Third-Party Vendor Risk Management is a Crucial Component of any Healthcare Organization’s Compliance & Risk Management Program

Vendor Risk Management as a Service

Hospital networks and healthcare providers are becoming more scrutinized than ever by government regulators about how organizations manage and evaluate Third-Party Risks of the vendors, suppliers, and contractors in their supply chain. Understanding how these regulations connect to third-party vendor risk is paramount to ensuring compliance, but also recognizing the vital importance of reducing and managing potential vendor risk to the organization as well.

It is alarming to see that the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors, signaling a need for better Third-party Vendor Risk Management (VRM) practices in the industry.  The HHS Office for Civil Rights (OCR) in 2022. Has reported that the breaches collectively impacted more than 48.6 million individuals, compared to forty million in 2021.

Healthcare security experts and compliance management professionals know that improving this process is not an easy task. Healthcare organizations are constantly onboarding new vendors and conduct risk assessments in a process that is often manual and very time-consuming.

Current Vendor Risk Management strategies may need to implement additional new processes and solutions as the healthcare vendor ecosystem continues to expand.

Behind the scenes of any health system, a network of vendor relationships keeps the organization supplied with the materials and technologies they need to care for patients

“Third-party risk and supply chain risk are really interesting inside of the healthcare space, and that’s because of the diversity of the types of third parties and suppliers that healthcare organizations work with,” Alla Valente, senior analyst at Forrester, recently stated explained in an interview.

“There’s a whole physical supply chain of everything from saline bags to syringes to hospital gowns and all the other things that you need to be able to deliver patient care. Also, healthcare increasingly relies on technology for diagnostics and therapeutics.”

.In addition to medical device suppliers, cybersecurity vendors, and other services, Valente stated the importance of “non-traditional third parties.”

For example, a healthcare organization may utilize consulting medical professionals and visiting doctors that are not technically employees and they can also be classified as Third-Party vendors.

Also, large hospitals may operate research facilities that employ researchers, post-doctorates, and others who are technically not employed by the organization, but still have access to sensitive data.  In addition, nursing students, contractors, and other non-employees all would be considered third parties.

Processes for managing risk relating to non-traditional third-parties will naturally look different than managing vendor risk, but all of these parties must be considered carefully.  But at the same time, it is vital for the healthcare institution to begin to implement a robust VRM program for their vendors and suppliers first, then move on to the non-traditional third-parties.

Even as healthcare organizations continue to outsource key functions to third-party vendors, risk management remains a challenge.

In fact, 60 percent of surveyed healthcare organizations admitted that their third-party risk management and compliance strategies could use some improvements, Kiteworks revealed in a 2022 report.

There are several reasons why Third-Party Vendor Risk Management programs may not succeed in healthcare:

The lack of automation and reliance upon manual risk management processes makes it difficult to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.

Vendor risk assessments are time-consuming and costly, so only a few organizations are conducting risk assessments of all vendors.

Critical vendor management controls and processes are often only partially deployed or not deployed. Also, it has been a growing trend that the number of vendors that deal with sensitive data has increased, leading to increased complexity when it comes to data stewardship, access management, and other considerations.

At the HIMSS Healthcare Cybersecurity Forum, held in Boston in December, panelists brought up similar concerns, citing the lengthy and time-consuming nature of managing third-party risk assessments on a transaction-by-transaction basis.

Valente pointed to the pandemic as a big catalyst for change in the TPRM space.

Now, a few years into the pandemic, healthcare organizations continue to expand their vendor ecosystems, new risks will certainly increase.  With the increase reliance on new suppliers and vendors , which means that every one of them is a conduit for possible risk exposure.”

Unfortunately, cyber criminals are not blind to this fact, leading to an increase in third-party data breaches.

It is of no surprise that over time, these cyber attackers has learned to make the most of each attack, pivoting to more profitable business models.  Ransomware, in particular, RaaS (ransomware as a service,) are business models that have ramped up over the last few years.  With the impact of third-party breaches doubling this year, understanding even a vendor’s basic cyber posture is an important part of the equation.”.

Researchers linked the increased number of victims to the domino effect that occurs when one third-party breach poses a risk to other connected vendors, also known as cascading risk. Specifically, the term as the “chain of causality that emerges when risk and accumulated vulnerabilities connect to increase the chance of attack.”

What’s more, unauthorized network access was the primary cause of the most third-party data breaches, setting off nearly 40 percent of the analyzed breaches. Ransomware was the second most cited cause for breaches, initiating 29 percent of attacks, a rate that has fallen slightly since 2021.

Ideally, as a best practice, the first thing Healthcare organizations need to do is have an accurate inventory of all of your third parties –  not just the software providers, not just the IT services providers, etc.  They all need to classify them into the technologies, the suppliers, and also these non-traditional relationships as well, because management needs understand where those sources of risks are.”

In addition to maintaining an accurate inventory, another best practice is organizations need conduct a thorough risk assessment prior to signing a contract.

The entire lifecycle of a third-party relationship also includes offboarding and de-provisioning, etc. It is important to communicate with security when a consultant no longer needs access to systems, for example, or when a vendor contract has ended.

Another key component of TPRM is implementing a robust background due diligence risk scoring and reporting on all vendors and continuous monitoring throughout the year!

Monitoring and vendor risk management automation can help organizations prioritize key risk management areas and know which vendors need to be reassessed and when.

As healthcare organizations continue to digitally transform and bring new third-parties on board, Vendor Risk Management (VRM) should remain top-of-mind. Improving and streamlining VRM may take time but can reduce risk overall.

Healthcare organizations need to clearly define, categorize, and continually assess a range of risks across their extended third-party vendor relationships. This includes cybersecurity risk, sanctions, litigation, judgments, liens, privacy, criminal records, licensing, etc.  Regardless of the complexity of the supply chain or size of the healthcare organization– vendor risk management programs are facing similar challenges due to inefficient system frameworks and processes that lack the proper understanding into detailed vendor risk exposure across the healthcare enterprise.

As hospitals increasingly become more dependent on third party vendors to provide critical products and services, the need for vendor risk management increases exponentially.  While outsourcing is an acceptable and widely used business strategy, it is essential to realize that third-party vendors frequently access hospital data, facilities, and patients’ personal information.

Modevity provides the end-to-end Vendor Risk Management Services to help your organization gain visibility and actionable real-time risk scoring, reporting and assessments into all vendor risks throughout the supply chain.

 Company Contact Information:

Thomas J. Canova
Co-Founder, CMO
Modevity, LLC  610-251-0700
tomc@modevity.com    www.modevity.com

Leave a Comment

Trusted partner since 2004.

Other Pages

Quick Links

Get the latest news & updates

Copyright © 2022 All rights reserved.