Vendor risk management in healthcare is an obligation, not a luxury. HIPAA regulations apply to third-party associates as much as covered entities. Many cybersecurity vulnerabilities involve supply-chain threats, with vendor attacks increasing by over 400% in just two years. Learning to manage vendor risks successfully helps healthcare enterprises avoid data breaches, improve HIPAA compliance, streamline operations, and mitigate legal liability.
What Is Vendor Risk Management in Healthcare?

Healthcare vendor risk management (VRM) refers to the process of evaluating, monitoring, and mitigating risks arising from third-party business relationships. In healthcare, vendors range from software platforms and IT service providers to staffing agencies and medical device suppliers.
In regulatory compliance areas, healthcare vendor management frequently centers on risks to data, IT systems, and patient privacy. VRM is also known as third-party risk management and is closely related to supply chain security.
What Vendor Risks Affect Healthcare Organizations?
Hospitals, clinics, health insurers, and HMOs have one of the most complex risk profiles because of how sensitive patient data and healthcare operations are. Vendor risk management is no exception. Healthcare organizations need to prepare for many different types of vendor risks.
1. Cyber Risks
Over 65% of healthcare companies have experienced at least one ransomware attack. The combination of personal information, health data, and financial information that hospitals store makes them a lucrative target, and vendor systems are often the weakest link.
2. Financial Risks
The actions of third parties can hurt your financials, especially in cases of fraud, abuse, or misuse of company assets. Vendors that violate the False Claims Act can leave your organization on the hook for heavy penalties.
3. Regulatory Risks
One of the biggest vendor risks in healthcare is running afoul of HIPAA, GDPR, PCI DSS, or the Medicare and Medicaid Conditions of Participation. The responsibility for ensuring vendor healthcare compliance falls to your organization.
4. Operational Risks
When a vendor’s software platform goes down, the impact on your operations can be hard-hitting. In healthcare, long system outages aren’t just financially devastating, but also potentially life-threatening to patients.
5. Marketing Risks
Healthcare enterprises must comply with regulations around marketing and referrals. Marketing activities that are normal in other industries may be illegal in healthcare. Without careful risk assessments and monitoring in place, vendors can violate the Anti-Kickback Statute or Stark Law.
6. Legal Risks
Poor vendor cybersecurity can directly affect your company’s legal liability. Banner Health had to settle a 2016 data breach that impacted 3.7 million records, even though hackers found their way into the network via the food court’s third-party payment processor.
What Does Healthcare Vendor Risk Management Involve?

The VRM process in healthcare requires careful planning to implement an effective risk framework. It’s necessary to evaluate risk before, during, and at the end of vendor relationships.
Assigning Roles and Responsibilities
Any type of risk management can only be successful with well-defined roles and responsibilities. At a minimum, your organization needs a dedicated VRM professional for onboarding and program execution. In larger organizations, the VRM team should include representatives from the executive, legal, compliance, IT, and procurement departments.
Identifying Vendor Risks in Your Organization
Before evaluating individual vendors, you need to conduct an in-depth third-party risk assessment on your organization as a whole. It takes time to create a detailed list of risks related to vendor services across departments, but this is one of your most important lines of defense against cyberattacks, regulatory compliance violations, platform vulnerabilities, and financial risks.
Frequent high-risk areas in healthcare include:
- Claims processing, creation, and appeals
- Sales and marketing
- Patient services
- Memberships and enrollment
- IT and networking
- Pharmacy benefits management
In the U.S., pay special attention to vendor services that touch on patient privacy, cybersecurity, physical security, data storage, and communications. For global organizations, make sure any data processing, analytics, or storage vendors comply with GDPR.
Performing a Third-Party Risk Assessment
Once you have a comprehensive map of third-party risk areas, you’re ready to perform risk assessments. Start by assigning each vendor a general risk tier (such as low risk to critical risk) based on factors like:
- Type and sensitivity of data
- Extent of access to important systems
- Financial costs in the event of a breach
- Potential impact on core operations
- Effect of vendor failure or business collapse
Many healthcare organizations perform two separate risk assessments for VRM, one for information security and another for vendor compliance risks.
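The tiering step above is easy to get wrong in one specific way: if the factors are averaged, a vendor that handles ePHI but scores well on everything else can be averaged down to "low risk." The following is an added example (not code from the original article or from any VRM product it mentions) showing a worst-factor tiering rule beside the averaging approach, plus the per-tier requirements the article describes (continuous monitoring for high-risk vendors, a BAA wherever PHI is involved). The 0-3 factor scales, the tier thresholds, the review frequencies, and the three sample vendor profiles are all assumptions constructed for this example, not a standard.

```python
"""Vendor risk tiering from the five factors listed above.

Design choice: the tier is driven by the WORST factor, not the average,
so a vendor that touches ePHI cannot be averaged down to 'low' by
scoring well elsewhere. All scales and thresholds here are assumptions
made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data_sensitivity: int    # 0 none, 1 internal, 2 other regulated (PII, card data), 3 ePHI
    system_access: int       # 0 none, 1 read-only, 2 privileged app / physical terminal access, 3 admin
    breach_cost: int         # 0 negligible .. 3 catastrophic
    operational_impact: int  # 0 none .. 3 outage disrupts patient care
    failure_impact: int      # 0 easily replaced .. 3 no viable substitute


def _check_scale(value: int, label: str) -> int:
    if not 0 <= value <= 3:
        raise ValueError(f"{label} must be 0-3, got {value}")
    return value


def _score_to_tier(score: int) -> Tier:
    # Assumed mapping of a 0-3 factor score onto a tier.
    return {0: Tier.LOW, 1: Tier.LOW, 2: Tier.MODERATE, 3: Tier.HIGH}[score]


def _factors(v: VendorProfile) -> dict:
    return {
        "data_sensitivity": _check_scale(v.data_sensitivity, "data_sensitivity"),
        "system_access": _check_scale(v.system_access, "system_access"),
        "breach_cost": _check_scale(v.breach_cost, "breach_cost"),
        "operational_impact": _check_scale(v.operational_impact, "operational_impact"),
        "failure_impact": _check_scale(v.failure_impact, "failure_impact"),
    }


def inherent_tier(v: VendorProfile) -> Tier:
    """Worst single factor decides, with escalation rules on top."""
    f = _factors(v)
    tier = _score_to_tier(max(f.values()))
    severe = sum(1 for s in f.values() if s == 3)
    # Escalate to CRITICAL when several factors are at the maximum, or when
    # ePHI is combined with privileged access (the EHR supply-chain case).
    if severe >= 2 or (f["data_sensitivity"] == 3 and f["system_access"] >= 2):
        tier = Tier.CRITICAL
    return tier


def averaged_tier(v: VendorProfile) -> Tier:
    """The tempting but misleading approach, kept only for comparison."""
    f = _factors(v)
    return _score_to_tier(round(sum(f.values()) / len(f)))


# Assumed per-tier obligations; review_months is the maximum gap between reassessments.
REQUIREMENTS = {
    Tier.LOW:      {"review_months": 36, "continuous_monitoring": False, "independent_audit": False},
    Tier.MODERATE: {"review_months": 24, "continuous_monitoring": False, "independent_audit": False},
    Tier.HIGH:     {"review_months": 12, "continuous_monitoring": True,  "independent_audit": False},
    Tier.CRITICAL: {"review_months": 6,  "continuous_monitoring": True,  "independent_audit": True},
}


def onboarding_requirements(v: VendorProfile) -> dict:
    req = dict(REQUIREMENTS[inherent_tier(v)])
    # A HIPAA Business Associate Agreement is needed whenever ePHI is handled.
    req["baa_required"] = v.data_sensitivity == 3
    return req


# Constructed sample profiles (not real vendors).
EHR_HOST = VendorProfile("EHR hosting provider", 3, 3, 3, 3, 3)
STAFFING_AGENCY = VendorProfile("Nurse staffing agency", 3, 1, 1, 0, 0)
JANITORIAL = VendorProfile("Janitorial services", 1, 2, 1, 1, 0)

if __name__ == "__main__":
    for vendor in (EHR_HOST, STAFFING_AGENCY, JANITORIAL):
        print(f"{vendor.name}: worst-factor={inherent_tier(vendor).name}, "
              f"averaged={averaged_tier(vendor).name}, "
              f"requirements={onboarding_requirements(vendor)}")
```

The staffing agency is the instructive case: it sees ePHI on every shift but has little system access, so the averaged score lands it in the low tier while the worst-factor rule correctly makes it high risk. The janitorial profile reflects the point made later in the article about cleaning staff reaching unattended terminals, which is why its system-access factor is not zero.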
When evaluating suppliers, look for real compliance, not empty promises. Does the vendor truly have risk management best practices in place, or did it just copy blanket statements from an online template?
How often does the supplier perform audits? What about anti-phishing training programs and endpoint device policies? Look for concrete metrics, logs, and audit records.
Developing Vendor Risk Mitigation Strategies
Once you understand the largest risks posed by third-party suppliers, you can implement risk mitigation strategies for those specific areas. For example, an excellent way to limit the impact of EHR software supply chain attacks is to follow a Zero Trust authentication model. All platform users must log in with MFA to access sensitive data, whether they’re inside or outside the network.
Onboarding Vendors Securely
Risk-aware onboarding requires healthcare VRM teams to perform a series of checks. Request and verify documentation, such as cybersecurity certificates, insurance policies, credit history records, and operational details.
For HIPAA compliance, create a Business Associate Agreement with details about the services the vendor will perform and related HIPAA compliance obligations. If you use a BAA template for multiple vendors, periodically review it to make sure it’s up to date with the latest version of requirements.
Carrying Out Continuous Monitoring
Many businesses fall short in evaluating vendor compliance after onboarding. A year is a long time, and you can’t afford to allow vulnerabilities or compliance violations to creep in.
Vendors in high-risk areas should agree to real-time, continuous monitoring. Network monitoring services can strongly reduce the likelihood and impact of a data breach by flagging suspicious log-ins, traffic, or actions.
If you rely on security certifications to gauge vendor qualifications, only accept reports that measure ongoing compliance, not a single point in time. HITRUST certification, SOC 2 Type 2 annual reports, and ISO 27001 are a few examples.
Terminating or Offboarding Vendors Safely
Few parts of the risk management lifecycle are as dangerous to healthcare organizations as contract termination and offboarding, even when your experience with the third-party provider was good. In addition to potential harm from intentional sabotage or theft, there are also vulnerabilities from forgetting to disable vendor permissions. Another possibility is that third-party companies don’t delete patient data or files as required by HIPAA.
Your team needs to prepare a complete checklist for offboarding, including:
- Removing access permissions
- Changing passwords and rotating shared credentials for VPNs, apps, and service accounts the vendor used
- Deactivating physical security badges
- Removing all vendor access to network resources, such as APIs
- Taking reasonable steps to verify the destruction of patient records, such as a signed vendor statement
Be especially diligent when offboarding consultants or specialists with administrator-level system access, or vendors that handled patient payment, financial, or identity data.
What Is an Example of a VRM Security Framework?

If you’re not sure where to start with your healthcare VRM program, there’s nothing wrong with modeling your framework after leading organizations, such as Adobe (Vendor Security Review Program) and Microsoft (Supplier Security and Privacy Assurance Program). Even though you have to make modifications for healthcare and HIPAA compliance, these examples give you a solid baseline.
Adobe makes vendors fill out a comprehensive questionnaire with supporting documentation. This information helps Adobe’s ERM team perform an accurate risk assessment.
As part of onboarding, Adobe looks for SOC 2 Type II, PCI DSS, and ISO 27001 compliance certification.
Any medium or high-risk vendors must take remediating actions. All vendors must agree to continuous scanning and annual security reviews.
Microsoft requires vendors to enroll in the SSPA program and prove that they meet every point of the framework’s in-scope data protection controls. Only after successful completion can the third-party supplier begin providing services, and only in tested areas.
How Do You Follow Vendor Risk Management Best Practices?
Whether you already have a healthcare vendor risk assessment framework or you’re building a VRM program from scratch, these recommendations can help you get better results.
Create an Effective Vendor Scoring System With Target Metrics
You can only measure vendor compliance if your program includes metrics. With the right analytics, you can track vendor progress, view positive or negative trends, flag issues quickly, and create detailed reports for better decision-making.
Mention tracked performance metrics in service-level agreements. For example, a SaaS vendor should meet system uptime minimums. IT providers need to hit targets for security patches, maintenance, priority issues resolved, equipment defect rates, and response times.
HIPAA compliance is a vital metric for healthcare vendors. Score compliance percentages, violations found, issue severity, and completed corrective actions from periodic audits.
Standardize VRM Evaluations
If your current program leaves the vendor review and approval process up to the judgment of individual department heads or executives, it’s time for a change. This approach is vulnerable to bias and introduces risk into your system. Also, case-by-case evaluations are inefficient.
It’s better to standardize vendor evaluations and due diligence with detailed policies, definitions, score requirements, and risk thresholds. All vendors in a certain risk category should be subject to the same certification requirements, audit frequency, and risk mitigation procedures.
This doesn’t mean overlooking the expertise of CISOs for IT contracting or CROs for HIPAA compliance services. It just means that your policy should state who has the authority and responsibility to make decisions, and what metrics they should use for evaluations.
Perform Comprehensive Risk Management
As many a grandparent once said, “If you’re going to do it, do it right.” Surface-level risk assessments aren’t sufficient to keep patient data safe and secure in today’s cyber threat landscape. Don’t just look at obvious risks and vulnerabilities.
How would you rate the vendor risk level of hospital janitorial services? A shallow risk assessment might place this group in the “minimal” or “low” risk category, but that isn’t necessarily accurate.
Can cleaning staff access nurse station terminals or go into restricted areas freely? Only accurate risk assessments let you adopt appropriate mitigations, such as automatic logouts for computer terminals or video surveillance.
This type of in-depth analysis isn’t as complicated as you may think. The key is to get input from a variety of relevant stakeholders. What risks do they see?
Prioritize Vendor Security Qualifications
Cost matters, but it shouldn’t be the overriding factor when selecting healthcare vendors. After all, the average cost of a data breach in healthcare is nearly $10 million. The financial impact of class action lawsuits, reputational damage, and government fines can be even larger. Give cybersecurity, risk management, and regulatory compliance the seriousness they deserve in vendor assessments.
Centralize Healthcare VRM Data Points
Centralized information sharing is a must for healthcare organizations. Decision-makers need to communicate with each other about regulatory updates, vendor issues, security concerns, necessary policy changes, and emerging threats. What one department misses may raise red flags for another because of a broader perspective.
Independent Audits of Primary Vendors
Where feasible, healthcare companies should conduct their own audits of key vendors. SOC 2 Type 2 reports are a good start, but they don’t always tell the full picture when it comes to HIPAA compliance. Your organization may have stricter standards or different priorities based on risk factors.
Don’t Overlook Fourth-Party Risks
Security vendors and other third-party organizations often have their own supply chain. Are your risk assessments designed with fourth-party risk in mind? Include subcontractor questions in any security review or audit.
Perform Recurring Healthcare Vendor Risk Assessments
Some organizations only perform risk assessments during the due diligence phase, but that’s insufficient. Along with monitoring and regular audits, take the time to evaluate vendor risk periodically. The frequency of assessments should correspond to the vendor’s risk rating.
Overcome Obstacles to Vendor Risk Management in Healthcare

Some healthcare organizations struggle with vendor management because they lack the resources, personnel, or expertise to implement an effective framework. VRM platforms and dedicated vendor risk monitoring services are an excellent solution. Compyl helps healthcare organizations create a centralized vendor inventory, automate compliance workflows, and manage audit programs in line with leading risk management frameworks. Contact us to learn more today.