Article

Going beyond risk management

5 steps to increased visibility into your third-party risk

March 21, 2024

Key takeaways

Hands spinning around selecting a risk vendor

Today’s health care organizations rely on vendors to operate, which increases risk.

Gears turning while managing risk

Most organizations think they’re safe, but managing risk must be a constant, ongoing process.

Outlines of people learning skills to manage risk

Outside risk management companies can provide the skills most health care orgs lack in-house.

#
Cybersecurity consulting Cybersecurity Health care

The changing demands from regulatory bodies, payers and consumers combined with digital transformation have made health care organizations increasingly dependent on vendors for operational and financial efficiencies. However, third-party vendors come with additional risks, exposing organizations to everything from reputational damage to operating loss. Organizations that often think they’re covered are not.

Reliance on multiple outside vendors has made it harder for health care providers to be vigilant in managing the inherent risks associated with outsourcing, driving many organizations to assume their vendors are simply “doing their jobs.” But even if third-party vendors adhere to regulations, that doesn’t eliminate risk. And it doesn’t mean those vendors are careful with organizations’ sensitive data.

According to a 2023 Black Kite report, the health care industry was the most common victim of third-party breaches in 2022, accounting for almost 35% of all incidents—up from 33% in 2021.

Managing third-party risk

Third-party risk management (TPRM) helps reduce and mitigate the risks that health care organizations face. To truly understand their vendor ecosystem and the risk landscape, health care organizations should take a holistic approach to third-party risk management. Providers can follow the following five-step life cycle to gain an understanding and appreciation for TPRM.

Step 1: Planning

  • Compile a vendor inventory that captures all third parties (vendors, suppliers, contractors, etc.) used at the organization.
  • Develop an inherent risk rating system to evaluate risks associated with a vendor before considering controls, such as patient data protection and operational risks for services provided for patient care. The system can be used to prioritize vendor risk management by criticality to the organization.
  • Document policies and procedures and provide clear ownership and direction for proper risk mitigation.

Step 2: Due diligence

  • Conduct risk assessments on vendors in alignment with policy, including escalating risks to senior leadership for acceptance or mitigation that aligns with the overall strategic vision of the health care organization.
  • Ensure a consistent and repeatable process is in place to evaluate and score the risk assessment. A residual risk score should be populated to track risks properly across the landscape.

Step 3: Contracting

  • Use the inherent risk matrix to prioritize vendors supporting critical business processes.
  • Implement a contract checklist to follow during contractual negotiations and review. The checklist should include items like data privacy clauses, safety of electronically stored and protected health information, destruction of data and/or termination procedures, key performance indicators, service level agreements and incident/breach notification requirements.
  • As mandated by HIPAA, execute business associate agreements (BAAs) with all third-party vendors that may have access to protected health information (PHI).

Step 4: Ongoing monitoring

  • Monitor critical and/or high-risk vendors on a continuous basis against key risk types. The focus should include financial, cyber, operational and reputational risks.
  • Track and analyze spend. Third-party risk management can help drive costs down by managing spend efficiently.
  • Scrutinize third-party access to data and systems, including integrations into billing systems and ERMs, and limit access to only those who require it.

Step 5: Termination

  • Implement a termination checklist when offboarding a vendor relationship. This may include ensuring contractual obligations are being met, such as data destruction, system/network access removal, etc.

Common gaps

Many health care organizations are consistent in the completion of upfront due diligence (step 2), conducting one-time risk assessments on outside vendors when they want to procure new services. However, organizations often fail to create a risk rating system (step 1) or continue monitoring vendors after that initial risk assessment (step 4). Failures in these areas expose organizations to significant risk and have been responsible for major losses.

  • In 2023, one of the 10 largest public health systems in the U.S. suffered a data breach through a compromised third-party medical provider with access to its patient database.
  • In 2022, a U.S. health insurer reported a ransomware attack and data breach that affected over 326,278 patients.

The failure of steps 1 and 4 in health care—and with most of the industry’s third-party risk management—is that outside vendors are so integrated into the daily workings of the industry. Unlike other industries, outside vendors in health care are often interacting directly with customers (patients) and their most sensitive data. Health care organizations rely on these vendors, and few have the internal personnel, bandwidth or skill set to monitor their vendors constantly. Most health care organizations don’t know they’re at risk until it’s too late. Simply put, they need help.

The third-party risk management solution

It’s nearly impossible for any health care organization to have the “unicorn” resource that knows it all. Working with an outside risk management company provides a health care organization with the knowledge and experience they may lack, providing an outside perspective and the benefits of a team focused solely on managing risk.

TPRM as a service takes the workload off of understaffed departments that don’t have the bandwidth to keep up with the ongoing management of third-party vendors and can take a broader lens to evaluate the holistic vendor ecosystem and greater needs of the organization. In addition, TPRM as a service touches all five phases of the third-party risk management life cycle, allowing health care organizations to rely on professionals for these services so that they can focus on the other needs in the business.

Ultimately, TPRM as a service is a cost-effective method for ensuring both compliance and security. But be sure that any outside risk management firm you engage with can speak to many subjects. It’s critical that your TPRM as a service team has experience in health care and risk as well as finance, cybersecurity, compliance and other critical subjects.

Conclusion

The health care landscape has changed, and outside vendors are simply a reality. But that doesn’t mean that their risks have to undermine your security. Third-party risk management can protect your organization from outside vendors’ risks if you or a reliable outside risk management provider can maintain vigilance. At the same time, outside risk management and TPRM as a service can drive down costs and create significant savings across your organization.

Ongoing monitoring is critical for all health care organizations. Don’t be lulled into complacency and assume that third-party vendors are effectively looking out for your data. Learn more about protecting your organization against third-party risk.

RSM contributors

  • Amy Feldman
    Director, Risk Consulting

Related insights

Learn the importance of anticipating and managing key risks when working with third parties

Explore how our insights and experience can empower your business to navigate the complexities of third-party engagements.

Close up of microscope scanning slide