Panelists discussed top third-party risk management challenges and best practices at the HealthITSecurity Virtual Summit.
Health-ISAC quote:
“Vendor partners often operate in multiple sectors, so they don’t always have an appreciation for HIPAA, and HIPAA is complex,” added Phil Englert, Health-ISAC’s director of medical device security.
– Third-party risk management (TPRM) remains a significant challenge for healthcare organizations of all sizes, as exemplified by the high volume of third-party data breaches reported to HHS in 2022.
As healthcare organizations continue to expand their network of vendors, existing TPRM strategies are falling short, experts at the 3rd Annual HealthITSecurity Virtual Summit articulated during a panel session.
“Our teams are not only being asked to know, internally, what our risks are and how to address them, but now we’re asking them to know what our partner’s risks are and how specifically to address them in our space, which is considerable,” said Monique Hart, chief information security officer and executive director of information security at Piedmont Healthcare.
“Today, we are looking at poor assessment strategies that don’t support actual remediation, long inefficient turnaround times, questionnaires that aren’t tailored to the specific environment, inconsistent results from analyst over-reliance on technology or external data, and maybe ineffective, inefficient vendor customer communication. That brings a whole lot of challenges.”
Solving these problems is not easy. That was the consensus from Hart and co-panelists Dee Young from UNC Health, Phil Englert from Health-ISAC, Inc., and Ryan Blaney from law firm Proskauer. Throughout their discussion about TPRM obstacles, the experts offered several best practices for maturing the TPRM process that healthcare organizations can begin adopting today.