Third-Party Vendor Risk Management in Healthcare

Post Summary

What is third-party risk management (TPRM) in healthcare?

TPRM is the process of identifying, assessing, mitigating, and managing risks associated with third-party vendors in healthcare.

Why is third-party risk management important in healthcare?

It protects sensitive data, ensures compliance, and reduces operational, financial, and reputational risks.

What are the key risks associated with third-party vendors in healthcare?

Risks include data breaches, non-compliance with regulations, and operational disruptions.

How can healthcare organizations manage third-party risks effectively?

By implementing centralized platforms, conducting vendor risk assessments, and ensuring continuous monitoring.

What role does governance play in third-party risk management?

Governance ensures that vendor policies align with organizational standards and regulatory requirements.

What are the benefits of a robust TPRM program?

Improved data security, reduced compliance gaps, and a more resilient third-party ecosystem.

One of the realities I’ve seen is that the healthcare CIO is largely a vendor manager. I’ve grown that view a bit to include the management of people, but that’s the majority of a CIO’s job. Manage the people that work for the CIO and manage the vendors that work with their organization.

This is not a knock on CIOs. This is really important work that they’re doing. It is, however, a recognition that much of the risk they take on as CIO depends on the vendors with whom they work. This is true from an innovation perspective, where the vendor’s innovations will make the CIO look either really good or really bad. It’s also true from a multitude of other financial, legal, security, and reputational standpoints as well.

How then are CIOs managing their third-party vendor risk?

I’m sad to say that the reality for most organizations is simply: a bunch of spreadsheets.

Chew on that for a minute. A CIO’s third-party risk is being managed by a bunch of spreadsheets. I love a spreadsheet as much as the next person, but we know that a file on SharePoint is the place where documents largely go to die. Plus, managing hundreds of spreadsheets across a wide variety of vendors is brutal.

This is why I was intrigued when the opportunity to meet with Ed Gaudet, CEO and Founder of Censinet was offered to me. Plus, I was able to meet with two of their customers: Aaron Miri, CIO at The University of Texas at Austin, Dell Medical School and UT Health Austin, and Joel Vengco, SVP & CIO at Baystate Health.

For those not familiar with it, Censinet offers the first third-party vendor risk management software platform built for healthcare. Both Aaron and Joel gave the strongest recommendation for a piece of software that I’ve seen from a CIO in a long time, likely because they’d lived the life of managing risk with spreadsheets and knew the pains that come with such a process.

I asked Ed Gaudet to share what areas of risk management they covered in their platform and he shared the following:

"Censinet provides risk questionnaires for pre-purchase initial risk assessments and post-purchase reassessments. These questionnaires assess 5 risk areas: Financial, Legal and Regulatory, Information Security, Availability, and Resiliency. Each risk area has 1 or more assessment domains. All questionnaires are based on and map to industry standard frameworks and regulations such as NIST, ISO, HIPAA, GDPR, and PCI.

Questionnaires support several product types: on-premise software/hardware, cloud software/hardware, hybrid, medical devices, mobile applications, consultancy. Censinet also supports healthcare-specific use cases such as assessing the risk of affiliated physician practices, internal software development projects (SDLC), information exchange between covered entities, institutional research board (IRB) initiatives, and internal enterprise risk assessments."

As Aaron Miri told me, “It’s so simple and useful, you wonder why no one had done it before.” Sometimes it’s the simplest ideas that are the best. The power to me is that it provides one cloud-hosted option to track all of your risk management in one place. Just having that standardized process is a huge help on its own.

However, talking with them I learned of some other nice benefits. The first is the ability for healthcare organizations to collaborate with other healthcare organizations to ensure compliance. Lest you think they’re sharing compliance data, they’re not. Each organization has its own compliance efforts. However, Joel Vengco pointed out how he loved Censinet because it gave him the opportunity to collaborate with people like Aaron Miri who may have already dealt with compliance for a certain vendor or with another risk management situation. Basically, Joel can discover things he should consider asking, or making part of his own risk management and compliance efforts, from others who have been through the process before.

I was also intrigued by the benefits Censinet offered to vendors. Every vendor knows how miserable the compliance and risk management process can be. On Censinet, a vendor can take a completed risk assessment for one organization and share it with multiple healthcare organizations. Obviously, they can control who sees the assessment and can answer any custom requirements from an organization. However, the bulk of the previously done risk assessment can just be shared with as many organizations as they want.

What I loved even more was that these risk assessments weren’t just one and done. We all know that the threat landscape is always changing and new software is being released regularly. In Censinet, vendors can update an assessment in real time to reflect any patches or upgrades made to the software. That way the healthcare organizations all have the latest risk assessment information without having to go back and dig up that spreadsheet from their file storage system.

Needless to say, I was impressed by what Censinet has accomplished. It really is a simple idea that provides a lot of value to healthcare organizations. Plus, it standardizes a tedious and challenging process and streamlines it as much as possible for both healthcare organizations and vendors.

The only bad news for Censinet is that if they’re doing a good job, we won’t hear anything about it. The risks will be mitigated and tracked appropriately and CIOs will sleep a little better at night.

This article was originally published on Healthcare IT Today by John Lynn

Key Points:

What is third-party risk management (TPRM) in healthcare?

  • Definition: TPRM is the structured process of identifying, evaluating, mitigating, and managing risks associated with third-party vendors, suppliers, contractors, and business associates in healthcare.
  • Purpose: It ensures that external entities comply with healthcare regulations and do not pose risks to sensitive data or operations.

Why is third-party risk management important in healthcare?

  • Data Protection: Third-party vendors often have access to sensitive patient data, including PHI and PII, which are valuable targets for hackers.
  • Compliance: TPRM ensures adherence to healthcare regulations like HIPAA, reducing the risk of penalties.
  • Risk Mitigation: It minimizes operational, financial, and reputational risks associated with vendor relationships.

What are the key risks associated with third-party vendors in healthcare?

  • Data Breaches: Vendors with access to sensitive data can become entry points for cyberattacks.
  • Non-Compliance: Failure to meet regulatory requirements can lead to fines and legal issues.
  • Operational Disruptions: Vendor failures can disrupt critical healthcare services.

How can healthcare organizations manage third-party risks effectively?

  • Centralized Platforms: Use platforms to track vendors, manage documentation, and streamline audits.
  • Vendor Risk Assessments: Conduct thorough assessments to evaluate vendor cybersecurity health and compliance.
  • Continuous Monitoring: Regularly monitor vendor activities to identify and address risks proactively.

What role does governance play in third-party risk management?

  • Policy Alignment: Governance ensures vendor policies align with organizational standards and regulatory requirements.
  • Risk Prioritization: Develop risk rating systems to evaluate and prioritize vendor risks based on criticality.
  • Cross-Functional Collaboration: Involve legal, compliance, and clinical teams to ensure a comprehensive approach.

What are the benefits of a robust TPRM program?

  • Enhanced Security: Protects sensitive data from breaches and unauthorized access.
  • Compliance Assurance: Reduces compliance gaps and ensures adherence to regulations.
  • Operational Resilience: Builds a more resilient third-party ecosystem, reducing disruptions.
