As healthcare organizations continue to utilize vendors to provide more efficient and state-of-the-art care and management, they must also make their third-party (i.e., vendor) risk management program more comprehensive.
Third parties with access to organizations’ protected health information (PHI) and/or personally identifiable information (PII) create a significant risk for data breaches within the healthcare sector. Specifically, in April 2019, CynergisTek Inc. measured healthcare organizations against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules and reported that third parties account for more than 20% of healthcare sector breaches. This third-party risk, coupled with the sensitivity of the data that healthcare organizations manage, creates an urgency within the healthcare industry’s C-suite to place increased oversight on third-party risk management operations.
OneTrust Vendorpedia™ sat down with Barbara Guerin, the CISO of Renown Health, the largest locally owned not-for-profit healthcare network in Northern Nevada, to hear her third-party risk recommendations and best practices.
Understand Regulatory Obligations
HIPAA became law in 1996, but since its implementation, the scope of the act has expanded significantly. In the simplest terms, HIPAA's purpose is to improve healthcare industry efficiency; improve the portability of health information; protect the privacy of individually identifiable health information; secure the confidentiality, integrity, and availability of electronic PHI; and ensure that patients are notified in the event of a breach.
According to Guerin, understanding the obligations imposed by HIPAA's Privacy and Security Rules is the first step a healthcare organization should take to implement a successful third-party risk management program.
The assessment, analysis, and management of risk, including third-party risk, provide the foundation of HIPAA Security Rule compliance efforts. HIPAA requires third-party or vendor contracts and Business Associate Agreements (BAAs) to include privacy and security assurances. Conducting risk assessments on vendors and monitoring them continuously enables your organization to evaluate vendors' readiness and ability to comply with HIPAA's security requirements and to protect the privacy of patients' PHI.
Guerin states, "Exercising due diligence in third party relationships is an increasingly complex challenge due to HIPAA's multiple security requirements." She goes on to say, "depending on an organization's business practices, they may have varying degrees of third-party risk requirements."
Because of such circumstances, she believes “healthcare organizations have a regulatory and fiduciary obligation to exercise due diligence over third parties.” She recommends the best practice of seeking out industry experts familiar with HIPAA to ensure you understand your obligations under HIPAA and implement them appropriately.
Determine Risk Appetite
Risk appetite is the amount and type of risk that an organization is willing to accept in the pursuit of its goals.
Guerin believes that "healthcare institutions should take a heightened risk-based approach and look beyond a 'meets minimum' level of compliance because the risk of doing business with certain third parties outweighs their related benefits."
For example, Guerin explains that if a third party is providing insulin testing devices, then a healthcare institution may not be willing to take on that vendor's heightened risks despite the benefits it provides patients. On the other end of the spectrum, if a healthcare institution relies on a third party for paper products, then the organization will likely have a higher risk tolerance because the vendor is not as critical to its operations and it can more easily find another vendor to provide that product or service. That said, healthcare institutions should work with the vendor, business owner, security, and procurement teams to ensure that they account for all risks and monitor them regularly.
Ultimately, healthcare organizations’ risk appetite will change based on the type of third-party product or service they are utilizing.
Simplify and Consolidate Vendor Asks
Industry regulations and security best practices require businesses to ensure that their third parties implement adequate data security controls, but assessing these controls can be inefficient and costly, while often causing assessment fatigue among vendors.
Guerin recommends simplifying the assessments imposed on a vendor based on its offering type. She believes that this approach not only gets responses faster but also lightens the workload for the information security risk management team, so it can focus on high-priority third parties.
In targeting the key risks and controls, and leveraging consolidated assessments, healthcare organizations will be able to reduce third-party assessment fatigue and the time and labor needed to complete an exhausting vendor survey. Ultimately, this speeds up communications and allows a healthcare organization to implement offerings faster.
Partner with Procurement
Guerin believes the fourth key to third-party risk management success is good engagement between the procurement team and the information security teams.
Typically, the procurement team is more engaged with the vendor than the information security team because it works directly with the business users to understand the scope and context of what the organization will be procuring from the vendor. To understand the contextual risk associated with using that vendor, information security should collaborate with the procurement team.
Depending on the overall process within your organization, each of these teams needs to communicate with the other to know when the healthcare organization can fully onboard the vendor.
Implement a Tool
Individuals managing the third-party risk lifecycle face difficulties when researching the third parties, completing risk assessments on time, and determining when new risks emerge. As organizations continue to increasingly rely on third-party vendors in the current environment of frequent data breaches, it is now more important than ever for risk solutions to adapt and modernize to solve both privacy and security challenges.
Guerin recommends implementing a tool to automate the entire vendor lifecycle. In doing so, healthcare institutions can triage and assess risks, manage vendor contracts and BAAs, demonstrate record-keeping compliance, perform ongoing vendor audits, and fully offboard vendors when necessary, decreasing the burden of healthcare-related third-party risk obligations.
How OneTrust Vendorpedia helps with HIPAA compliance
There are many challenges when it comes to managing third-party risk in the healthcare industry. In working with more than 4,500 customers, many of which are subject to HIPAA, OneTrust Vendorpedia has developed a purpose-built tool to simplify and automate complex third-party risk management challenges for healthcare organizations.