
It’s Time for Healthcare to Focus on Vendor Risk Maturity

Cybersecurity breaches in healthcare are more numerous and costly than ever before, and a large share of them arrive through the supply chain. For healthcare companies looking to reduce the risk associated with vendors and other business partners, a mature third-party risk management (TPRM) program is an imperative. It is also a compliance matter: HIPAA's Omnibus Rule extended direct liability to business associates and their subcontractors, so covered entities and business associates alike must be able to evidence how they manage third-party risk.

For any healthcare company looking to improve, an assessment of its current TPRM maturity is the best place to start. Here are the numbers, followed by some practical advice on how to get started with a TPRM maturity assessment.

Healthcare Breaches by the Numbers

We all know that healthcare breaches are on the rise. When you dissect the Health and Human Services Office for Civil Rights (OCR) HIPAA breach portal, the numbers don't lie.

A recent Chief Healthcare Executive article reported that 50 million Americans were affected by healthcare data breaches in 2022. According to SC Magazine, the average cost of a healthcare breach was a reported $10.1 million, almost $1 million more than the average reported for other industries.

Couple this with the recent Verizon Data Breach Investigations Report (DBIR), which found that 62% of system compromises came through the supply chain, and it is a safe bet that many healthcare organizations are struggling with their own third-party vendor risk management programs.

At the same time, healthcare executives note that it is increasingly hard to find the bandwidth to regularly monitor vendors and business associates and confirm that they are handling and securing data the way they are contractually obligated, and expected, to.

Analysis of the breaches reported to the OCR HIPAA breach portal shows the following:

  • 70% of the breaches involved healthcare providers
  • 12% of the breaches involved health plans
  • 18% of the breaches involved business associates (i.e., vendors processing PHI)

Drilling down into the breaches that involved business associates reveals the following causes:

  • 78% of the breaches were due to hacking or IT incidents
  • 19% of the breaches involved unauthorized access or unauthorized disclosures of data
  • 3% of the breaches were due to either loss of data or theft

The healthcare sector is already seeing increased scrutiny from the OCR (the enforcement arm for HIPAA violations) regarding cyber threat management, and the OCR has also informed the industry that it is increasing its scrutiny of how third-party risk management (TPRM) programs are deployed.

Getting Started with a TPRM Maturity Assessment


Armed with this data, it is prudent for healthcare organizations to establish, and be able to present, a mature vendor risk management program, one that has internal support from second-line risk and compliance functions as well as executive management.

A mature TPRM program is not only vital for managing risk with business associates; it is also expected under HIPAA's Omnibus Rule, which holds business associates and their subcontractors directly liable for their own HIPAA compliance. In practice, this means covered entities and business associates cannot hide behind a signed business associate agreement: all parties must be able to evidence a working TPRM program.

To gauge the maturity of a vendor risk management program, an organization needs to either perform a self-assessment of its existing program or have an independent assessment performed by a qualified assessment professional.

Either way, it is highly advisable that the assessment be done against the Shared Assessments Vendor Risk Management Maturity Model (VRMMM), which covers more than 250 distinct program elements that form the basis of a well-run third-party risk management program.

This model, combined with the skill of the assessor, identifies the fundamental strengths and gaps across the phases of a TPRM program: building it, implementing it, and optimizing it. The assessor can then establish maturity metrics that can be tracked over time, benchmarked against industry best practices, and integrated with the risk ratings in the organization's overall enterprise risk management program.

The Benefits of a Mature TPRM Program

For healthcare organizations, whether you are a covered entity or a business associate, an established and maturing TPRM program pays dividends with your management, business partners, and legal counsel.

For directors of third-party risk, this is incredibly important as you position yourself to give the organization a clear picture of the overall security and privacy posture of its business associates and other external entities, along with a plan to mature it.

Additionally, maintaining an inventory and documentation of these critical relationships and processes keeps the TPRM program on par with the organization's governance and compliance initiatives.

The Bottom Line

While the risk of a data breach involving health information can never be eliminated, a sound and continually maturing vendor risk management program can reduce the risk that comes with outsourcing.
