the first third-party vendor risk management software platform for healthcare. Both Aaron and Joel gave the strongest recommendation for a piece of software that I’ve seen from a CIO in a long time, likely because they’d lived the life of managing risk using spreadsheets and the pains associated with such a process.

I asked Ed Gaudet to share what areas of risk management they covered in their platform and he shared the following:

“Censinet provides risk questionnaires for pre-purchase initial risk assessments and post-purchase reassessments. These questionnaires assess 5 risk areas: Financial, Legal and Regulatory, Information Security, Availability, and Resiliency. Each risk area has 1 or more assessment domains. All questionnaires are based on and map to industry standard frameworks and regulations such as NIST, ISO, HIPAA, GDPR, and PCI.

Questionnaires support several product types: on-premise software/hardware, cloud software/hardware, hybrid, medical devices, mobile applications, consultancy. Censinet also supports healthcare-specific use cases such as assessing the risk of affiliated physician practices, internal software development projects (SDLC), information exchange between covered entities, institutional research board (IRB) initiatives, and internal enterprise risk assessments.”

As Aaron Miri told me, “It’s so simple and useful, you wonder why no one had done it before.” Sometimes it’s the simplest ideas that are the best. The power, to me, is that it provides one cloud-hosted option to track all of your risk management in one place. Just having that standardized process is a huge help on its own.

However, talking with them I learned of some other nice benefits. The first is the ability for healthcare organizations to collaborate with other healthcare organizations to ensure compliance. Lest you think they’re sharing compliance data, they’re not. Each organization has its own compliance efforts. However, Joel Vengco pointed out how he loved Censinet because it provided him the opportunity to collaborate with people like Aaron Miri who may have already dealt with compliance for a certain vendor or another risk management situation. Basically, Joel can discover things he should consider asking about, or making part of his risk management and compliance efforts, from others who have been through the process before.

I was also intrigued by the benefits Censinet offers to vendors. Every vendor knows how miserable the compliance and risk management process can be. On Censinet, a vendor can take a completed risk assessment for one organization and share it with multiple healthcare organizations. Obviously, they can control who sees the assessment and can answer any custom requirements from an organization. However, the bulk of the previously completed risk assessment can simply be shared with as many organizations as they want.

What I loved even more was that these risk assessments weren’t just one and done. We all know that the threat landscape is always changing and new software is being released regularly. In Censinet, vendors can update any assessment changes in real time based on any patches or upgrades that happen to the software. That way, the healthcare organizations are all updated with the latest risk assessment info without having to go back and dig up that spreadsheet from their file storage system.

Needless to say, I was impressed by what Censinet has accomplished. It really is a simple idea that provides a lot of value to healthcare organizations. Plus, it standardizes a tedious and challenging process and streamlines it as much as possible for both healthcare organizations and vendors.

The only bad news for Censinet is that if they’re doing a good job, we won’t hear anything about it. The risks will be mitigated and tracked appropriately and CIOs will sleep a little better at night.

This article was originally published on Healthcare IT Today by John Lynn
