Why the Provider Community Needs a One-Stop Shop for Vendor Risk Management
The security risk posed by third-party healthcare vendors keeps Aaron Miri up at night. Miri is the CIO of Dell Medical School at the University of Texas at Austin and UT Health Austin and an evangelist for better healthcare vendor risk management solutions.
“Healthcare is the nexus point for every other industry in our country and in our world,” said Miri in a recent interview with healthcareinfosecurity.com. “That takes information flow, that takes patient care, that takes caregivers and that takes the actual patient data itself and interchanges among so many third parties across the entire landscape, not just within healthcare, but in clearinghouses and manufacturing.”
In the interview, Miri spoke about the security risks to healthcare providers and how the Censinet Platform helps his organization mitigate those risks. According to Miri, Censinet not only replaces inefficient manual processes with continuous monitoring and deep drill-down to detailed vendor information but more importantly, provides a central place where the community of healthcare providers and third-party vendors can collaborate and share critical risk information.
Third-Party Vendor Security Risks
Third-party vendor security risk is a real problem for healthcare providers. The US Office of Civil Rights (OCR), the government agency that regulates HIPAA compliance, the number of data breaches in the healthcare industry continue to increase. In March 2019 alone, there were 31 breaches reported to the OCR that compromised the personal health information of 883,759 people, an increase of 155% from the same period a year ago.
Third-party vendors are responsible for 50% of all data breaches. While data breaches threaten the privacy of patient health information and generate fines for providers and vendors, the more serious risk from third-party vendors is to patient care. Aaron Miri offered medical devices as one example of how patient care can be affected by third-party vendors.
“It is the devices that tend to have some sort of patient care interaction, whether they physically touch the patient or they’re in the actual care area such as a surgical suite,” said Miri. “I think everybody’s had the personal experience of updating your home computer and suddenly something runs afoul, and the device is unusable. The last thing you want is an operating room device to suffer that exact same circumstance.” While device vendors do tend to be very cautious, the devices themselves are the most vulnerable because they’re not updated or patched very often. “You can’t just turn them off at will and say let me update this thing; you have to work with the vendors to get those updated,” said Miri.
Foreign Espionage is Not Just in Spy Movies
When people think of foreign espionage, they usually conjure up images from a James Bond movie, but protecting healthcare data from foreign spies is actually a significant concern for healthcare providers, especially in a university setting.
Miri provided an example. One of UT Health Austin’s sister organization recently expelled three foreign scientists because they were caught trying to steal intellectual property. “We’re finding that there are a number of bad actors both physically present as well as remote that are trying to get into our data repositories and take the intellectual property, said Miri.
But foreign spies are also costing the healthcare industry a lot of money. In the interview, Miri spoke about these costs. The theft of patient data is worth 400 dollars a pop or so and growing every day in terms of value, he said. “You now have these academic medical centers and healthcare institutions around the world and literally if you put a valuation on all the data they have, it’s probably more than the amount of physical currency in process right now across the globe.”
Continuous Monitoring and Drill-Down in the Censinet Platform
Because CIOs like Aaron Miri are trying to manage risk for a growing list of third-party vendors, it’s critically important that they stay on top of the process, asking questions and understanding how they are mitigating risk with the medical devices suddenly entering into the system. To properly assess security and look at privacy, Miri said “we’d have to look at it on an annual, monthly and continuing basis, and that’s difficult.”
In the past, healthcare providers like Miri’s relied on manual processes to manage risk. “We used to have a small army of people crawling through pages and crawling through documentation, saying ‘hey, let’s figure out how XYZ vendor is doing today.’” That’s where the Censinet Platform comes in. Censinet is a cloud platform that provides continuous active monitoring and a centralized location in which to manage risk, so Miri can look at every vendor at any time to see how their risk is being managed, see the latest potential risk and quickly mitigate that risk.
Miri also talked about the importance of having access to the most detailed third-party vendor and product information and how Censinet allows him to do this. “The platform itself is designed to get all the way down to the minutiae of what the vendor is willing to share. You can drill all the way down into those specific alerts and even request further information or highlight areas about you want further clarification on.”
The Power of the Network Effect
When it comes to vendor risk management programs, Miri stressed the importance of ease of use, speed and the ability to take action. But to Miri, the most important aspect of the Censinet Platform is what he calls “the network effect.”
“The power of Censinet at the end of the day is the network effect – having more vendors and having more providers on it suddenly gets you a view of what is actually going on in the landscape,” he said. Miri and healthcare CIOs have little time to sift through tons of alerts or fields. They need a one-stop shop where the vendors can easily update their information and be centrally managed.”
Miri believes that healthcare organizations and vendors also must collaborate in order to properly manage risk. He pointed to the Censinet Platform’s ability to connect healthcare organizations so that they can share detailed information about a specific vendor product and its risk status. “We can quickly see from a laundry list who the good actors are versus those who had opportunities to grow, and we can make buying decisions based on it.”
Miri praised the “one-stop shop” advantage of Censinet. “We want this product but it’s just not up to snuff, you’ve got to do a, b and c and give fair feedback to the vendor community to say this is what we’re looking for to raise the game. You don’t want to just be pounding vendors on the head saying get better, get better, it’s got to be a constructive dialog, and that’s what Censinet was designed to do, to give you that one stop shop.”
Miri continued to stress how Censinet helps foster a community approach to vendor risk management solutions. “In the community itself, we’re looking at how to enable people to be able to use their personal devices and store their medical records numerous other ways of using patient data effectively. All of that is only possible by using platforms like Censinet.”
Summary
With increased risk to patient health information and healthcare product information, healthcare organizations and their CIOs face continuing challenges. The Censinet Platform provides real-time dynamic risk management with active continuous monitoring; enables collaboration with peers who face the same challenges and understand the unique requirements, complexities and nuances of the healthcare industry; and allows best practices to be fully documented, continually tested, and improved.
Aaron Miri finally has the third-party vendor risk management platform that he needs. “To be able to say what’s our risk, what are going to do if, how do we deal with this, what would be our response to this, and it’s federally mandated that we have to make sure that we’re staying on top of our business associates. Censinet gives you that central place to look at all of that, deal with and manage and mitigate any risks.”
To see the entire interview with Aaron Miri, click here.