Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare
The Health 3rd Party Trust Initiative (Health3PT) has published the findings of a recent survey of HIPAA-covered entities and their business associates that explored the current state of third-party cyber risk management in healthcare and identified some of the key challenges faced by HIPAA-regulated entities.
Supply chain vendors and service providers introduce risks that need to be identified, managed, and reduced to a low and acceptable level; however, the methods used to manage third-party risks are often burdensome and inadequate. The survey, which covered 59 HIPAA-covered entities and 128 business associates, found that significant resources and money are committed to managing third-party risk, yet 68% of covered entities and 79% of business associates say their third-party risk management (TPRM) processes are inefficient, and 60% of HIPAA-covered entities and 72% of business associates think TPRM is not effective at preventing data breaches.
55% of healthcare organizations have experienced a data breach in the past year through a third party, and 90% of the most significant healthcare data breaches in 2022 occurred at business associates of HIPAA-covered entities. The average cost of those data breaches was more than $10 million per incident. According to Health3PT, there are significant blind spots in organizations’ third-party information security management programs. These are caused by organizations and vendors handling assessments differently and, in many cases, relying on manual processes.
Many organizations lack the necessary resources to follow up on vendor risk management efforts, and while vendors provide assurances that information security controls have been implemented, they do not consistently demonstrate that appropriate controls are in place. One of the main problems is that covered entities and business associates rely on outdated TPRM approaches, which produce inconsistent and unclear risk management outcomes. TPRM processes at many healthcare organizations have not changed for decades and were not particularly effective even when they were introduced, as they were adopted from other verticals and never properly matched the needs of healthcare organizations. These processes have also failed to keep pace with advances in technology, such as the use of the cloud.
The biggest challenge for covered entities is keeping pace with the volume of security assessments. Because of the number of vendors used by healthcare organizations, vendor audit fatigue often sets in. Healthcare organizations receive a high volume of security questionnaires from vendors but do not have the IT resources to process them, which means third-party vendors are not properly evaluated and risks are not properly addressed. Other key challenges were getting vendors to address deficiencies, the turnaround time for assessments, obtaining transparent assurances from vendors that satisfy requests the first time around, and keeping up with the changing threats and risks associated with vendors.
The biggest challenges for business associates were getting customers to accept a validated assessment in lieu of questionnaires, handling the variability of questionnaires and audits, and the time allowed to provide quality responses and evidence to requesting customers. Covered entities and business associates both admitted to feeling overwhelmed by TPRM processes and felt current processes are not effective at preventing data breaches. Both groups expressed a desire to improve TPRM efficiency through improved collaboration, standardization, and automation.
Third parties pose major risks to healthcare organizations and there is considerable potential for those risks to compromise privacy and patient safety. Some of the main shortcomings with TPRM are the lack of an overarching methodology for risk-tiering vendors, overreliance on verbose contract terms, inconsistent questionnaires and validation of the information collected, limited follow-ups on the resolution of identified security gaps, and limited organization-wide insight into vendor security risk.
To help address these shortcomings, Health3PT has shared best practices in its Recommended Practices & Implementation Guide, which helps covered entities and business associates improve TPRM efficiency and effectiveness. “Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that ultimately will benefit all participants across the healthcare community,” explained Health3PT.