The healthcare industry has consistently led all industries in the cost of data breaches. So far in 2023, the average cost of a healthcare data breach is a staggering $11M per incident, an increase of 53% over the last three years. As of August, 40 million patients have been affected by data breaches this year, a pace that is on track to break the record for the most individuals affected in a single year.
Incidents at third-party suppliers, vendors and business associates are the largest and fastest-growing single category, accounting for more than 48% of the 40 million records compromised. This clearly signals that healthcare organizations need to sharpen their focus on, and substantially improve, their third-party risk management (TPRM) strategies.
Third-Party Risk Challenges
Digital transformation and new technologies have driven continuing, rapid growth in the vendor ecosystem and in the number of companies supporting healthcare organizations. Did you know that the average hospital currently has more than 1,300 active vendors? Each of those relationships adds risk exposure, so managing and monitoring the third-party risk life cycle is no longer optional but a critical component of an overall cybersecurity program.
Developing a Robust Third-Party Risk Management Strategy
Here are the key steps in the development of a proactive and integrated TPRM strategy:
1) Start by inventorying all third parties and classifying them by vendor type; that classification then supports vendor risk tiering.
2) Develop a TPRM assessment tool that identifies whether and how the vendor will access, store, use and transmit your data, and which standards the vendor applies to protect that data.
-The assessment result should document each area of vendor risk and recommend remediation for it.
-Use the same assessment tool to reassess vendors periodically, since both the vendor and the environment continue to change.
3) Develop and implement concise contract language that spells out security and privacy requirements and how the vendor will interact with sensitive data, and that clearly establishes vendor expectations, open communication and a collaborative approach. Recommended contractual areas include:
-Require multi-factor authentication (MFA) for every vendor account that accesses your data, across the enterprise.
-For all hosted application and service vendors that store PHI, require an annual SOC 2 Type II report as part of the vendor contract.
-Ensure that every vendor that creates, receives, maintains or transmits PHI on your behalf (a business associate under HIPAA) signs a Business Associate Agreement (BAA) that reflects the latest security and privacy regulations. Send an updated BAA to those vendors for signature on an annual basis.
-For all vendors that access, or could potentially access, PHI, require an appropriate level of cyber liability insurance and include that requirement in the standard BAA.
-Include breach notification requirements in the standard BAA, including the notification timeline: the HIPAA Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovery, and the contract may set a shorter deadline.
4) Develop a risk tiering strategy based on how each third party will use your data. The tier drives remediation activity and the frequency and depth of vendor reviews.
5) Provide comprehensive, ongoing training for all associates, especially those who work with or manage third-party relationships. Many third-party incidents could be prevented with a better understanding of the risks associated with the organization's vendor partners.
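Steps 1 through 4 above (inventory, assessment, contract controls, risk tiering) can be turned into a repeatable check rather than a spreadsheet exercise. The script below is an added example and is not code from the original article or from Signature Performance. The tier rules, the review intervals per tier, the control names and the three vendors in the inventory are all assumptions constructed for illustration; it maps each vendor's data use to a tier, lists the contractual controls that are required for that data use but have no evidence on file, and flags vendors whose reassessment is overdue.

```python
"""Vendor inventory, risk tiering and contract-control gap check.

Added example, not part of the original article. Tier rules, review
intervals, control names and the sample vendors are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed review cadence per tier: tier 1 yearly, tier 2 every two years,
# tier 3 every three years. Higher-risk tiers get more frequent reviews.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}


@dataclass
class Vendor:
    name: str
    vendor_type: str            # e.g. "hosted application", "facilities"
    accesses_data: bool         # touches any organizational data at all
    accesses_phi: bool          # creates, receives, maintains or transmits PHI
    hosted_stores_phi: bool     # hosted application/service that stores PHI
    evidence: set = field(default_factory=set)   # controls with evidence on file
    last_assessed: Optional[date] = None


def assign_tier(v: Vendor) -> int:
    """Tier by how the vendor uses our data; 1 is the highest risk."""
    if v.hosted_stores_phi:
        return 1
    if v.accesses_phi:
        return 2
    return 3


def required_controls(v: Vendor) -> set:
    """Contract controls required for this vendor's data use."""
    req = set()
    if v.accesses_data or v.accesses_phi or v.hosted_stores_phi:
        req.add("MFA")                       # any data access needs MFA
    if v.accesses_phi or v.hosted_stores_phi:
        # Business associates: BAA with breach notification and insurance.
        req.update({"BAA", "BREACH_NOTIFICATION", "CYBER_LIABILITY_INSURANCE"})
    if v.hosted_stores_phi:
        req.add("SOC2_TYPE_II")              # hosted PHI storage: annual report
    return req


def assess(v: Vendor, today: date) -> dict:
    """Tier the vendor, list control gaps and compute the next review date."""
    tier = assign_tier(v)
    missing = sorted(required_controls(v) - v.evidence)
    if v.last_assessed is None:
        review_due = today                   # never assessed: due immediately
    else:
        review_due = v.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    return {
        "vendor": v.name,
        "tier": tier,
        "missing_controls": missing,
        "review_due": review_due,
        "review_overdue": review_due <= today,
    }


def build_report(inventory, today: date) -> list:
    """Assess every vendor, highest-risk tier first."""
    return sorted((assess(v, today) for v in inventory),
                  key=lambda r: (r["tier"], r["vendor"]))


# Constructed sample inventory; the vendors are fictional.
SAMPLE_INVENTORY = [
    Vendor("CloudEHR Hosting", "hosted application", True, True, True,
           evidence={"MFA", "BAA", "BREACH_NOTIFICATION"},
           last_assessed=date(2022, 6, 1)),
    Vendor("Regional Transcription", "transcription service", True, True, False,
           evidence={"MFA", "BAA", "BREACH_NOTIFICATION", "CYBER_LIABILITY_INSURANCE"},
           last_assessed=date(2023, 1, 15)),
    Vendor("Lawn & Snow Co", "facilities", False, False, False),
]

if __name__ == "__main__":
    for r in build_report(SAMPLE_INVENTORY, date(2023, 9, 1)):
        flag = "OVERDUE" if r["review_overdue"] else "ok"
        print(f"tier {r['tier']}  {r['vendor']:<24} review due {r['review_due']} "
              f"[{flag}]  missing: {', '.join(r['missing_controls']) or 'none'}")
```

Running the script lists the hosted EHR vendor first (tier 1) with its SOC 2 Type II report and cyber liability insurance missing and its annual review overdue, the transcription vendor as tier 2 with no gaps, and the facilities vendor as tier 3 with no required controls but an assessment that has never been done. The same `assess` call can be re-run on each reassessment cycle, which is what step 2 recommends.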
Together, these recommended practices give healthcare organizations a standardized way to manage third-party risk and improve their overall security posture. Updating a TPRM strategy, however, is time-consuming and can be very complex.
At Signature Performance, we can help you understand your third-party risks and exposures and partner with you to develop an ongoing TPRM strategy that better manages and mitigates the risks of your third-party partners. If you are ready to take the next step, visit our about us page for more information about our services and solutions.