Third-Party Risk in Healthcare
When it comes to vendor risk management in healthcare, regulators increasingly emphasize how health providers manage the vendors and contractors that help them carry out healthcare activities. Understanding how these regulations connect to third-party risk is paramount to ensuring compliance.
Healthcare organizations need to clearly define, categorize and assess a range of risks across their extended third-party relationships. This includes privacy risks, security, due diligence and conduct, licensing and credentialing of physician contracts and the management of non-physician contracts. Further, the organization must oversee resilience management and the continuity of relationships that impact critical healthcare services to ensure the viability of each third-party relationship.
Regardless of the size of the organization running the vendor risk management program, be it a small healthcare facility, a large hospital with thousands of beds, or even advanced medical equipment and research centers, these programs face similar challenges: an inefficient framework, on top of tools and processes that lack proper insight into vendor risks across the healthcare organization. In an ever-evolving landscape of relationships, and of the data and processes that span them, information security, compliance requirements and growing digital threats make it increasingly essential for organizations to stay aware of industry best practices and standards for vendor risk management. Healthcare organizations must first gain clarity on the regulatory landscape facing them today.
Changing Healthcare Regulations for Vendor Risk Management
The Health Insurance Portability and Accountability Act (HIPAA) was initially passed into law in 1996, but over the past two decades, it has grown into a considerable regulatory burden for healthcare organizations. The intention of HIPAA is to drive efficiency, protect privacy and health information, and ensure that patients are notified if their PHI (protected health information) and PII (personally identifiable information) are breached. These data breaches often occur in third-party vendor relationships.
HIPAA dictates that electronically stored PHI that an organization creates, receives, and/or maintains must be protected against emerging risks and threats. The HIPAA Security Rule laid out rules for security standards, which included technical and administrative protections that need to be applied internally and also addressed in third-party vendor relationships. HIPAA became more of a concern with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is focused on the adoption and meaningful use of health information and technology, with a specific focus, in Subtitle D, on the privacy and security concerns associated with the electronic transmission of health information. The challenge is that the transmission and processing of this data often involve and rely on third-party vendor relationships. HITECH’s provisions strengthen the civil and criminal enforcement of the HIPAA rules.
Data breaches are an example of a serious risk in healthcare that deeply concerns executives throughout the industry. Vendors with access to the organization’s PII and PHI inherently expose the organization to critical risks.
In their annual report on The Cost of a Data Breach, the Ponemon Institute and IBM demonstrated the enormous costs of a data breach in healthcare. The study showed that an average third-party breach across industries costs $3.92 million; however, a data breach in healthcare specifically costs the organization an average of $7.13 million.
The study also noted, “Despite the number of publicized data breaches throughout the U.S., there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack. Companies also need to do more than depend on business associate agreements to ensure that consumer information is protected. Business should perform audits and assessments with vendors.”
Tips for Managing Third-Party Risk for Healthcare Organizations
As a result of HITECH regulation and other technological innovations over the past decade, healthcare is becoming more approachable. Reliance on vendors is necessary in healthcare to achieve compliance and deliver the best care possible. That reliance raises the critical importance of the technical and data protection requirements seen in HITECH, but it also greatly increases the risk profile of vendor relationships.
A strong vendor risk management program is vital to the health of your organization because it allows you to understand exactly where and how valuable data is exposed. IT security company SecurityScorecard recommends that healthcare organizations gain comprehensive visibility into a third-party vendor’s cybersecurity practices to understand any potential avenue for exposure of PHI/PII.
To develop this visibility, vendor risk management staff should conduct vendor risk assessments and due diligence in third-party relationships to monitor adherence to contractual requirements and control structures.
Once an effective program is developed, critical functions such as procurement, compliance and ethics, privacy and information security need to develop a collaborative strategy and approach that C-suite executives support. Together they must promote the importance and necessity of vendor risk management to engage departments cross-functionally.
ProcessUnity Vendor Risk Management for Healthcare Organizations
Most organizations are fully aware of the information security risk posed by vendors in healthcare – many even admit that their current processes may be ineffective or inefficient. The problem often lies in manual processes encumbered by hundreds to thousands of documents, spreadsheets and emails. Vendor risk management programs tend to get tied up in managing and reconciling documents, pulling resources away from truly managing the risk in these relationships. An automated vendor risk management solution can streamline this process to alleviate this burden on the program.
ProcessUnity Vendor Risk Management centralizes important data to help your organization gain visibility into vendor risk. Making risk-based decisions on whether to engage a vendor requires reliable, consistent information related to a vendor’s profile, the types of risks in the relationship, the performance and stability of the relationship, the critical nature of the relationship, the policies and procedures that govern each relationship, and the practices and overall risk exposure of the relationship. This is essential for understanding and mitigating risk in each relationship and across the relationships of the healthcare organization.