Separating Yourself from Your Peers
The HHS Office for Civil Rights (OCR) breach portal shows that more individuals were affected by reported breaches in the first half of 2019 than in all of 2018. With the trend line still rising, healthcare providers need a clear view of where their exposure lies so they can manage the assessment process and reduce the likelihood of a breach.
Healthcare CIOs, CISOs and other IT and security professionals have many potential points of compromise to monitor, because threats to their organizations come in many forms. The HHS 405(d) Task Group recently published the Health Industry Cybersecurity Practices (HICP) guide, which identifies five top threats and attacks: email phishing, ransomware, equipment loss and theft, data loss, and attacks on connected medical devices. Headlines announcing that yet another provider has suffered a breach in one of these areas are now nearly a daily occurrence. An additional entry point, however, is drawing growing attention: third-party vendors.
According to the 2019 HIMSS Cybersecurity Survey, vendors pose a significant risk to the healthcare providers they serve, with 68 percent reporting a significant security incident in 2018. In a domino effect, many of these vendors unintentionally exposed the providers they work with, as in the recent breach of the American Medical Collection Agency (AMCA), whose downstream impact reached 24.3 million patients.
It is crucial that providers understand the risk third-party suppliers pose to their patients and to the business as a whole, and the financial and operational impact of ineffective third-party risk management.
Vendor Risk is Incredibly Costly and Inefficiently Managed
Recently released research, "The Economic Impact of Third-Party Risk Management in Healthcare," analyzed a survey of healthcare IT and security professionals involved in managing their organizations' vendor risk management programs (VRMP). According to the findings, the hidden annual cost of managing vendor risk is $3.8 million per healthcare provider, exceeding the $2.9 million average cost of a data breach to a provider. Across the healthcare industry, the direct and indirect costs of third-party risk management total $23.7 billion per year.
The research also found that 56 percent of healthcare organizations experienced a data breach introduced by one or more third-party vendors in the last two years, and it attributes those breaches to inefficient third-party risk management programs. Some of the most striking findings supporting that conclusion:
- Most organizations do not find the information from vendor assessments valuable.
- Vendor risk management controls and practices are only partially deployed or not deployed at all.
- Organizations are not allocating sufficient budget to have an effective vendor-risk management program.
- Organizations are not requiring remediation or disqualification when an assessment reveals security gaps.
- Only one-third of healthcare organizations automate most of their vendor assessment programs.
Mitigating Third-Party Vendor Risk
Healthcare providers must implement better and more cost-effective approaches to third-party risk management. Many have begun using online platforms to modernize the risk assessment process and manage every vendor in their third-party ecosystem in one network, with immediate access to risk profiles and risk ratings. Digitizing assessments makes the process collaborative and closer to real time, improving visibility for providers and their vendors and suppliers so that areas of risk can be identified and fixed before they lead to a breach.
Reducing the time it takes to assess vendor risk from weeks to minutes is a critical advantage when the number of breaches keeps rising and each one affects associated vendors, providers, and patients. By understanding what is at stake, identifying areas of vulnerability, and using the available technology, providers can protect themselves by improving and automating their third-party vendor risk management processes. Automation saves money and time by reducing manual effort, and it reduces risk, so that providers do not end up alongside their peers on the ever-expanding OCR portal.
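The article describes the ingredients of an automated program (a risk profile and rating per vendor, and remediation or disqualification when an assessment reveals gaps) without showing how they fit together. The following Python is an added example written for this page, not code from the article, the research cited, or any vendor platform. The control catalogue, weights, data-sensitivity multipliers, rating thresholds and remediation windows are all assumptions chosen for illustration, and the vendors are constructed sample data. It shows the decision logic a practitioner would want: an unanswered control counts as a failure, a vendor holding PHI is weighted more heavily, a critical gap at a PHI vendor gets a short remediation window, and a vendor that is past its remediation deadline with findings still open is disqualified rather than re-extended.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed control catalogue (not from the article): control id -> (weight, is_critical).
CONTROLS = {
    "encryption_at_rest": (3, True),
    "mfa_for_remote_admin": (3, True),
    "breach_notification_72h": (2, True),
    "patching_sla_30d": (2, False),
    "subcontractor_oversight": (2, False),
    "annual_pen_test": (1, False),
}
TOTAL_WEIGHT = sum(w for w, _ in CONTROLS.values())

# Assumed multipliers: a vendor holding PHI counts more than one with no data access.
DATA_TIER_MULTIPLIER = {"none": 0.25, "pii": 1.0, "phi": 1.5}

# Assumed remediation windows for critical gaps at PHI vendors versus all other findings.
CRITICAL_SLA = timedelta(days=30)
STANDARD_SLA = timedelta(days=90)


@dataclass
class Vendor:
    name: str
    data_tier: str                          # "none", "pii" or "phi"
    answers: dict                           # control id -> True if attested as in place
    remediation_due: Optional[date] = None  # set when a prior assessment opened findings


def failed_controls(vendor):
    """Controls not attested as in place. An unanswered control counts as failed."""
    return [c for c in CONTROLS if not vendor.answers.get(c, False)]


def risk_score(vendor):
    """0..100: weight of failed controls, scaled by data sensitivity, capped at 100."""
    failed = sum(CONTROLS[c][0] for c in failed_controls(vendor))
    raw = 100.0 * failed / TOTAL_WEIGHT * DATA_TIER_MULTIPLIER[vendor.data_tier]
    return round(min(raw, 100.0), 1)


def risk_rating(score):
    """Assumed thresholds for the rating shown on the vendor's risk profile."""
    if score < 15:
        return "Low"
    if score < 40:
        return "Moderate"
    if score < 70:
        return "High"
    return "Critical"


def decide(vendor, today):
    """Return (action, due_date): findings are remediated on a deadline or the vendor is disqualified."""
    failed = failed_controls(vendor)
    if not failed:
        return ("approve", None)
    # Past the deadline with findings still open: disqualify rather than grant another extension.
    if vendor.remediation_due is not None and today > vendor.remediation_due:
        return ("disqualify", vendor.remediation_due)
    critical = [c for c in failed if CONTROLS[c][1]]
    if critical and vendor.data_tier == "phi":
        return ("remediate", today + CRITICAL_SLA)
    return ("remediate", today + STANDARD_SLA)


def assess(vendors, today):
    """One row per vendor, as a risk register would display it."""
    rows = []
    for v in vendors:
        score = risk_score(v)
        action, due = decide(v, today)
        rows.append({"vendor": v.name, "tier": v.data_tier, "score": score,
                     "rating": risk_rating(score), "failed": failed_controls(v),
                     "action": action, "due": due})
    return rows


# Constructed sample vendors; names and answers are invented for the example.
SAMPLE_VENDORS = [
    Vendor("Collections Co", "phi", {"encryption_at_rest": False, "mfa_for_remote_admin": True,
                                     "breach_notification_72h": True, "patching_sla_30d": True,
                                     "subcontractor_oversight": False, "annual_pen_test": True}),
    Vendor("Imaging Cloud", "pii", {c: True for c in CONTROLS}),
    Vendor("Facilities Svc", "none", {"annual_pen_test": True}),   # questionnaire mostly unanswered
    Vendor("Legacy Billing", "phi", {c: c != "patching_sla_30d" for c in CONTROLS},
           remediation_due=date(2019, 9, 30)),                     # deadline already missed
]

if __name__ == "__main__":
    for row in assess(SAMPLE_VENDORS, date(2019, 10, 1)):
        print(f"{row['vendor']:<15} {row['tier']:<5} {row['score']:>5} {row['rating']:<9} "
              f"{row['action']:<11} due={row['due']} failed={row['failed']}")
```

Treating a missing answer as a failed control is deliberate: a questionnaire that is never completed should raise the vendor's rating, not leave it blank. The disqualification rule runs before the remediation rule so that a vendor cannot reset its deadline simply by being reassessed.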
This article was originally published on AEHiS.org on October 1, 2019. Written approval from CHIME must be received in order to repost.