Healthcare News & Insights

Healthcare organizations need to do better with third-party risk management

Nowadays, hospital executives and administrators are always worried about data breaches. In this guest post, Dennis Keglovits, VP at a company that provides governance, risk and compliance (GRC) and information security software, explains the risks of outsourcing and the importance of having an ongoing risk mitigation process in place.


Third-party risk management has gained the spotlight again with recent breaches, such as those affecting Quest Diagnostics Inc. and Laboratory Corporation of America Holdings (LabCorp). The breaches potentially exposed the data of 20 million patients, but the exposure didn’t happen on Quest or LabCorp systems. Instead, it happened on systems owned by a bill collection service provider, American Medical Collection Agency (AMCA). The exposed patient data came from three separate data breaches, all originating with the same third party, AMCA. Events like these highlight the importance of third-party risk management whenever patient information is shared with contractors.

Organizations have turned more toward outsourcing to reduce their operating costs, gain efficiencies and build relationships outside their organizations. Outsourcing can also make an organization more vulnerable if the third party isn’t complying with contractual and regulatory requirements. Many industries, especially health care, require organizations to proactively identify potential risks and verify the compliance of business associates and their employees. The healthcare industry also requires organizations to monitor for compliance gaps and for new risks arising from change, and to investigate and remediate incidents when they occur.

In addition to its benefits, outsourcing services also brings significant risks. In general, organizations develop risk-management processes to avoid and mitigate financial loss. In health care, however, it’s not only financial loss but also the safety of patient information that’s at risk. Consider a healthcare organization that needs to optimize its risk-management process. The organization must first introduce the risk-management process internally, then apply it to all business associates, who must meet both company and industry standards.

Healthcare chief information security officers (CISOs) must understand their organization’s security strategy and be aware of all third-party service providers. This is where risk assessments come into play. For healthcare organizations, a transparent view of all vendors is key to assessing risk. CISOs need to take the time to assess the level of risk posed by each third-party vendor they do business with and how that risk will affect their organizations.

Necessary precautions

The healthcare industry holds extensive amounts of protected health information (PHI), so it’s vital to take all necessary precautions to protect patient data. One way to do this is to take the time to establish an ongoing risk mitigation process. Having such a process in place alerts healthcare organizations to potential risks before they become incidents. This saves professionals time and allows them to focus on other areas of the organization.

Building a more effective third-party risk management program helps healthcare organizations defend against data loss, system downtime, fines, public exposure and lawsuits. It also reduces the time and panic that’s often associated with audits. The key to this is to move beyond siloed data collection and manual processes by systematizing the interconnection of people, processes, assessments and documentation with an integrated risk management (IRM) platform, ensuring that serious incidents and critical requirements don’t fall through the cracks.

Tracking, capturing and standardizing processes and behind-the-scenes activity helps to effectively communicate the depth of your organization’s security posture, including that of its third-party vendors. The ability to issue assessments, generate reports and visualize data means that progress and priorities can be shared more readily across the organization, fostering a culture of accountability. Knowing that the reports are developed from verifiable, common datasets builds trust and eases decision-making. This gives CISOs the ability to get more business done, take on more responsibility and be more proactive in shaping the organization, all with the same amount of staff. This is especially vital in the healthcare industry, which is typically short on cybersecurity expertise and overburdened with compliance-related activities.

In an increasingly digitized world characterized by layer upon layer of complexity and regulation, not having the right processes in place to address third-party risk can only lead to failure. No enterprise can afford to neglect operational efficiency, security threats or enterprise risk, but for the healthcare industry the stakes are higher than brand and revenue. Healthcare organizations can strengthen their approach to third-party risk, and ensure that their business associates and other third parties are following proper procedure, by performing periodic assessments and documenting their activities in an integrated risk management platform.

In the end, trust in health care and the protection of PHI hang in the balance, and an organization that isn’t prepared to assess third-party risk leaves itself open to the catastrophic aftermath of a data breach.

Dennis Keglovits is VP of IRM Services at Lockpath, a NAVEX Global Company.
