Venminder CEO James Hyde on Reducing Risk Exposure From Vendor Relationships
James Hyde •
January 25, 2023
Every day, we hear about new data breaches in the healthcare industry. With breaches on the rise and the average cost of a healthcare breach reaching a staggering $10.1 million in 2022, it is no surprise that third-party risk management is a growing concern in the healthcare industry.
To ensure a secure environment, regulators such as the Office for Civil Rights, the Centers for Medicare and Medicaid Services, and the Office of the National Coordinator for Health Information Technology stress the importance of managing the third parties to whom healthcare organizations outsource products and services.
The Main Guidelines in Healthcare
The good news is that there are guidelines that explain how healthcare organizations should manage third parties. The two main guidelines are the Health Insurance Portability and Accountability Act and the Health Information Trust Alliance. Here is a brief overview:
- HIPAA requires sensitive data protection. This means that a patient's health information, such as medical records, cannot be disclosed without their consent or knowledge of it. However, for business associates – vendors with access to PHI – that have obtained satisfactory assurance that patient information will not be misused, the HIPAA Privacy Rule permits covered organizations to share protected health information – PHI – with businesses that are HITRUST-qualified.
- HITRUST is a healthcare-specific security framework used by HITRUST-qualified organizations and individuals to properly manage data, information risk and compliance. With a HITRUST certification, a third party can demonstrate that it has met the requirements of the HITRUST cybersecurity framework, or CSF, including those derived from HIPAA.
Prioritizing Third-Party Risk Management in Healthcare
With so many third parties involved in the healthcare industry, risks have increased significantly. Third parties often have access to sensitive information, such as electronic health records – EHRs, patient billing and overall patient communications, which can easily expose sensitive information if breached. What are the consequences of exposing organizational or patient data? Ultimately, your financial viability takes a hit because patient trust is lost, your reputation is compromised and customers may leave your organization.
- The question is: How can a healthcare organization reduce its risk exposure and potentially avoid the consequences that can result from its vendor relationships?
- The answer is: Practice effective third-party risk management.
How to Prioritize Third-Party Risk Management
As a first step in prioritizing third-party risk management, an organization must understand and apply the third-party risk management life cycle to all of its vendors. This means having the right processes to identify, assess and manage vendor risk across the three life cycle stages: onboarding, ongoing and offboarding.
- Onboarding vendors: First, it is essential to identify the inherent risk and criticality of the relationship. Once the risks are identified, the vendor must undergo due diligence, which involves collecting and reviewing the vendor's documents to verify that it is a legitimate business entity with a good reputation and to confirm that it has appropriate risk controls. These activities must take place before you sign the contract.
- Ongoing monitoring: Once the contract is signed, it does not mean the work is done. Remember that a vendor's risk can fluctuate, so it is important to practice ongoing monitoring. Formal, periodic risk reassessments and due diligence should be standard practice to identify new, emerging or changing risks. It is also essential to continually monitor the vendor's risk and performance and to reevaluate the contract well before any renewal.
- Offboarding vendors: Terminating a vendor contract should be part of a formal, structured process. This usually involves notifying the vendor that the contract will not be renewed, executing a preplanned exit strategy and paying final invoices.
3 Benefits of Prioritizing Third-Party Risk Management
Even though third-party risk management is challenging, the benefits make it worth the effort. Prioritizing third-party risk management can benefit healthcare organizations in the following ways:
- Patients are kept safe. One of the most valuable benefits, patient safety, should be one of the biggest motivators for effective third-party risk management. A robust program can protect your patients from modern threats, such as the loss or misuse of their personal health data or compromised medical devices.
- Data security is a top priority. With the help of a third-party risk management program, your organization and its vendors will be more aware of the importance of data security. Data security goes beyond awareness when you implement structured third-party risk management, which includes formal assessments and reviews of your vendors' information security practices.
- There is less risk of costly data breach consequences. The consequences of data breaches can be expensive. Regulatory fines and penalties, increases in your cybersecurity insurance premium and patient data monitoring services are all costs that can be avoided through third-party risk management.
Creating an effective third-party risk management program takes time and effort but is worthwhile. Robust third-party risk management practices can keep your patients safe and potentially prevent costly and damaging situations from happening in the first place. For today's healthcare organizations, third-party risk management should be a top priority.
To learn more about third-party risk management, visit Venminder's resources library and blog and register for its CPE credit-eligible webinars.