The industry requires a more cost-effective approach to third-party risk management.
Third-party vendor risks cost the healthcare industry $23.7 billion per year, according to a new report from Censinet and the Ponemon Institute.
The report, “The Economic Impact of Third-Party Vendor Risk Management,” also revealed that the yearly hidden costs of managing vendor risk are $3.8 million per healthcare provider. And over the past two years, 56% of healthcare organizations experienced a data breach at the hands of one or more third-party vendors.
“This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management,” said Ed Gaudet, CEO and founder of Censinet, which builds related technology.
Researchers analyzed the results of a survey taken by 554 healthcare information technology (IT) and security professionals who manage their organizations’ vendor risk management programs. Every respondent said their organization is covered by the Health Insurance Portability and Accountability Act (HIPAA) and has a vendor risk-management program.
The survey revealed that risk management practices do not keep up with third-party cybersecurity vulnerabilities.
More than half of respondents said they conduct assessments to evaluate cyber and other risks stemming from third-party vendors. Yet 76% agreed or strongly agreed that current risk management processes using spreadsheets and emails are inefficient, not scalable, costly and do not reduce exposure to data breaches, ransomware and downtime.
More than 65% of respondents agreed or strongly agreed that there should be an increase in investigations and fines from the U.S. Department of Health and Human Services Office of Civil Rights due to deficiencies in vendor risk management. A majority also said manual processes cannot keep pace with the increase of digital applications and devices.
The growing number of medical devices is also increasing third-party risk. These technologies are connected to the internet, making them inherently risky, 72% of respondents said.
While all of the respondents’ organizations are covered by HIPAA, 60% said they believe the act requires annual assessment of third-party risks. But only 27% said their organization assesses every vendor each year. This is because respondents believe their approach to risk assessments takes away resources from other things such as staff training, building controls over data assets, incident response planning and upstream communications.
Plus, many organizations do not find the information from these assessments valuable. Only 40% of respondents said the results are very valuable for C-suites. But not completing all assessments puts organizations at risk.
71% of respondents agree that vendors with access to personal health information are a priority for due diligence and assessment.
Only a third of respondents automate most of their vendor assessment programs. Some respondents (35%) said they use a combination of automated and manual procedures and tools, while 31% said assessments are manual.
Just 41% of those surveyed said they have the ability to automatically access vendor assessments and supporting evidence. And fewer than 40% said they can continuously update changes to third-party risk and to standardized vendor assessment questionnaires.
“It’s clear that healthcare providers are in a tough spot,” said Larry Ponemon, Ph.D., chairman and founder of Ponemon Institute, which researches data protection. “The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem.”