How health organizations can effectively manage third-party risk
[Stephen] Why is there so much interest in third-party risk management going into the year 2020?
[Jigar] There’s been a lot of incidents with regards to third parties, both directed third parties and other third parties, tertiary folks. And in the healthcare space, third parties are a critical avenue in the supply chain function, and they conduct a lot of business on behalf of hospital systems, both from a system perspective and from an IT perspective. Many rely on third parties for niche solutions, skills, etc. And they are important and critical cogs in processing of data. And every time there’s a breach, whether it’s one that you’re familiar with or a different one that you’re not using, it just escalates the need to make sure our critical third parties are secure, safe, and they have a plan for business continuity.
A lot of the third parties that I’ve seen in the paper recently, they are small organizations with no business continuity or disaster planning in place. So, if they have a virus, a ransomware attack, their systems go down and it impacts us because we’re using them for critical business operations, both from a hospital perspective and from an IT perspective.
[Stephen] What are some ways that the healthcare providers watching HIMSS TV can begin to better manage their third-party risk and to work with their third parties?
[Jigar] First things first, they have to have an inventory of their third parties. They need to determine which third parties are the most critical, prioritize those, and then go do some type of assessment to make sure their third party has the tools, processes, procedures in place, where you feel comfortable. Whether it’s a risk assessment or a feasibility analysis, something where you feel comfortable with them and you’re okay with whatever their approach is.
[Stephen] How does Censinet differ from other products on the market today? Like what’s unique about it?
[Ed] Yes, we take a different approach fundamentally. So, we believe the way to solve the problem is to connect the providers, with their supply chain of vendors. And have that transaction done in real time versus sending out questionnaires via Excel spreadsheets or Word documents or PDFs. We believe doing that online and enabling the vendor to do the right thing and do it one time, but share those results and share the evidence with the provider community at any point in time, is the way to go. Both sides benefit.
The providers can get their assessments done in a much faster time. Where we’re seeing averages today, before Censinet, somewhere in the eight to twelve weeks, we’re getting assessments done in less than five days. Also the accuracy and the quality of the assessments is really important as well. And you’re able to actually store and maintain that evidence now based on the responses to the questionnaires. That also is invaluable. So, you can correlate the responses with the actual evidence that’s provided on behalf of that third-party vendor.
[Stephen] Why are healthcare providers using Censinet?
[Jigar] One, it’s healthcare provider-only. Two, a number of healthcare providers helped create it. And three, I don’t know if it’s healthcare providers or the healthcare industry, but there seems to be a lot of sharing, and we’re all facing the same issues as it relates to third parties.
[Stephen] How is Censinet helping these providers achieve their goals? What are the benefits?
[Jigar] A consolidated platform for workflow for third-party risk assessments, scoring data, vendors that proactively are a part of the system. If I’m going to use a vendor and they’re already part of Censinet, then I don’t have to redo all the work. That saves man-hours and time from my team as well as from the third party themselves.
[Stephen] What are your predictions in 2020 for the risk management space?
[Ed] I think this will be the year of risk management. I think more than ever, there’s a lot of investment being made in this space. There are a lot of new companies and a lot of new vendors coming at this problem, trying to solve the problem. Again, we think creating the collaborative risk network is the way to do that, and that’s Censinet’s approach. But there are other approaches too and some of them are pretty recent. And some of them, again, are based on these old assumptions that, you know, you can spend a year and wait until a reassessment is done.
We don’t believe that. We believe in the continuous monitoring and the reassessment of a vendor. We think that’s the way to do it, and we think also you get more coverage of your vendors across your supply chain by doing it that way.