Source: RSM US LLP.  PBMares is a member of RSM US Alliance. 

ARTICLE

The changing demands from regulatory bodies, payers and consumers, combined with digital transformation, have made healthcare organizations increasingly dependent on vendors for operational and financial efficiencies. Third-party vendors, however, bring additional risk, exposing organizations to everything from reputational damage to operating loss. Organizations that assume they are covered often are not.

Reliance on multiple outside vendors has made it harder for healthcare providers to be vigilant in managing the inherent risks associated with outsourcing, driving many organizations to assume their vendors are simply “doing their jobs.” But even if third-party vendors adhere to regulations, that doesn’t eliminate risk. And it doesn’t mean those vendors are careful with organizations’ sensitive data.

According to a 2023 Black Kite report, the healthcare industry was the most common victim of third-party breaches in 2022, accounting for almost 35% of all incidents—up from 33% in 2021.

Managing third-party risk

Third-party risk management (TPRM) reduces and mitigates the risks that healthcare organizations face. To truly understand their vendor ecosystem and the risk landscape, healthcare organizations should take a holistic approach to third-party risk management. Providers can use the five-step life cycle below to gain an understanding of, and appreciation for, TPRM.

Step 1: Planning

  • Compile a vendor inventory that captures all third parties (vendors, suppliers, contractors, etc.) used at the organization.
  • Develop an inherent risk rating system that scores the risk a vendor poses before any controls are considered, for example the exposure of patient data and the operational impact of services that support patient care. The rating can then be used to prioritize vendor risk management by criticality to the organization.
  • Document policies and procedures and provide clear ownership and direction for proper risk mitigation.

Step 2: Due diligence

  • Conduct risk assessments on vendors in alignment with policy, escalating identified risks to senior leadership for acceptance or mitigation in line with the healthcare organization's overall strategic vision.
  • Ensure a consistent and repeatable process is in place to evaluate and score each risk assessment. Record a residual risk score (the inherent risk that remains once the vendor's controls are taken into account) so that risks can be tracked consistently across the vendor landscape.

Step 3: Contracting

  • Use the inherent risk matrix to prioritize vendors supporting critical business processes.
  • Implement a contract checklist to follow during contract negotiation and review. The checklist should cover items such as data privacy clauses, safeguards for electronic protected health information, data destruction and termination procedures, key performance indicators, service level agreements and incident/breach notification requirements.
  • As HIPAA requires, execute business associate agreements (BAAs) with every third-party vendor that creates, receives, maintains or transmits protected health information (PHI) on the organization's behalf.

Step 4: Ongoing monitoring

  • Monitor critical and/or high-risk vendors on a continuous basis against key risk types. The focus should include financial, cyber, operational and reputational risks.
  • Track and analyze spend. Third-party risk management can help drive costs down by managing spend efficiently.
  • Scrutinize third-party access to data and systems, including integrations into billing systems and EMRs, and limit each vendor's access to the systems and data its service actually requires.

Step 5: Termination

  • Implement a termination checklist when offboarding a vendor. It should confirm that contractual obligations have been met, such as data destruction and removal of system and network access.
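As an added example (this code is not from the article or from RSM), the following Python script reconciles a vendor inventory against the accounts that vendors hold and flags the gaps the five steps are meant to close: an account whose vendor is not in the inventory (step 1), an active vendor whose last assessment is older than the review interval (steps 2 and 4), a PHI-handling vendor without a BAA (step 3), vendor access that has gone unused (step 4) and access that survived contract termination (step 5). The vendors, accounts, the 365-day reassessment interval and the 90-day stale-access threshold are all constructed assumptions for illustration; findings are ordered by the vendor's inherent criticality so the high-risk items surface first.

```python
"""Reconcile a vendor inventory against vendor accounts (added example, not RSM code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}
ASSESSMENT_MAX_AGE_DAYS = 365  # assumed policy: reassess every active vendor at least annually
STALE_ACCESS_DAYS = 90         # assumed policy: vendor access unused for 90 days is removed


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    criticality: str            # from the inherent risk rating (step 1)
    handles_phi: bool
    baa_signed: bool
    last_assessed: date         # most recent risk assessment (step 2)
    contract_end: Optional[date] = None  # None means the contract is still active


@dataclass(frozen=True)
class Access:
    account: str
    vendor_id: str              # inventory tag recorded on the account
    system: str
    last_used: date


@dataclass(frozen=True)
class Finding:
    code: str
    vendor_id: str
    subject: str                # vendor name or account the finding is about
    criticality: str


def terminated(vendor: Vendor, today: date) -> bool:
    return vendor.contract_end is not None and vendor.contract_end < today


def reconcile(vendors, accesses, today: date):
    """Return findings sorted by criticality (high first), then code and subject."""
    by_id = {v.vendor_id: v for v in vendors}
    findings = []
    for v in vendors:
        # Step 3: PHI may only flow to a vendor under a BAA.
        if v.handles_phi and not v.baa_signed:
            findings.append(Finding("PHI_WITHOUT_BAA", v.vendor_id, v.name, v.criticality))
        # Steps 2 and 4: a one-time assessment is not enough for an active vendor.
        if not terminated(v, today) and (today - v.last_assessed).days > ASSESSMENT_MAX_AGE_DAYS:
            findings.append(Finding("ASSESSMENT_OVERDUE", v.vendor_id, v.name, v.criticality))
    for a in accesses:
        v = by_id.get(a.vendor_id)
        if v is None:
            # Step 1: an account with no inventory entry is an unrated vendor; treat as high.
            findings.append(Finding("UNKNOWN_VENDOR", a.vendor_id, a.account, "high"))
            continue
        if terminated(v, today):
            # Step 5: access must be removed at offboarding.
            findings.append(Finding("ACCESS_AFTER_TERMINATION", v.vendor_id, a.account, v.criticality))
        elif (today - a.last_used).days > STALE_ACCESS_DAYS:
            # Step 4: access nobody uses is access nobody needs.
            findings.append(Finding("STALE_ACCESS", v.vendor_id, a.account, v.criticality))
    findings.sort(key=lambda f: (CRITICALITY_RANK[f.criticality], f.code, f.subject))
    return findings


# Constructed sample data (hypothetical vendors and accounts).
VENDORS = [
    Vendor("V001", "Acme Billing", "high", True, True, date(2023, 1, 15)),
    Vendor("V002", "Imaging Partners", "high", True, False, date(2024, 1, 10)),
    Vendor("V003", "Facilities Cleaning", "low", False, False, date(2023, 6, 1), date(2023, 12, 31)),
]
ACCESSES = [
    Access("svc-acme-billing", "V001", "billing", date(2024, 3, 20)),
    Access("svc-acme-archive", "V001", "archive", date(2023, 11, 1)),
    Access("svc-imaging", "V002", "pacs", date(2024, 3, 19)),
    Access("svc-clean-badge", "V003", "building-access", date(2024, 3, 15)),
    Access("svc-legacy-fax", "V999", "fax-gateway", date(2023, 10, 1)),
]


def run_example(today: date = date(2024, 3, 21)):
    return reconcile(VENDORS, ACCESSES, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.criticality:6} {f.code:24} {f.vendor_id} {f.subject}")
```

Running it lists five findings: the overdue assessment and stale archive account for Acme Billing, the missing BAA for Imaging Partners, the fax-gateway account tagged with a vendor ID that is not in the inventory, and the badge account that outlived the cleaning contract. The same reconciliation can be scheduled against exports from the contract system and the identity provider so step 4 becomes a recurring check rather than a one-time assessment.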

Common gaps

Many healthcare organizations are consistent about upfront due diligence (step 2), conducting a one-time risk assessment on an outside vendor when they procure a new service. However, they often fail to create a risk rating system (step 1) or to keep monitoring the vendor after that initial assessment (step 4). Failures in these a

  • In 2023, one of the 10 largest public health systems in the U.S. suffered a data breach through a compromised third-party medical provider with access to its patient database.
  • In 2022, a U.S. health insurer reported a ransomware attack and data breach that affected 326,278 patients.

Steps 1 and 4 fail in health care, as they do across much of the industry's third-party risk management, because outside vendors are so deeply integrated into the industry's daily operations. Unlike in other industries, vendors in health care often interact directly with customers (patients) and their most sensitive data. Healthcare organizations rely on these vendors, and few have the internal personnel, bandwidth or skill set to monitor them continuously. Most healthcare organizations don't know they are at risk until it is too late. Simply put, they need help.

The third-party risk management solution

It's nearly impossible for any healthcare organization to have the "unicorn" resource that knows it all. Working with an outside risk management company gives a healthcare organization the knowledge and experience it may lack, along with an outside perspective and the benefits of a team focused solely on managing risk.

TPRM as a service takes the workload off understaffed departments that lack the bandwidth to keep up with the ongoing management of third-party vendors, and it can take a broader view of the vendor ecosystem as a whole and of the organization's wider needs. In addition, TPRM as a service covers all five phases of the third-party risk management life cycle, allowing healthcare organizations to rely on professionals for these services so they can focus on the other needs of the business.

Ultimately, TPRM as a service is a cost-effective method for ensuring both compliance and security. But be sure that any outside risk management firm you engage with can speak to many subjects. It’s critical that your TPRM as a service team has experience in health care and risk as well as finance, cybersecurity, compliance and other critical subjects.

Conclusion

The healthcare landscape has changed, and outside vendors are simply a reality. But that doesn’t mean that their risks have to undermine your security. Third-party risk management can protect your organization from outside vendors’ risks if you or a reliable outside risk management provider can maintain vigilance. At the same time, outside risk management and TPRM as a service can drive down costs and create significant savings across your organization.

Ongoing monitoring is critical for all healthcare organizations. Don’t be lulled into complacency and assume that third-party vendors are effectively looking out for your data. Learn more about protecting your organization against third-party risk.


This article was written by Amy Feldman and originally appeared on 2024-03-21.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/going-beyond-risk-management.html


RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.