The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers, according to a new report by Censinet and the Ponemon Institute.
Healthcare organizations are struggling to prevent, or to limit the severity of, third-party and vendor-related data breaches, and the report shows that current approaches to assessing and managing vendor risk are failing. The shortcomings of these third-party risk management programs are having a real economic impact, as healthcare organizations face a growing number of fines and investigations from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The following are some of the reasons why third-party risk management programs are failing in healthcare:
* The lack of automation and the reliance on manual risk management processes make it difficult to keep pace with cyber threats and with the proliferation of digital applications and medical devices used in healthcare.
* Vendor risk assessments are time-consuming and costly, so few organizations conduct risk assessments of all their vendors. On average, 3.21 full-time employees are fully dedicated to completing vendor risk assessments, and they spend an average of 513 hours per month on them. This represents approximately 10 percent of the total hours expended on third-party supply chain activities.
* The direct and indirect costs of third-party risk management for the healthcare industry average $23.7 billion annually.
* Critical vendor management controls and processes are often only partially deployed or not deployed at all, and where they are deployed, they are not considered very effective at reducing third-party risk.