Obtaining Buy-In for Your Third-Party Risk Management Program

Third-party risk management breaches have been snowballing in recent months with no clear end in sight. However, too many healthcare organizations have maintained a status quo approach to their Third-Party Risk Management (TPRM) and Vendor Risk Management (VRM) programs.

As the saying goes, “insanity is doing the same thing over and over and expecting different results”. It’s time for healthcare entities to make major investments in the people, process, and technology required to meaningfully reduce risks introduced by third-party vendors. Those investments often require the buy-in of multiple stakeholder groups within the organization in order to release the funding and political will power necessary to effectively address third-party risk management.

This blog provides recommendations for delivering messaging to key stakeholder groups within healthcare entities to make the business case for further investments in third-party risk programs.

Boards & Steering Committees

The good news is that most healthcare boards in 2022 have some degree of awareness of third-party risks as a result of the litany of stories peppering the news for supply chain breaches. However, awareness does not always translate into funding and prioritization.

Here are some key messages to help convey the urgency and necessity of investing in third-party risk programs:

• Provide a summary of recent third-party vendor breaches including those that have impacted organizations similar to your own or that have been “near misses” for your own organizations. Examples in 2021-2022 may include Microsoft Exchange and Office 365, Kaseya, SolarWinds, Kronos, Accellion, Log4j, etc. CORL publishes a recurring blog series which highlights the most-recent healthcare third-party risk breaches that can serve as a useful input to these discussions. Here are some recent examples that can be leveraged for your discussions:

• • CORL Vendor Breach Digest – January 2022
  • CORL Vendor Breach Digest – December 2021
  • CORL Vendor Breach Digest – November 2021
  • Webinar Replay | Weakest Links in the Supply Chain: 2021 Healthcare Vendor Breach Review

• Highlight the impact to operations and patient safety. The healthcare industry has moved critical business and clinical operations to the cloud and third-party platforms including Electronic Health Records, finance and billing systems, and more. This means that vendor breaches are less and less about compliance exposures and are instead being driven by the desire to limit impacts to the availability and integrity of these essential systems used for the routine delivery of care.
  –
• Quantify the financial impact. The costs of healthcare breaches are well documented. Leverage statistics and the latest financial loss figures to make the case for the multi-million-dollar cost of breach events and highlight the high volume of breaches that are caused by third-party vendors. Here are some good resources for quantifying healthcare breach costs:

• • INFOGRAPHIC | When It Rains, It Pours: Healthcare Ranks #1 in Breach Costs
  • BLOG POST: Healthcare Takes It on the Chin with Supply Chain Breaches

• Connect the dots on sources of ransomware infections. Ransomware infections can result from direct attacks on healthcare organizations or can result from attacks on third-party vendors that maintain network connections to healthcare entities. Even if healthcare organizations are not targeted directly, the downtimes and outages of strategic third-party vendors can have devastating consequences to business operations, patient safety, and financials.
  –
• Explain potential HIPAA compliance and regulatory exposures. Federal and state governments have been turbo charging the drafting of regulations for third-party risk management in recent months. This activity comes on the heels of several years of HIPAA Security Rule enforcement focus on business associates from the Office for Civil Rights (OCR). The following resources can help you outline the emerging regulations and penalties for non-compliance for third-party risk.

• • INFOGRAPHIC: Supply Chain Rocks! New Bills and Regulations Emerge
  • BLOG POST | Regs on the Radar: Emerging Supply Chain Regulations & Standards
  • ARTICLE: Defending Against Software Supply Chain Attacks, CISA and the National Institute of Standards and Technology (NIST)
  • ARTICLE: America’s Supply Chains: A Presidential Document by the Executive Office of the President
  • ARTICLE: Improving the Nation’s Cybersecurity: A Presidential Document by the Executive Office of the President

• Highlight emerging trends in third-party risk management. Leverage resources including the following summarized trends and predictions for TPRM this year to provide context for your requests for financial and other support.

• • INFOGRAPHIC: Top 10 Healthcare Vendor Risk Management Predictions for 2022
  • WEBINAR REPLAY: Plan Your Defensive Strategy Heading into the New Year
  • NEWS ARTICLE & VIDEO INTERVIEW: Health Systems Need New Approach to Managing Threat Posed by Third-Party Vendors

CIOs and CISOs

In addition to the points provided above for board and committee-level stakeholders, the following considerations and talking points can be leveraged with CIO and CISO stakeholders to obtain support and buy-in for your TPRM program.

• Free up security teams through TPRM automation, workflow optimization, and managed services. TPRM teams cannot keep up with the volume of vendors assessments. Constraints on human capital for cybersecurity and TPRM programs have never been higher. Security teams are spending too much time on vendor risk data collection, communicating and hounding vendors, and producing reports rather than focusing on true risk management activities. Investments in TPRM automation, workflow, and managed services can improve the quality of assessment data and remediation results and free up security teams to work on other high-priority initiatives.
• Improve availability of critical systems. Third-party vendor breaches can introduce devastating outages to critical business functions and systems for weeks and months on end. The ability to keep business continuity flowing depends on developing a robust TPRM program that can evaluate risk up front, take meaningful action on vendor selection and remediation, and reduce the likelihood and impact of vendor-related downtime.
• Reduce turnaround times for assessments. Investments in automation, workflow, and managed services can reduce turn-around for third-party risk assessments from weeks to days

Compliance & Legal Counsel

Third-party vendors have access to staggering amounts of sensitive information including Protected Health Information (PHI). Vendor breaches can introduce material legal and compliance consequences for healthcare entities. Some examples of regulatory, compliance, and legal impacts may include:

• HIPAA Security Rule compliance
• Office for Civil Rights (OCR) enforcement for business associate compliance
• Class action lawsuits
• State regulations
• Global regulations including GDPR
• Cyber liability coverage and premiums

The following resources can help you outline specific legal and compliance challenges, costs, and remedies for third-party risk management:

• • INFOGRAPHIC | Legal Defense Against the Dark Arts: Battling Supply Chain Breaches
  • BLOG POST: Healthcare’s Gamble with Business Associate Breach Risks
  • BLOG POST: Legal Accountability Mounts for Supply Chain Breaches
  • WEBINAR REPLAY: Proposed Modifications to the HIPAA Privacy Rule | Key Points and Lessons Learned from History
  • PODCAST: Who is Responsible for Securing the Supply Chain? Managing Liability for Supply Chain Attacks

Procurement

Lengthy vendor security reviews are costing businesses time and money and generating frustration on all sides. Third-party risk management teams are unable to keep pace with the break-neck speed at which business operates.

As a result, Security teams can often be viewed as an obstruction to the business and procurement cycles. Key messaging to procurement stakeholders should explain how investments in your third-party risk management capabilities will increase throughput and speed so the business can operate with minimal friction from vendor security risk assessments.

Here are some specific points to make with procurement stakeholders:

• Reduce turnaround times for assessments. Investments in automation, workflow, and managed services can reduce turn-around for third-party risk assessments from weeks to days
• Show the stats. Here are some example statistics for typical third-party risk management program performance:
  • 5-10 business days is the most common target time frame to complete vendor risk assessments
  • 20-40 business days is the median time for actual vendor risk assessment completion
  • 5,800+ is the average number of third-party vendors used by a typical enterprise
  • 15,000 hours a year is the amount of time third-party vendors spend completing security assessments
  • 1 in 5 vendors pose a high inherent risk and potential for material impact to the business

A good resource to reference when speaking with procurement stakeholders is CORL’s infographic: The Need for Speed in Vendor Risk Assessments.

CORL Can Help: Let Us Help You Craft and Deliver Your Messaging

You are not alone. CORL’s team of third-party risk management experts can help you obtain buy-in across the organization for your TPRM program. Here are some points that can be shared to help qualify our opinion and help you gain support for your TPRM program:

• Data Reuse and TPRM Assessment Exchange

  • CORL has already assessed over 80,000 healthcare vendors
  • Assessment data reuse delivers rapid assessment turnarounds
  • Validated third-party risk assessment data provides risk results that you can trust without further follow up with vendors

• Automation

  • CORL’s vendor portal and automated workflow accelerate assessment data collection, analysis, and reporting
  • Automation allows CORL to scale assessments to cover your full vendor portfolio

• Workflow & Process

  • CORL’s inherent risk intelligence for vendor types, tiering and prioritization, and remediation follow up accelerate vendor risk management cycles

• Technology Integration

  • CORL integrates with technology solutions including GRC platforms, scorecards, and other solutions to get the right information in the right format to drive quick risk decisions

• Managed Services

  • CORL’s elite team of specialized third-party risk management professionals get results in rapidly assessing vendors and driving them to remediate known risks
  • CORL delivers best practices for third-party risk management that are optimized for speed and efficiency

Third-party risk management exposures are not going away any time soon. Hopefully these talking points can help you get the necessary conversations moving forward to obtain buy-in for investments in your third-party risk management program.

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results and lowers third-party risks.