How health organizations can effectively manage third-party risk

Post Summary
TPRM is the process of identifying, assessing, and mitigating risks associated with third-party vendors in healthcare.
It protects sensitive patient data, ensures compliance with regulations, and reduces the risk of operational disruptions.
Steps include conducting risk assessments, implementing continuous monitoring, and aligning with industry frameworks like NIST CSF.
Tools like centralized platforms, AI-driven automation, and compliance monitoring systems can streamline TPRM processes.
Governance ensures vendor policies align with organizational standards and regulatory requirements, reducing risks.
Benefits include improved data security, reduced compliance gaps, and a more resilient vendor ecosystem.
[Stephen] Why is there so much interest in third-party risk management going into the year 2020?
[Jigar] There have been a lot of incidents with regards to third parties, both direct third parties and other third parties, tertiary folks. And in the healthcare space, third parties are a critical avenue in the supply chain function, and they conduct a lot of business on behalf of hospital systems, both from a system perspective and from an IT perspective. Many rely on third parties for niche solutions, skills, etc. And they are important and critical cogs in the processing of data. And every time there’s a breach, whether it’s one that you’re familiar with or a different one that you’re not using, it just escalates the need to make sure our critical third parties are secure, safe, and have a plan for business continuity.
A lot of the third parties that I’ve seen in the paper recently are small organizations with no business continuity or disaster planning in place. So, if they have a virus, a ransomware attack, their systems go down and it impacts us because we’re using them for critical business operations, both from a hospital perspective and from an IT perspective.
[Stephen] What are some ways that the healthcare providers watching HIMSS TV can begin to better manage their third-party risk and to work with their third parties?
[Jigar] First things first, they have to have an inventory of their third parties. They need to determine which third parties are the most critical, prioritize those, and then go do some type of assessment to make sure their third party has the tools, processes, procedures in place, where you feel comfortable. Whether it’s a risk assessment or a feasibility analysis, something where you feel comfortable with them and you’re okay with whatever their approach is.
[Stephen] How does Censinet differ from other products on the market today? Like what’s unique about it?
[Ed] Yes, we take a fundamentally different approach. So, we believe the way to solve the problem is to connect the providers with their supply chain of vendors, and have that transaction done in real time versus sending out questionnaires via Excel spreadsheets or Word documents or PDFs. We believe doing that online and enabling the vendor to do the right thing and do it one time, but share those results and share the evidence with the provider community at any point in time, is the way to go. Both sides benefit.
The providers can get their assessments done in a much faster time. Where we’re seeing averages today, before Censinet, somewhere in the eight to twelve weeks, we’re getting assessments done in less than five days. Also, the accuracy and the quality of the assessments are really important as well. And you’re able to actually store and maintain that evidence now based on the responses to the questionnaires. That also is invaluable. So, you can correlate the responses with the actual evidence that’s provided on behalf of that third-party vendor.
[Stephen] Why are healthcare providers using Censinet?
[Jigar] One, it’s healthcare provider-only. Two, a number of healthcare providers helped create it. And three, I don’t know if it’s healthcare providers or the healthcare industry, but there seems to be a lot of sharing, and we’re all facing the same issues as it relates to third parties.
[Stephen] How is Censinet helping these providers achieve their goals? What are the benefits?
[Jigar] A consolidated platform for workflow for third-party risk assessments, scoring data, vendors that proactively are a part of the system. If I’m going to use a vendor and they’re already part of Censinet, then I don’t have to redo all the work. That saves man-hours and time from my team as well as from the third party themselves.
[Stephen] What are your predictions in 2020 for the risk management space?
[Ed] I think this will be the year of risk management. I think more than ever, there’s a lot of investment being made in this space. There are a lot of new companies and a lot of new vendors coming at this problem, trying to solve the problem. Again, we think creating the collaborative risk network is the way to do that, and that’s Censinet’s approach. But there are other approaches too and some of them are pretty recent. And some of them, again, are based on these old assumptions that, you know, you can spend a year and wait until a reassessment is done.
We don’t believe that. We believe in the continuous monitoring and the reassessment of a vendor. We think that’s the way to do it, and we think also you get more coverage of your vendors across your supply chain by doing it that way.
Key Points:
What is third-party risk management (TPRM) in healthcare?
- Definition: TPRM is the structured process of identifying, assessing, mitigating, and managing risks associated with third-party vendors, suppliers, and contractors in healthcare.
- Purpose: It ensures that external entities comply with healthcare regulations and do not pose risks to sensitive data or operations.
Why is managing third-party risk critical for healthcare organizations?
- Data Protection: Third-party vendors often have access to sensitive patient data, including PHI and PII, which are valuable targets for cyberattacks.
- Compliance: TPRM ensures adherence to healthcare regulations like HIPAA, reducing the risk of penalties.
- Operational Continuity: It minimizes disruptions caused by vendor failures or breaches.
What are the key steps to managing third-party risk in healthcare?
- Risk Assessments: Conduct thorough assessments to evaluate vendor cybersecurity health and compliance.
- Continuous Monitoring: Regularly monitor vendor activities to identify and address risks proactively.
- Framework Alignment: Align with industry frameworks like NIST CSF 2.0 to standardize risk management practices.
What tools can healthcare organizations use for TPRM?
- Centralized Platforms: Platforms like BluePrint Protect™ consolidate vendor risk data and automate compliance alerts.
- AI-Driven Automation: AI tools streamline risk assessments and incident response planning.
- Compliance Monitoring Systems: Tools that track regulatory adherence and flag potential gaps.
How does governance enhance third-party risk management?
- Policy Alignment: Governance ensures vendor policies align with organizational standards and regulatory requirements.
- Risk Prioritization: Develop risk rating systems to evaluate and prioritize vendor risks based on criticality.
- Cross-Functional Collaboration: Involve legal, compliance, and clinical teams to ensure a comprehensive approach.
What are the benefits of a robust TPRM program?
- Enhanced Security: Protects sensitive data from breaches and unauthorized access.
- Compliance Assurance: Reduces compliance gaps and ensures adherence to regulations.
- Operational Resilience: Builds a more resilient third-party ecosystem, reducing disruptions.