Stronger Together: A Remedy to Third-Party Cyber Risk in Healthcare

by Taylor Davis of KLAS and Ed Gaudet of Censinet. 08/18/2021

  • Ed Gaudet is CEO and Founder of Censinet
  • Taylor Davis is Executive Vice President of KLAS Research

Controlling healthcare costs while delivering faster and better patient care is predicated upon the secure digitization and distribution of health information, from clinicians to medical devices to EMR and EHR systems, and more. The healthcare blueprint looks and operates much differently from what’s built for other industries, with vendors and other third parties supplying most of the components that make up today’s healthcare provider infrastructure. This expands the attack surface, which includes susceptibility to data breaches, vulnerability to ransomware, and attacks on medical devices.

Given the increase in ransomware attacks, it’s no surprise that cyber insurance rates are up by 50% or more, with coverages, deductibles, and CAPs tightening. The Wall Street Journal recently reported that more than 200 hospitals were victims of ransomware attacks resulting in over $100 million in extortion payments. Meanwhile, a leading healthcare CISO shared that patient records now garner $1,000 each on the dark web, more than 100 times that of other personal information. And now, lawsuits against those breached are the new plague. It’s time that the healthcare industry rethinks its overall approach to protecting patient data and care.

The path to managing cybersecurity and minimizing data breaches and ransomware requires rewriting how we conduct and manage risk assessments, assembling correct device and data inventories, facilitating risk-reducing change management, and working across departmental boundaries. An enterprise view of cyber and other risks needs to be considered; current silos must be consolidated and coordinated. Understaffed teams and limited industry-specific tools only make the process of healthcare risk management more complex. Operational consolidation of risk management becomes a must-have moving forward. The merger of operational and cyber risk across departments such as IT, BioMed, supply chain, research and IRB, and GRC enables a more streamlined and efficient approach overall.

Consequently, understanding the risk posture of healthcare organizations with their vendor and business associate ecosystem is no trivial task. A recent independent study of nearly 600 healthcare delivery organizations discovered that the average organization has about 2,000 vendor relationships, many of which have not been assessed for vendor risk. Why? Some organizations were not sure which vendors to assess because it’s unclear where PHI and other critical information reside. Some assessments didn’t align with what a vendor does because the wrong questions were being asked. The study also found that antiquated tools, such as spreadsheets and text documents, lack the intelligence and integrated workflows to address the unique demands of healthcare. In addition, the study found that providers hold the mistaken belief that adopting a modern approach to vendor risk management requires more resources.

Meanwhile, the average healthcare organization is increasing its vendor and business associate footprint by about 30% per year, further increasing the attack surface area and its enterprise vulnerability. Some providers, as a stopgap, are opting to assess only new vendors, all while the proverbial vendor risk fox is already in the PHI henhouse.

We’ve been collectively looking at ways to reduce the vulnerability and growing healthcare cyber risk surface area to determine what actions are necessary to increase the coverage and protection. This doesn’t imply adding more risk analysts; it means changing our approach to vendor and third-party risk management within the healthcare industry. We need to change the economics of expanding the risk coverage area if we’re going to solve the healthcare cybersecurity risk problem. We just don’t have a choice.

We must understand and measure the aggregate vendor risk position while helping vendors effectively address their vulnerabilities. Vendors need to know that their cybersecurity readiness is a significant pillar of their provider customers’ ability to deliver effective patient care. We must also work together as a community. Hackers and other nefarious actors are joining forces and attacking vulnerable, siloed healthcare organizations. It’s well past due for providers and vendors to work together as a community, sharing processes and appropriate information to successfully counter the ever-increasing and sophisticated attacks.

In addition, we must treat vendor and third-party risk management as a critical, cross-functional operational process, not as a departmental task list. Displacing disparate spreadsheets and text documents with automated, intelligent platforms is the foundational starting point for effective risk management.

The role of vendors and third parties in the healthcare patient care chain will continue to increase. But unless our approach to risk management changes, the attempt to deliver top-notch patient care by adding more essential products and services may be what puts it most at risk.

Fortunately, we can fix this, but we must do it together.


Ed Gaudet is CEO and Founder of Censinet and can be reached at egaudet@censinet.com. Taylor Davis is Executive Vice President of KLAS Research and can be reached at taylor.davis@klasresearch.com.
