Why Healthcare Orgs Must Prioritize 3rd-Party Risk Management
Venminder CEO James Hyde on Reducing Risk Exposure From Vendor Relationships
Every day, we hear about new data breaches in the healthcare industry. With breaches on the rise and the average cost of a healthcare breach reaching a staggering $10.1 million in 2022, it’s no surprise that third-party risk management is a growing concern in the healthcare industry.
To ensure a secure environment, regulators such as the Office for Civil Rights, Centers for Medicare and Medicaid Services, and the Office of the National Coordinator for Health Information Technology stress the importance of managing third parties to whom healthcare organizations outsource products and services.
The Primary Guidelines in Healthcare
The good news is that there are guidelines to explain how healthcare organizations should manage third parties. The two principal guidelines are the Health Insurance Portability and Accountability Act and the Health Insurance Trust Alliance. Here is a brief overview:
- HIPAA requires sensitive data protection. This means that a patient's health information, such as medical records, can't be disclosed without their consent or knowledge. But the HIPAA Privacy Rule permits covered organizations to share protected health information (PHI) with business associates - vendors with access to PHI - when there is satisfactory assurance that patient information will not be misused, meaning the business associates have validated information safeguards, or controls, to protect patient information. These controls may be validated by HITRUST certification or other means.
- HITRUST is a healthcare-specific security framework used by HITRUST-qualified organizations and individuals to manage data, information risk, and compliance properly. With a HITRUST certification, a third party can prove it has met requirements in the HITRUST cybersecurity framework, or CSF, such as HIPAA.
Prioritizing Third-Party Risk Management in Healthcare
With so many third parties involved in the healthcare industry, risks have increased substantially. Third parties often have access to sensitive information, such as electronic health records (EHRs), patient billing, and overall patient communications, which can easily be exposed if the third party is breached. What are the consequences of exposing organizational or patient data? Ultimately, your financial viability takes a hit because patient trust is lost, your reputation is compromised, and customers may leave your organization.
- The question is: How can a healthcare organization reduce its risk exposure and potentially avoid the consequences that can result from its vendor relationships?
- The answer is: Practice effective third-party risk management.
How to Prioritize Third-Party Risk Management
As a first step in prioritizing third-party risk management, an organization must understand and apply the third-party risk management life cycle to all its vendors. This means having the right processes to identify, assess and manage vendor risk across the three life cycle stages: onboarding, ongoing and offboarding.
- Onboarding vendors: First, it's essential to identify the inherent risk and criticality of the relationship. Once the risks are identified, the vendor must undergo due diligence, which involves collecting and reviewing the vendor's documents to verify that they are a legitimate business entity with a good reputation and to confirm they have appropriate risk controls. These activities must take place before you sign the contract.
- Ongoing monitoring: Once the contract is signed, it doesn't mean the work is finished. Remember that a vendor's risk can fluctuate, so it's important to practice ongoing monitoring. Formal, periodic risk reassessments and due diligence should be standard practice to identify new, emerging or changing risks. It's also essential to constantly monitor the vendor's risk and performance and reevaluate the contract well before any renewals.
- Offboarding vendors: Terminating a vendor contract should be part of a formal, structured process. This usually involves notifying the vendor that the contract will not be renewed, executing a preplanned exit strategy and paying final invoices.
3 Benefits of Prioritizing Third-Party Risk Management
Even though third-party risk management is challenging, the benefits make it worth the effort. Prioritizing third-party risk management can benefit healthcare organizations in the following ways:
- Patients are kept safe. One of the most valuable benefits, patient safety, should be one of the largest motivators for effective third-party risk management. A robust program can protect your patients from modern threats, such as the loss or misuse of their personal health data or compromised medical devices.
- Data protection is a top priority. With the help of a third-party risk management program, your organization and its vendors will be more aware of the importance of data protection. Data protection goes beyond awareness when you implement structured third-party risk management, which includes formal assessments and reviews of your vendor's information security practices.
- There is less risk of costly data breach consequences. The consequences of data breaches can be expensive. Regulatory fines and penalties, increases in your cybersecurity insurance premium, and patient data monitoring services are all costs that can be avoided through third-party risk management.
Creating an effective third-party risk management program takes time and effort but is worthwhile. Robust third-party risk management practices can keep your patients safe and potentially prevent costly and damaging scenarios from happening in the first place. For today's healthcare organizations, third-party risk management should be a top priority.
To learn more about third-party risk management, visit Venminder's resources library and blog, and register for its CPE credit-eligible webinars.