Third Party Vendor Risk Management

Richard Staynings addresses the need for better Third Party Risk Management @VAHIMSS18
Let's face it, most healthcare Covered Entities do a lousy job of managing risk, especially cyber risk in a world where data flows everywhere to meet government Meaningful Use requirements. In fact, as an industry, we almost myopically interpret "risk" to mean clinical procedures or hospital-acquired post-operative infection rates. In an HDO (healthcare delivery organization), risk is all about patient safety. But patient safety is much more than clinical risk: it includes the availability of the IT systems used to diagnose, monitor and treat patients; it depends on the validity and integrity of health IT data used to make treatment decisions; and it extends across the entire healthcare delivery supply chain.

Cyber risks in healthcare are not confined to the data center, to nursing stations, or to the PHI that flows back and forth between health insurers, HIEs, government agencies and patients. The risk web is very much bigger than that. It includes thousands of suppliers, vendors and partners stretching right across the globe: business process and IT outsourcers in India; complex manufacturing supply chains for medical equipment in China, Brazil, Germany, the UK and Australia; the company that provides hot meals to patients and food and coffee for the hospital cafeterias; the pharmaceutical companies conducting clinical trials; and the biomedical engineering companies that provide prosthetic limbs to your patients or an IMD (implantable medical device) that leaves the hospital with them. In short, anyone who has physical access to your sites, network access to your IT, or who processes your data, regardless of whether they ever see one of your patients.

A recent Vendor Vulnerability Index research report released by Bomgar found that breaches originating with third parties account for two-thirds of the total number of reported cyber breaches. The study found that only 46% of US companies said they know the number of log-ins that could be attributed to vendors, and that fewer than 51% enforce policies around third-party access. Furthermore, 69% of respondents said they 'definitely' or 'possibly' suffered a security breach resulting from vendor access in the past year. If you cannot enumerate which accounts and sessions belong to vendors, you cannot monitor them, revoke them, or scope what they can reach.

Let's not forget that the Target breach of 40 million credit card numbers and 70 million customer records began with network credentials stolen from one of Target's HVAC vendors, whose remote access gave the attackers a foothold from which to reach the payment environment. It cost Target over $300 million, the jobs of its CEO and CIO, and lasting damage to the retailer's reputation.

The consensus among security professionals is that the risk posed by third parties is not only substantial but increasing every year. Gartner stated in its June 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. So why is it that health system CEOs are focused on other things? It could be that the healthcare industry has so many challenges that third-party vendor risk management (TPVRM) is simply further down the list; it could be that very few HDOs feature in the prestigious Fortune 500 list; or it could just be that healthcare CCOs, CROs and CISOs haven't gotten the message across to their CEO yet. Either way, they need to!

I shared a number of tips and suggestions during my presentation today at the VAHIMSS Annual Conference to help executives construct or refine their TPVRM process. My slides can be found here.

Thanks to everyone who attended and asked some great questions, and to the leadership and sponsors of the conference who helped put on a great 3-day event in Williamsburg, VA.

Stories and articles may be republished without charge provided that attribution is provided to the source and/or author.