Manage third-party risk more effectively

As of late, cyberattacks have reached an all-time high in the healthcare industry. In July of 2022, a cyberattack and data breach at a healthcare organization resulted in a $100 million loss in revenue,1 and according to U.S. government data, in 2022, healthcare breaches are rising significantly.2

Because of this, third-party risk management (TPRM) is more important than ever for your healthcare organization. TPRM programs can help healthcare organizations address issues such as cybersecurity, reputation protection, patient trust preservation and more.

The first step: Identify your vendors

The first step in implementing a TPRM program is to identify all your vendors and the products or services they provide to your healthcare organization or your patients. Your Accounts Payable department can provide a vendor list, since they have records of all companies, entities and consultants billing your organization.

Make sure your high-risk vendors are identified and prioritized. Typically, these vendors require access to confidential patient data to provide a product or service. Due to HIPAA rules, these vendors will become known as Covered Entities or Business Associates. Once you’ve established your vendor inventory, you’re one step closer to managing third-party risks effectively.

Implement a TPRM program through the TPRM lifecycle

The next step is to implement a strong TPRM program. The best method for implementing such a program is to follow the TPRM lifecycle stages and activities. Using the third-party risk management lifecycle as a guide, your organization can minimize vendor risk by ensuring the right risks are identified, assessed and managed at the right time.

The TPRM lifecycle encompasses the following stages:

  • Planning & risk assessment – Determine inherent risk and criticality. Inherent risk is risk present as part of the relationship by default and is assessed without considering future precautions or controls. A vendor’s criticality refers to the impact on the business should the vendor cease to operate.

         You can easily determine criticality with three questions:

         If you answered “yes” to any of those questions, you have a critical vendor!

  • Reassessments – Periodically re-review vendor engagement to look for changes in their level of risk, including new or emerging risks. Conduct periodic risk assessments (e.g., annually for critical and high-risk vendors, every 18 months for moderate-risk vendors and every two to three years for low-risk vendors). Once the risks of the relationship have been reevaluated, reach out to the vendor for refreshed documents and information to validate the current risk levels. Any changes must be documented and managed appropriately.
  • Due diligence – Since due diligence isn’t a one-and-done activity, recurring due diligence should always be part of third-party risk management. As vendor risk can evolve over time, regular due diligence reviews should be scheduled annually, at a minimum. However, special circumstances may require reviews to be conducted more often, such as before a contract renewal, if there are performance issues or if there’s a regulatory change.
  • Monitoring & performance – Ongoing risk and performance monitoring will ensure that the vendor is still providing quality products/services and that their risk level remains relatively consistent. This includes tracking service level agreements and remaining aware of any identified issues.
  • Renewals – Before contract renewals, reassess the terms and provisions to determine if any negotiations are needed. As negotiation can take a while, do this well ahead of renewal. A consistent and continuous vendor dialogue is key to ensure that everyone is on the same page regarding performance, service level gaps, meeting specific requirements and other processes.
  • Termination – Notify the vendor of contract non-renewal.
  • Exit plan execution – Follow the exit plan, ensuring that your vendor meets all responsibilities and obligations such as data destruction or return, while at the same time, your healthcare organization is taking appropriate next steps.
  • TPRM closure – Once the exit plan is completed, wrap up any final steps needed to formally end the relationship such as reviewing and paying final invoices. Make sure all relevant vendor information is appropriately organized and archived. Remember that you may need to access this data in the future for a regulatory exam or audit.

As the three stages occur, oversight and accountability, documentation and reporting, as well as independent review, also support and guide the TPRM lifecycle. This means that roles are established and defined, including who will oversee the program and process, and that there are governance documents that define the process, including policies and procedures. Internal audit teams should also assess the program periodically to determine if it meets expectations or if it requires improvement.

Whatever the industry, establishing a solid TPRM process and strong program management and oversight roles is essential. Well-written and accessible program policies and procedures that follow the TPRM lifecycle stages and activities will help your organization successfully manage its vendor risk.

To learn more about TPRM, visit Venminder’s resources library and blog.


Source: Read Full Article