Stronger Together: A Remedy to Third-Party Cyber Risk in Healthcare

by Taylor Davis of KLAS and Ed Gaudet of Censinet. 08/18/2021

  • Ed Gaudet is CEO and Founder of Censinet
  • Taylor Davis is Executive Vice President of KLAS Research

Controlling healthcare costs while delivering faster and better patient care is predicated upon the secure digitization and distribution of health information, from clinicians to medical devices to EMR and EHR systems, and more. The healthcare blueprint looks and operates much differently from what’s built for other industries, with vendors and other third parties supplying most of the components that make up today’s healthcare provider infrastructure. This increases the attack surface, which includes susceptibility to data breaches, vulnerability to ransomware, and attacks on medical devices.

Given the increase in ransomware attacks, it’s no surprise that cyber insurance rates are up by 50% or more, with coverages, deductibles, and caps tightening. The Wall Street Journal recently reported that more than 200 hospitals were victims of ransomware attacks resulting in over $100 million in extortion payments. Meanwhile, a leading healthcare CISO shared that patient records now garner $1,000 each on the dark web, more than 100 times the price of other personal information. And now, lawsuits against those breached are the new plague. It’s time that the healthcare industry rethinks its overall approach to protecting patient data and care.

The path to managing cybersecurity and minimizing data breaches and ransomware requires rewriting how we conduct and manage risk assessments, assembling correct device and data inventories, facilitating risk-reducing change management, and working across departmental boundaries. An enterprise view of cyber and other risks needs to be considered; current silos must be consolidated and coordinated. Understaffed teams and limited industry-specific tools only make the process of healthcare risk management more complex. Operational consolidation of risk management becomes a must-have moving forward. The merger of operational and cyber risk across departments such as IT, BioMed, supply chain, research and IRB, and GRC enables a more streamlined and efficient approach overall.

Consequently, understanding the risk posture of healthcare organizations with their vendor and business associate ecosystem is no trivial task. A recent independent study of nearly 600 healthcare delivery organizations discovered that the average organization has about 2,000 vendor relationships, many of which have not been assessed for vendor risk. Why? Some organizations were not sure which vendors to assess because it’s unclear where PHI and other critical information reside. Some assessments didn’t align with what a vendor does because the wrong questions were being asked. The study also found that antiquated tools, such as spreadsheets and text documents, lack the intelligence and integrated workflows to address the unique demands of healthcare. In addition, the study found that providers hold an errant misconception that adopting a modern approach to vendor risk management requires more resources.

Meanwhile, the average healthcare organization is increasing its vendor and business associate footprint by about 30% per year, further increasing the attack surface area and their enterprise vulnerability. Some providers, as a stopgap, are opting to assess new vendors, all while the proverbial vendor risk fox is already in the PHI henhouse.

We’ve been collectively looking at ways to reduce the vulnerability and growing healthcare cyber risk surface area to determine what actions are necessary to increase the coverage and protection. This doesn’t imply adding more risk analysts; it means changing our approach to vendor and third-party risk management within the healthcare industry. We need to change the economics of expanding the risk coverage area if we’re going to solve the healthcare cybersecurity risk problem. We just don’t have a choice.

We must understand and measure the aggregate vendor risk position while helping vendors effectively address their vulnerabilities. Vendors need to know that their cybersecurity readiness is a significant pillar of their provider customers’ ability to deliver effective patient care. We must also work together as a community. Hackers and other nefarious actors are joining forces and attacking vulnerable, siloed healthcare organizations. It’s well past due for providers and vendors to work together as a community, sharing processes and appropriate information to successfully counter the ever-increasing and sophisticated attacks.

In addition, we must treat vendor and third-party risk management as a critical, cross-functional operational process, not as a departmental task list. Displacing disparate spreadsheets and text documents with automated, intelligent platforms is the foundational starting point for effective risk management.

The role of vendors and third parties in the healthcare patient care chain will continue to increase. But unless our approach to risk management changes, the attempt to deliver top-notch patient care by adding more essential products and services may be what puts that care most at risk.

Fortunately, we can fix this, but we must do it together.

Ed Gaudet is CEO and Founder of Censinet and can be reached at egaudet@censinet.com. Taylor Davis is Executive Vice President of KLAS Research and can be reached at taylor.davis@klasresearch.com.
