During a recent webinar that SureCloud’s North America GRC team hosted, ‘Why Your Vendors Are Your Biggest HIPAA Risk’, we asked attendees why they thought Vendor Risk Management Practices haven’t matured in the healthcare industry the way they have in other sectors, such as financial services or retail. Here is how the responses were ranked:
- 58% – Leadership is unaware of the risks
- 22% – Lack of audit/penalty enforcement
- 15% – Lack of resources internally
- 5% – Lack of expertise internally
Leadership is Unaware of the Risks
The response data shows that most of our attendees believe healthcare leaders are unaware of the risks that vendors pose to their practice and patients. Something to consider in response to this is how risk information is currently being communicated to management. As risk professionals, it’s often our job to frame risk in a way that will motivate our leaders to take or approve the appropriate mitigation action. Vendor risk is no exception. Being able to effectively quantify the security and privacy risk that a third party introduces to your practice and your patients is the first step. Technology solutions can help standardize how vendors are assessed and scored. That data can then be modeled using reports and dashboards to help you tell a visual story of risk and potential exposure to the organization.
Lack of Audit/Penalty Enforcement
Second place goes to lack of audit occurrences or penalty enforcements from the OCR. While it’s true that OCR audits are on the decline and fines have been cut significantly, this response highlights the compliance-oriented nature of many healthcare security and privacy programs–often at the expense of effective risk management. In fact, this deregulation inherently increases the risk to providers, payers, and patients. If your vendors know that the OCR isn’t going to come knocking on their door to audit and impose fines anytime soon, chances are they might not be prioritizing the security and privacy of your patient’s ePHI. All the more reason for you to strengthen your vendor assessment techniques–and your business associate agreements!
Lack of Resources & Expertise
Finally, lack of resources and expertise join forces to form the final culprit that 30% identified as roadblocks to effective vendor management. These can be tough to overcome without the right tools to support the organization. With hundreds of vendors & business associates, the vendor management process can become overwhelming for many healthcare institutions–especially those short on resources and expertise. This is where an intelligent, automated third-party risk management workflow solution like SureCloud can be an absolute game-changer. With standard question sets and risk calculation, expertise can be built into the solution and administered by virtually anyone. Automating the coordination of assessments, remediation actions, and risk communication to the business ensures that your organization’s limited resources aren’t slowed down with the manual administrative minutia.
If you’re ready to take your third-party risk management process to the next level and kick spreadsheets to the curb, contact me for a demo of SureCloud’s Third-Party Risk Manager solution at ben.dalton@surecloud.com or contact@surecloud.com.
Missed the webinar? Watch it on demand for FREE here.