Vendor Risk Management in Healthcare: What It Is and Why It Matters

The following is a guest article by Brian Selfridge, Healthcare Cybersecurity & Risk Leader at CORL Technologies.

In 2023, healthcare organizations face an impossible paradox. On the one hand, they have no choice but to rely on third-party vendors––the ongoing digitization of healthcare would be impossible without them. On the other hand, these vendors have shown themselves to be highly vulnerable to attack, with ransomware and other breaches drastically impairing the ability of some health organizations to function. Worse, these attacks sometimes threaten patient safety and cause regulatory non-compliance with HIPAA when data is lost or stolen.

The problem is worse than you might realize. No industry is immune to harm from cyberattacks, but healthcare has been hit particularly hard: according to a recent report from the Identity Theft Research Center, no other industry has experienced as many breach events in the last two years.

For this very reason, healthcare vendor risk management programs have taken on a new importance in recent years. While such programs are long established in fields like finance, the technologies behind them (vendor risk management (VRM) platforms, workflow automation, and vendor assessment clearinghouses and exchanges) are a relatively new phenomenon in healthcare. Below, we’ve assembled a quick guide to how VRM technology works and why it’s quickly gaining traction in the healthcare field.

What is VRM and How Does it Work?

Back when sensitive patient information was stored in physical files, healthcare organizations only had to worry about the (rare) physical break-in. Today––when third-party vendors store or manage vast quantities of Protected Health Information (PHI) and other sensitive data––the range of potential threats has grown enormously.

This is why VRM is so important. It can take a wide variety of forms, but its most essential technological components include: efficient exchange of assessment data and supporting evidence (for instance, through automated vendor questionnaire technology); automated risk scoring, vendor tiering, and decision support; tracking and remediation of risk findings (e.g. risk registers); workflow automation; and reporting and data visualization.

Of course, a high-performing VRM program involves a number of important factors beyond the technology itself. Vendor inventories need to be continually updated and tiered based on criticality, impact and compliance exposure. Vendors who require remediation need to be prioritized, and that remediation activity needs to be tracked over time. Key performance indicators (KPIs), key risk indicators (KRIs), and service-level agreements (SLAs) need to be rigorously and continually tracked. And––because the worst-case scenario can’t always be kept at bay, even with a quality VRM program in place––relevant parties need to prepare and practice communication plans to customers should a supply chain incident ever occur.

Working with Third-Party Vendors to Effect Remediation

So you’ve got a VRM program in place and you’ve identified a risk in one of your vendors. What happens next?

The process, unfortunately, is not automatic. Organizations that spot a risk must work on their own to drive the third-party vendor to remediate the issue in question. This is, of course, as important as (if not more important than) identifying the risk in the first place––because a risk identified but not remediated is not of much value to anyone.

The name of the game here is prioritization. The National Institute of Standards and Technology’s 800-53 cybersecurity standard and compliance framework has hundreds of controls––it might not be reasonable to expect high maturity ratings in every single one. Instead, it might be worth focusing on a subset of critical controls––for instance, a vendor’s vulnerability management and patching program, or its incident response plans.

It’s important, as well, to make sure you have a support model and communication plan in place. This should ideally be a bi-directional process, with expectations properly set on both sides around timeframes, escalation points, and similar details.
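As an added illustration of the vendor tiering, risk-register tracking and remediation prioritization described above (example code written for this article, not CORL’s product or any standard’s scoring model; the weights, SLA windows, vendors and findings are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: tier weights, thresholds and SLA windows are assumptions,
# not CORL's scoring model or any published standard.
TIER_SLA_DAYS = {1: 30, 2: 90, 3: 180}          # remediation SLA (days) by vendor tier
CRITICAL_FAMILIES = {"vulnerability_management", "patching", "incident_response"}

@dataclass
class Vendor:
    name: str
    criticality: int     # 1-5: how dependent operations are on this vendor
    phi_records: int     # impact: volume of PHI the vendor stores or processes
    baa_signed: bool     # compliance exposure: HIPAA Business Associate Agreement on file

@dataclass
class Finding:
    vendor: str
    control_family: str
    severity: int        # 1-5
    opened: date
    remediated: bool = False

def tier(v: Vendor) -> int:
    """Tier 1 is highest risk; combines criticality, impact and compliance exposure."""
    score = v.criticality * 2
    score += 3 if v.phi_records >= 100_000 else 2 if v.phi_records >= 1_000 else 0
    score += 0 if v.baa_signed else 2
    return 1 if score >= 10 else 2 if score >= 6 else 3

def prioritize(findings, vendors):
    """Open findings ordered: tier-1 vendors first, critical-control gaps before others."""
    tiers = {v.name: tier(v) for v in vendors}
    key = lambda f: (tiers[f.vendor], f.control_family not in CRITICAL_FAMILIES, -f.severity)
    return sorted((f for f in findings if not f.remediated), key=key)

def overdue(findings, vendors, today):
    """Open findings whose tier-based SLA has lapsed; these go to the escalation point."""
    tiers = {v.name: tier(v) for v in vendors}
    return [f for f in findings if not f.remediated
            and today > f.opened + timedelta(days=TIER_SLA_DAYS[tiers[f.vendor]])]

VENDORS = [Vendor("ClaimsCloud", 5, 2_000_000, True),   # constructed sample inventory
           Vendor("SchedulerCo", 3, 500, False),
           Vendor("LaundryLtd", 1, 0, True)]
FINDINGS = [Finding("ClaimsCloud", "patching", 3, date(2023, 1, 10)),   # constructed register
            Finding("ClaimsCloud", "access_control", 5, date(2023, 3, 1)),
            Finding("SchedulerCo", "incident_response", 4, date(2023, 2, 1)),
            Finding("LaundryLtd", "patching", 2, date(2022, 6, 1), remediated=True)]
REVIEW_DATE = date(2023, 4, 15)   # date of the periodic VRM review in this example
```

Note that the tier-1 patching gap is ranked ahead of the higher-severity access-control finding at the same vendor, reflecting the critical-control subset the text recommends focusing on.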

The Legal Side of VRM Programs

Failure to implement a quality VRM program and to work on remediation with third-party vendors opens healthcare organizations to an intolerable level of risk. The primary risk, of course, is to patient data and security, but the secondary risks are painful as well––non-compliance with the various regulatory standards around VRM can lead to a tremendous amount of legal risk.

There are a few practical steps related to VRM programs that organizations can take to reduce their degree of legal exposure. These include updating contracts with vendors to include security requirements, defining specific Service Level Agreements (SLAs) and including them in contracts, and defining breach notification requirements as well as communication expectations for breach events.

Thorough VRM isn’t easy––nothing in healthcare ever is. But if patients are to be assured that their information is safe, healthcare organizations need to work proactively to implement it, enlisting the help of cybersecurity professionals and continually prodding third- and fourth-party vendors to effect the relevant changes. We can be wistful for the old times, when bad actors would have to physically break in to get access to patient paperwork; but we cannot delude ourselves about the risks at play today. Working proactively to lower those risks needs to be a top priority for healthcare organizations.
