The risk to health care organizations from a third-party vendor breach is clear. Through August of 2019 alone, 33 breaches were attributed to a business associate or vendor, totaling over 22.5 million records; that is roughly one third-party breach per week. Organizational leaders often struggle to focus on Third-Party Risk Management (TPRM), the management of risk posed by third parties such as vendors who work with an organization and have access to sensitive patient information, despite knowing the benefits of such a program. With a myriad of other responsibilities, focusing on the security of third parties can seem incredibly complex and time-consuming. And it is. It can take a year or more to develop an effective program, depending on the complexity of the organization and the number of third parties. But once the program is in place, protected health information (PHI) and personally identifiable information (PII) are safer and the organization has a much firmer grasp on its overall risk.
By Sean Friel, CEO, Intraprise Health
Before deciding to engage a partner to get a true understanding of third-party risk, it helps to understand the benefits and importance of such an undertaking. Keeping data safe, resolving security gaps (and, more importantly, understanding where the gaps are), and putting processes and protocols in place ultimately makes your organization stronger and helps sustain and grow your business. It is not just an IT issue to solve: third-party risk can jeopardize many areas of your hospital, health care facility, or payer organization.
Once you have decided to engage a partner to help you with your TPRM program, it is time to manage expectations internally and with your new partner, so everyone understands what is expected of each other and what the process will entail. For instance, the process should include every department in the organization that works with data and with third parties, not only IT and procurement. A TPRM process is enterprise-wide.
You cannot rush this process. Most people who undertake the effort to build a TPRM program are surprised by how long it takes and how much work it involves, even after being briefed on the process before it starts. When it is complete, however, they feel a huge sense of accomplishment. In effect, a solid TPRM program and process improves how an organization thinks and works, in addition to protecting its data.
Make sure there is ownership and accountability in your organization for the TPRM program. Those stakeholders are responsible for keeping people engaged in the process and ensuring that objectives are met. They also regularly remind people why they are undertaking this large but necessary endeavor; they are the program's organizational cheerleaders.
Utilizing external experts can help implement an effective program. TPRM program implementation services might include:
- Ensuring stakeholders across the supply chain all share a common vision and goals
- Documenting current and target workflows and processes so everyone involved knows what they need to achieve
- Assessing current-state workflows and processes and revising them into an optimized TPRM service
Here are some milestones that a good TPRM process will employ (keep in mind that each partner will offer different services, but it is important to understand what the process might include):
- Request an assessment: define who is responsible for ensuring that a request is made when it is needed, for example before a contract is signed or when a vendor's access to data changes
- Know the potential risk a third party could pose before starting the assessment (often called "tiering"), based on factors such as the type and volume of data the vendor handles, the level of network or system access it has, and how critical its service is to operations
- Develop a solid, thoughtful, customized questionnaire scoped to that potential risk, so a high-tier vendor answers more, and deeper, questions than a low-tier one
- Collect evidence to validate the questionnaire responses; a "yes" with no supporting evidence is a claim, not a verified control
- Interview key vendor personnel to confirm that they understand and actually follow the security program they have documented
- Distill and compile the gathered information into a consumable report for decision makers
- Log and track every identified risk, regardless of severity, through to remediation
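To make the tiering, questionnaire-scoping, evidence-validation and risk-logging milestones concrete, here is an added example in Python. It is not code from the article or from Intraprise Health; the tiering rules, question weights, severity thresholds and the sample vendor and answers are all assumptions chosen for illustration, and a real program would calibrate them to its own environment.

```python
"""Minimal TPRM assessment flow: tier a vendor, scope the questionnaire to the
tier, treat unevidenced answers as unverified, and log every finding.
All rules, weights and sample data below are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Tier(IntEnum):
    """Lower number = higher inherent risk."""
    HIGH = 1
    MEDIUM = 2
    LOW = 3


@dataclass
class Vendor:
    name: str
    handles_phi: bool        # vendor stores or processes PHI/PII
    record_count: int        # approximate number of records it can access
    network_access: bool     # VPN or direct connection into the organization
    business_critical: bool  # an outage would disrupt care or claims


def tier_vendor(v: Vendor) -> Tier:
    """Assumed tiering rules: PHI at scale or PHI plus network access is HIGH."""
    if v.handles_phi and (v.record_count >= 100_000 or v.network_access):
        return Tier.HIGH
    if v.handles_phi or v.network_access or v.business_critical:
        return Tier.MEDIUM
    return Tier.LOW


# qid -> (question text, least-risky tier that is still asked it, weight)
QUESTIONS = {
    "enc_at_rest": ("Is PHI encrypted at rest?", Tier.MEDIUM, 5),
    "mfa": ("Is MFA enforced for all remote and administrative access?", Tier.MEDIUM, 5),
    "pentest": ("Is an independent penetration test performed annually?", Tier.HIGH, 4),
    "baa": ("Is a Business Associate Agreement signed and current?", Tier.LOW, 3),
    "incident_sla": ("Is breach notification committed to within 72 hours?", Tier.LOW, 3),
}


def questionnaire_for(tier: Tier) -> List[str]:
    """A HIGH-tier vendor is asked everything; a LOW-tier vendor only the basics."""
    return [qid for qid, (_, min_tier, _) in QUESTIONS.items() if tier <= min_tier]


@dataclass
class Answer:
    qid: str
    claimed: bool                    # vendor says the control is in place
    evidence: Optional[str] = None   # e.g. SOC 2 section, policy doc, screenshot id


@dataclass
class Finding:
    vendor: str
    qid: str
    severity: str
    note: str


def severity(weight: int, tier: Tier) -> str:
    """Assumed scale: question weight scaled by tier (HIGH x3, MEDIUM x2, LOW x1)."""
    score = weight * (4 - int(tier))
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def assess(v: Vendor, answers: List[Answer]) -> Tuple[Tier, List[Finding]]:
    """Return the vendor's tier and a risk log with one entry per gap.
    Every gap is logged, including unverified claims, regardless of severity."""
    tier = tier_vendor(v)
    by_id = {a.qid: a for a in answers}
    log: List[Finding] = []
    for qid in questionnaire_for(tier):
        text, _, weight = QUESTIONS[qid]
        a = by_id.get(qid)
        if a is None:
            log.append(Finding(v.name, qid, severity(weight, tier), "no response: " + text))
        elif not a.claimed:
            log.append(Finding(v.name, qid, severity(weight, tier), "control absent: " + text))
        elif not a.evidence:
            log.append(Finding(v.name, qid, "unverified", "claimed without evidence: " + text))
    return tier, log


# Constructed sample input: a claims-processing vendor with PHI and a VPN link.
SAMPLE_VENDOR = Vendor("Acme Claims Processing", True, 250_000, True, True)
SAMPLE_ANSWERS = [
    Answer("enc_at_rest", True, "SOC 2 Type II, CC6.1"),
    Answer("mfa", False),
    Answer("pentest", True),            # claimed, no report supplied
    Answer("baa", True, "BAA-2019-017"),
    # incident_sla left unanswered
]


def run_example() -> Tuple[Tier, List[Finding]]:
    return assess(SAMPLE_VENDOR, SAMPLE_ANSWERS)


if __name__ == "__main__":
    tier, log = run_example()
    print("tier:", tier.name)
    for f in log:
        print(f"{f.severity:>10}  {f.qid:<13} {f.note}")
```

Running it tiers the sample vendor as HIGH, so all five questions are in scope, and the risk log ends up with three entries: the missing MFA control (critical), the penetration test claimed without a report (unverified), and the unanswered breach-notification question (high). The point of keeping the "unverified" entries in the same log as confirmed gaps is that they stay visible to decision makers until the vendor produces evidence, rather than silently counting as passes.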
A good software platform can help facilitate the entire process and might include:
- Configuring TPRM workflows and dashboards, and driving each assessment through those workflows
- Providing access to the third parties themselves, who are active participants in the process
- Collecting questionnaire responses and the evidence that backs them
- Logging risks and tracking their remediation to closure
A health care organization’s data is a vital asset that needs to be protected. Make sure the people who help you safeguard it are security-minded experts.
About the Author
Sean Friel, CEO of Intraprise Health, has dedicated his 35-year career to helping health care organizations implement technology that improves their operations and patient care. He is recognized throughout the industry for his ability to build customer-focused teams that have received industry-leading customer satisfaction scores.
Most recently, Sean led rapid growth at private equity-backed Health Information Technology companies such as Voalte and Lightning Bolt Solutions. As National Vice President of U.S. Sales for Siemens' Health care IT division, his team drove sales to more than US$1 billion. Prior to his 13 years at Siemens, Sean played an instrumental role in the success of Shared Medical Systems (SMS), an early leader in automating hospital systems.
Disclaimer: CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.