Hospitals are paying for not vetting their vendors
No hospital is an island: from clinical software to data storage, there's a near-limitless number of vendors to serve up the necessary components of healthcare IT system. Every device or piece of software connected to the internet means another point of exposure to attacks and breaches.
A new study from the Ponemon Institute, sponsored by Censinet, shows that health systems' approaches to managing the risks of third-party vendors are falling short of what's necessary in this cybersecurity environment – and that many organizations are seeing an increase in HHS and OCR fines and investigations as a result.
WHY IT MATTERS
According to Ponemon report, The Economic Impact of Third-Party Risk Management in Healthcare, health systems on average have 3.2 FTE security employees who work full time, more than 500 hours per month, to handle vendor risk assessments.
But that's not enough to maintain due diligence given that the average hospital has relationships with more than 1,300 different vendors, the report shows. Most hospitals don't review the security practices of each of them on an annual basis. In fact, barely more than one in four respondents say they conduct vendor assessments for all their vendor partners.
Despite spending nearly $24 billion each year, industry-wide, on vendor management, healthcare organizations' "controls and processes are often only partially deployed or not deployed at all," compromising their ability to mitigate third-party risks, said Ponemon researchers.
And that's costing them: 56% of respondents said their organization had experienced one or more vendor-related data breaches in the past two years, at an average cost of $2.9 million.
Automating tools and tasks such as vendor assessment questionnaires and updating risk profiles helps can help manage the influx of new vendors, but most hospital systems are lagging in that area too, according to the report – even though 78 of respondents recognize the importance of being able to continuously manage changes to third-party risk.
"Reliance on manual processes makes it difficult for organizations to assess all their vendors and to understand the types of vendor risk they face," said researchers.
Furthermore, nearly 60% of respondents said senior executives at their organizations are willing to take shortcuts with the risk assessment process "if necessary to secure a lucrative business relationship."
THE LARGER TREND
When a hospital doesn't manage its vendors adequately, they open their networks up to considerable risk. Healthcare systems need to balance the usefulness of a product with the risks it can pose as well as tread more cautiously than in other industries: greater privacy and security restrictions mean that sharing data with vendors or hosting information in the cloud warrants greater scrutiny and oversight.
The good news is that there are a lot of ways hospitals can manage their security internally that prevent outside incursions, and that culture of awareness can inform relationships with external vendors.
ON THE RECORD
"It's clear that healthcare providers are in a tough spot," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it's easy to see how managing these risks has become an overwhelming problem."
"This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management," said Ed Gaudet, CEO and founder of Censinet. "The adoption of technology in healthcare is more rapid and complicated than ever before. As an industry, we must help providers safely enable cloud applications and medical devices optimized to deliver the quality of care hospitals and their patients expect."
Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.