It has been a banner year for cyberattacks in healthcare, and the threats show no sign of stopping. The growing dangers of cyberthreats should make vendor risk management a business-critical issue for all organizations, and healthcare companies, in particular.
With the increasing number of cyberattacks, intensified regulatory scrutiny and the extreme sensitivity of patient information, healthcare organizations should consider the following proactive steps to improve their vendor security hygiene:
1. Allocate proper resources to your vendor risk management program. Resources mean more than budget: they include skilled people, adequate headcount in the relevant departments, tooling, and the analytic capability to make sense of the data collected. These resources are needed to perform critical program elements such as:
- Risk ranking vendors
- Making sure that contracts are written properly
- Properly scoring and communicating vendor evaluations
In addition, healthcare organizations should have resources in place to manage their risk programs in both roles they occupy: as an organization that outsources services to vendors, and as a vendor that provides contract services to others.
2. Establish a proper governance framework. For a vendor risk management program to succeed, departmental silos must be eliminated and an enterprise-wide governance framework should be established. The program should be structured as a repeatable, ongoing process for managing vendors, so that when a security weakness is identified, either the problem is fixed or the vendor is replaced. The process must be consistent throughout the organization. This consistency is often difficult to achieve in all but smaller organizations, especially for vendors that provide critical services. Healthcare organizations also should have contingency options in place to support decisions when incumbent providers are not compliant. The importance of maintaining contingency options cannot be stressed enough, especially where healthcare organizations store or share PHI or other sensitive data with business associates. Above all, structuring and following the right policies and procedures on an enterprise-wide basis is critically important.
3. Set the tone at the top. Board members and C-suite executives must communicate a sense of purpose and priority throughout their organizations. Otherwise, their organizations are less likely to achieve third-party risk process maturity on a timely basis. Fortunately, according to the survey, understanding of the need to address vendor risk is increasingly widespread. From an enterprise security perspective, it is the C-level respondents who have the most current understanding of the organization's internal capabilities as well as the best reading of the external environment. This understanding is critical for healthcare organizations to develop a vendor risk management program that can meet cyber risks today and in the future.
Rocco Grillo is Managing Director of Protiviti, Inc. and a member of the Shared Assessments Steering Committee. Gary Roboff is Senior Advisor at the Santa Fe Group, which manages the Shared Assessments Program.
Originally posted on GovernmentHealthIT.