Why Healthcare Orgs Should Prioritize Third-Celebration Threat Administration

Digital Healthcare Data
,
Governance & Threat Administration

Venminder CEO James Hyde on Decreasing Threat Publicity From Vendor Relationships

James Hyde

•
January 25, 2023    

Day by day, we hear about new knowledge breaches within the healthcare business. With breaches on the rise and the typical price of a healthcare breach reaching a staggering $10.1 million in 2022, it’s no shock that third-party danger administration is a rising concern within the healthcare business.

See Additionally: Reside Webinar | Navigating the Difficulties of Patching OT

To make sure a safe surroundings, regulators such because the Workplace for Civil Rights, Facilities for Medicare and Medicaid Companies, and the Workplace of the Nationwide Coordinator for Well being Data Expertise stress the significance of managing third events to whom healthcare organizations outsource services and products.

The Major Pointers in Healthcare

The excellent news is that there are pointers to elucidate how healthcare organizations ought to handle third events. The 2 principal pointers are the Well being Insurance coverage Portability and Accountability Act and the Well being Insurance coverage Belief Alliance. Here’s a temporary overview:

• HIPAA requires delicate knowledge safety. Which means a affected person’s well being data, reminiscent of medical data, cannot be disclosed with out their consent or data. However for enterprise associates – distributors with entry to PHI – who’ve obtained passable assurance that affected person data is not going to be misused, the HIPAA Privateness Rule permits lined organizations to share protected well being data – PHI – with companies which are HITRUST-qualified.
• HITRUST is a healthcare-specific safety framework utilized by HITRUST-qualified organizations and people to handle knowledge, data danger, and compliance correctly. With a HITRUST certification, a 3rd social gathering can show they’ve met necessities within the HITRUST cybersecurity framework or CSF, reminiscent of HIPAA.

Prioritizing Third-Celebration Threat Administration in Healthcare

With so many third events concerned within the healthcare business, dangers have elevated considerably. Third events typically have entry to delicate data, reminiscent of digital well being data – EHRs, affected person billing, and general affected person communications, which might simply expose delicate data if breached. What are the results of exposing organizational or affected person knowledge? Finally, your monetary viability takes successful as a result of affected person belief is misplaced, your fame is compromised, clients could go away your group, and your fame is compromised.

• The query is: How can a healthcare group cut back its danger publicity and doubtlessly keep away from the results that may consequence from its vendor relationships?
• The reply is: Apply efficient third-party danger administration.

How one can Prioritize Third-Celebration Threat Administration

As a primary step in prioritizing third-party danger administration, a corporation should perceive and apply the third-party danger administration life cycle to all its distributors. This implies having the precise processes to establish, assess and handle vendor danger throughout the three life cycle phases: onboarding, ongoing and offboarding.

• Onboarding distributors: First, it is important to establish the inherent danger and criticality of the connection. As soon as the dangers are recognized, the seller should endure due diligence, which includes gathering and reviewing the seller’s paperwork to confirm that they’re a reputable enterprise entity with an excellent fame and to verify they’ve applicable danger controls. These actions should happen earlier than you signal the contract.
• Ongoing – monitoring: As soon as the contract is signed, it doesn’t suggest the work is completed. Keep in mind that a vendor’s danger can fluctuate, so it is necessary to apply ongoing monitoring. Formal, periodic danger reassessments and due diligence ought to be customary apply to establish new, rising or altering dangers. It is also important to continuously monitor the seller’s danger and efficiency and reevaluate the contract nicely earlier than any renewals.
• Offboarding distributors: Terminating a vendor contract ought to be a part of a proper, structured course of. This often includes notifying the seller that the contract is not going to be renewed, executing a preplanned exit technique and paying remaining invoices.

3 Advantages of Prioritizing Third-Celebration Threat Administration

Although third-party danger administration is difficult, the advantages make it well worth the effort. Prioritizing third-party danger administration can profit healthcare organizations within the following methods:

1. Sufferers are stored secure. Some of the beneficial advantages, affected person security, ought to be one of many largest motivators for efficient third-party danger administration. A sturdy program can shield your sufferers from trendy threats, such because the loss or misuse of their private well being knowledge or compromised medical gadgets.
2. Knowledge safety is a high precedence. With the assistance of a third-party danger administration program, your group and its distributors will likely be extra conscious of the significance of information safety. Knowledge safety goes past consciousness whenever you implement structured third-party danger administration, which incorporates formal assessments and evaluations of your vendor’s data safety practices.
3. There’s much less danger of expensive knowledge breach penalties. The implications of information breaches might be costly. Regulatory fines and penalties and will increase in your cybersecurity insurance coverage premium and affected person knowledge monitoring providers are all prices that may be prevented by third-party danger administration.

Creating an efficient third-party danger administration program takes effort and time however is worth it. Sturdy third-party danger administration practices can maintain your sufferers secure and doubtlessly forestall expensive and damaging situations from occurring within the first place. For right this moment’s healthcare organizations, third-party danger administration ought to be a high precedence.

To be taught extra about third-party danger administration, go to Venminder’s sources library and weblog and register for its CPE credit score eligible webinars.