Industry Insights with James Hyde

Electronic Healthcare Records , Governance & Risk Management

Why Healthcare Orgs Must Prioritize 3rd-Party Risk Management

Venminder CEO James Hyde on Reducing Risk Exposure From Vendor Relationships
Why Healthcare Orgs Must Prioritize 3rd-Party Risk Management

Every day, we hear about new data breaches in the healthcare industry. With breaches on the rise and the average cost of a healthcare breach reaching a staggering $10.1 million in 2022, it’s no surprise that third-party risk management is a growing concern in the healthcare industry.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

To ensure a secure environment, regulators such as the Office for Civil Rights, Centers for Medicare and Medicaid Services, and the Office of the National Coordinator for Health Information Technology stress the importance of managing third parties to whom healthcare organizations outsource products and services.

The Primary Guidelines in Healthcare

The good news is that there are guidelines to explain how healthcare organizations should manage third parties. The two principal guidelines are the Health Insurance Portability and Accountability Act and the Health Insurance Trust Alliance. Here is a brief overview:

  • HIPAA requires sensitive data protection. This means that a patient's health information, such as medical records, can't be disclosed without their consent or knowledge. But for business associates - vendors with access to PHI - who have obtained satisfactory assurance that patient information will not be misused, the HIPAA Privacy Rule permits covered organizations to share protected health information – PHI – with business associates that have validated information safeguards, or controls, to protect patient information. These controls may be validated by HITRUST certification or other means.
  • HITRUST is a healthcare-specific security framework used by HITRUST-qualified organizations and individuals to manage data, information risk, and compliance properly. With a HITRUST certification, a third party can prove they have met requirements in the HITRUST cybersecurity framework or CSF, such as HIPAA.

Prioritizing Third-Party Risk Management in Healthcare

With so many third parties involved in the healthcare industry, risks have increased substantially. Third parties often have access to sensitive information, such as electronic health records - EHRs, patient billing, and overall patient communications, which can easily expose sensitive information if breached. What are the consequences of exposing organizational or patient data? Ultimately, your financial viability takes a hit because patient trust is lost, your reputation is compromised, customers may leave your organization, and your reputation is compromised.

  • The question is: How can a healthcare organization reduce its risk exposure and potentially avoid the consequences that can result from its vendor relationships?
  • The answer is: Practice effective third-party risk management.

How to Prioritize Third-Party Risk Management

As a first step in prioritizing third-party risk management, an organization must understand and apply the third-party risk management life cycle to all its vendors. This means having the right processes to identify, assess and manage vendor risk across the three life cycle stages: onboarding, ongoing and offboarding.

  • Onboarding vendors: First, it's essential to identify the inherent risk and criticality of the relationship. Once the risks are identified, the vendor must undergo due diligence, which involves collecting and reviewing the vendor's documents to verify that they are a legitimate business entity with a good reputation and to confirm they have appropriate risk controls. These activities must take place before you sign the contract.
  • Ongoing - monitoring: Once the contract is signed, it doesn't mean the work is finished. Remember that a vendor's risk can fluctuate, so it's important to practice ongoing monitoring. Formal, periodic risk reassessments and due diligence should be standard practice to identify new, emerging or changing risks. It's also essential to constantly monitor the vendor's risk and performance and reevaluate the contract well before any renewals.
  • Offboarding vendors: Terminating a vendor contract should be part of a formal, structured process. This usually involves notifying the vendor that the contract will not be renewed, executing a preplanned exit strategy and paying final invoices.

3 Benefits of Prioritizing Third-Party Risk Management

Even though third-party risk management is challenging, the benefits make it worth the effort. Prioritizing third-party risk management can benefit healthcare organizations in the following ways:

  1. Patients are kept safe. One of the most valuable benefits, patient safety, should be one of the largest motivators for effective third-party risk management. A robust program can protect your patients from modern threats, such as the loss or misuse of their personal health data or compromised medical devices.
  2. Data protection is a top priority. With the help of a third-party risk management program, your organization and its vendors will be more aware of the importance of data protection. Data protection goes beyond awareness when you implement structured third-party risk management, which includes formal assessments and reviews of your vendor's information security practices.
  3. There is less risk of costly data breach consequences. The consequences of data breaches can be expensive. Regulatory fines and penalties and increases in your cybersecurity insurance premium and patient data monitoring services are all costs that can be avoided through third-party risk management.

Creating an effective third-party risk management program takes time and effort but is worthwhile. Robust third-party risk management practices can keep your patients safe and potentially prevent costly and damaging scenarios from happening in the first place. For today's healthcare organizations, third-party risk management should be a top priority.

To learn more about third-party risk management, visit Venminder's resources library and blog and register for its CPE credit eligible webinars.

About the Author

James Hyde

James Hyde

CEO, Venminder

James Hyde is Chief Executive Officer at Venminder , a globally recognized leader of third-party risk management software technology and solutions used by customers for the onboarding, ongoing management, offboarding, and risk management of vendors throughout their lifecycle. Hyde has been driving the vision, culture, and rapid growth at Venminder, as the company has now quickly amassed more than 1,200 customers from a wide range of diverse sectors including banking, insurance, technology, healthcare, and more. Prior to joining Venminder, Hyde worked with innovative and leading FinTech and SaaS companies where he focused on driving rapid and sustainable growth. Most recently, at mobile payments leader Braintree, Hyde was responsible for revenue growth as SVP of Sales and was instrumental in propelling their evolution from startup phase to one of the most successful payment processors in the world, now owned by PayPal.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.