In today's regulation- and security-focused healthcare environment, hospital networks and healthcare providers are under more scrutiny than ever from government regulators over how they manage and evaluate the risks posed by the vendors, suppliers and contractors in their supply chain. Understanding how these regulations connect to third-party vendor risk is essential to compliance, but it is just as important to recognize that reducing and managing vendor risk protects the organization itself.
Healthcare organizations need to clearly define, categorize, and continually assess a range of risks across their extended third-party vendor relationships: cybersecurity risk, sanctions, litigation, judgments, liens, privacy, criminal records, licensing, and more. Regardless of the complexity of the supply chain or the size of the healthcare organization, vendor risk management programs face similar challenges: inefficient frameworks and processes that give no detailed view of vendor risk exposure across the healthcare enterprise.
As hospitals become more dependent on third-party vendors for critical products and services, the need for vendor risk management grows with them. While outsourcing is an accepted and widely used business strategy, it is essential to recognize that third-party vendors frequently access hospital data, facilities, and patients' personal information.
The risks from third-party vendors can be significant. The regulatory, legal, financial, and reputational impact can be devastating if a vendor fails to meet compliance requirements, disregards safety standards, or mishandles private and confidential data.
The average hospital has more than 1,300 vendors, many of which have the potential to do severe damage to healthcare operations, patients, and reputation. While cybersecurity protection and patient privacy are top of mind for everyone, virtually every clinical process carries inherent risk. Most hospitals do not review the security practices of each of their vendors on an annual basis; in a recent hospital survey, barely more than one in four said they conduct vendor assessments for all of their vendor partners.
Rising Costs of Healthcare Data Breaches
The IBM Security 2021 Cost of a Data Breach Report found that healthcare data breaches are the costliest of any industry, with the average cost rising by roughly $2 million to $9.23 million per incident; ransomware attacks cost an average of $4.62 million per incident. It is tempting to assume that if the vendor suffers the breach, the vendor bears the cost. It is not that simple. If the contract is structured correctly and the vendor is adequately insured, the cost of mitigation may be covered, but insurance coverage often proves insufficient, and the remaining mitigation costs shift back to the healthcare provider. Under HIPAA, the covered entity also retains its own breach notification obligations to patients and regulators even when a business associate caused the breach.
Cost is only part of the problem. Alongside the financial costs, healthcare providers can suffer reputational damage and loss of patient trust. And while HIPAA addresses patient privacy and data protection, other types of vendor risk can seriously harm your organization if left unchecked.
A hospital that does not adequately manage and evaluate its vendors exposes itself to considerable risk. Healthcare systems must balance the usefulness of a product or service against the risk it poses, and must tread more cautiously than other industries: stricter privacy and security requirements mean that sharing data with vendors or hosting information in the cloud warrants greater scrutiny and oversight.
More importantly, when vendors provide health and medical services directly, insufficient or failed delivery can reduce the quality of patient care, jeopardize patient health, or even cost lives.
Changing Healthcare Regulations for Vendor Risk Management
The Health Insurance Portability and Accountability Act (HIPAA) was passed into law in 1996, and over the past two decades it has grown into a considerable regulatory burden for healthcare organizations. HIPAA's intent is to drive efficiency, protect the privacy and security of health information, and, as amended by the HITECH Act, ensure that patients are notified if their protected health information (PHI) and personally identifiable information (PII) are breached. These breaches frequently originate in third-party vendor relationships.
HIPAA requires that electronic PHI an organization creates, receives, maintains, or transmits be protected against emerging risks and threats. The HIPAA Security Rule set out security standards, including administrative, physical and technical safeguards, that must be applied internally and also flowed down to third-party vendors through business associate agreements. HIPAA became a greater concern with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. HITECH focuses on the adoption and meaningful use of health information technology, with Subtitle D specifically addressing the privacy and security concerns of electronic transmission of health information. The challenge is that transmitting and processing this data often relies on third-party vendors. HITECH strengthened civil and criminal enforcement of the HIPAA rules and made business associates directly liable for compliance with the Security Rule.
Data breaches are a serious risk in healthcare that deeply concerns executives throughout the industry. Vendors with access to the organization's PII and PHI inherently expose it to critical risk.
As a result of HITECH and other technological change over the past decade, healthcare is adapting to new compliance and cybersecurity requirements. Reliance on vendors to achieve compliance and deliver the best possible care is unavoidable, which raises the importance of the technical and data protection requirements in HITECH but also greatly increases the risk profile of vendor relationships.
A strong vendor risk management program is vital to the overall strength of the organization because it lets management understand exactly where, and how, valuable data is exposed. Healthcare organizations must gain comprehensive visibility into each third-party vendor's cybersecurity practices and breach history to understand every potential avenue for exposure of PHI/PII.
To build this visibility, vendor risk management staff should conduct vendor risk assessments, together with due diligence, risk scoring and reporting on each third-party relationship, to get a complete picture of all vendor risk factors.
Once an effective program is in place, critical functions such as procurement, compliance and ethics, privacy, and information security need to develop a collaborative strategy that C-suite executives support. Together they must promote the importance of vendor risk management to engage departments cross-functionally.
Better governance and a strong third-party vendor risk management program go hand in hand. Strong governance has clear benefits in reducing risk: increased transparency, better alignment to strategy, and consistent regulatory compliance.
Healthcare organizations can reduce their overall third-party risk profile by integrating third-party risk technologies and operational processes that evaluate vendors with rigorous due diligence analysis and continuous risk monitoring across the organization.
Managing third-party vendor risk is an ongoing process. It is about prevention rather than responding to adverse incidents after they occur. There are tremendous benefits to be gained from embracing the extended enterprise, and today's competitive business environment demands it. Every healthcare organization needs to be proactive in its third-party vendor risk management strategy.
Making risk-based decisions on whether to engage a vendor requires reliable, consistent information about the vendor's profile, the types of risk involved, the vendor's performance and stability, and the overall risk exposure of the relationship. This is essential to understanding and mitigating risk in each vendor relationship and across the healthcare organization's supply chain.
Modevity provides end-to-end Vendor Risk Management Services to help your organization gain visibility, with actionable real-time risk scoring, reporting and assessments covering all vendor risks throughout the supply chain.
Company Contact Information:
Thomas J. Canova
Co-Founder, CMO
Modevity, LLC 610-251-0700
tomc@modevity.com www.modevity.com