Why Vendors Need to Defend Highly Targeted Healthcare Providers from Third-Party Risk

It’s critical that vendors take responsibility for the risk they might potentially introduce to their clients.

Ed Gaudet | June 22, 2019

Healthcare data is highly valuable, as just one medical record can be worth up to $250 on the black market (compared to $5.40 for the next highest valued record). As a result, the healthcare industry continues to be the most targeted industry by hackers, with an increasing number of reported breaches occurring year over year.  

To gain access to healthcare providers’ sensitive information, hackers often target third-party vendors – the electronic lifeblood of a healthcare system. These partners (an average of 1,000 vendors per hospital) are crucial to healthcare providers as they help to manage everything from patient electronic health records and life-sustaining medical devices, to payroll and cybersecurity. This is why it’s no surprise that 68 percent of vendor organizations reportedly experienced a security incident in 2018, and in a domino effect, 20 percent of healthcare organizations were compromised throughout the year. 

Vendors have a responsibility to their clients, as they are trusted with access to their network and sensitive data. With this trust and operational responsibility comes the need to identify, assess and remediate potential third-party vendor risks to the privacy and security of protected health and confidential information in a frequent and transparent way: third-party risk assessments. 

Unfortunately, the process of conducting third-party assessments is incredibly inefficient and expensive for both vendors and healthcare providers. Due to a lack of resources, historically, these assessments have been manual, time-consuming, and non-repeatable. On average, they take eight or more weeks to finalize, and even after that, many are outdated almost as soon as they are completed as a result of dynamic product updates, environmental configurations, and cyber threats that change much more frequently than in the past. 

This is why providers have started utilizing online platforms to modernize the risk assessment process, enabling them to take a more streamlined and efficient approach – and their vendors are benefiting as well. The era of manual spreadsheets is over. Providers are turning to technology that digitizes risk assessments and creates a more collaborative process that improves visibility for providers and their vendors or suppliers. With this, comes the ability for vendors to:  

  • Complete and reuse standardized risk assessments based on NIST standards  
  • Control who has access to their risk assessments in real time 
  • Access and manage all product and service risk assessments (including all supporting evidence) from a single pane of glass 
  • Respond to subsequent assessment requests with one click 
  • Update any changes to their risk profile in real-time based on product patches, minor, and major upgrades, vulnerabilities, etc.  
  • Spend more time supporting their healthcare providers 

Beyond adopting technology solutions, there are several common sense strategies that healthcare vendors and other third parties can use to ensure they’re not putting providers at risk. This includes the need for internal education, regular cybersecurity training for all employees, and awareness campaigns designed to let all employees know about the threats that are out there. The threat landscape is constantly changing as attackers look for new exploits, and it shouldn’t just be up to cybersecurity and IT staff to help keep the company secure. Attackers often target individual employees through phishing attacks and other exploits, and it’s critical for all companies to take a security-first approach.  

It’s critical that vendors take responsibility for the risk they might potentially introduce to their clients. Through making an effort to effectively manage and reduce these threats and modernizing antiquated processes that evaluate and pinpoint areas of vulnerability, providers and vendors can get back to focusing on their main priority – servicing customers and delivering the highest quality of care. 

Click here to get your copy of the Censinet White Paper “Healthcare Third-Party Vendor Risk Management in the 21st Century” and learn more about the problems in current healthcare third-party vendor risk management and demonstrate how a collaborative cloud platform like Censinet automates third-party vendor risk management securely and efficiently.

This article was originally published in the June 2019 edition of Insight, CHIME Foundation’s monthly newsletter. Written approval from CHIME must be received in order to repost.

Join Mailing List

To learn more about Censinet, please join our mailing list. We'll send you periodic updates about our company, products, customers, innovations and more!

Overthrow the third-party vendor risk management status quo in healthcare.