Healthcare organizations manage an almost unimaginable amount of sensitive data, and industry experts say they aren’t doing enough to protect it.
For their 2015 Vendor Risk Management Benchmark Study, The Shared Assessments Program surveyed nearly 500 professionals for insight into risk management practices across various industries. The findings show that healthcare organizations come up short when implementing and maintaining a vendor risk management process. Perhaps the largest gap in healthcare organizations is third-party contract management; healthcare scored lower than all other industries in the following five areas:
- We have regulatory required standards for mandatory contract language/provisions
- We have IT/security-required standards for mandatory contract language provisions
- We have a procedure to review existing contracts for compliance with current contract standards
- We have a remediation process to correct contract deficiencies
- We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
These areas – like many relating to contract management, vendor management, and risk management as a whole – are essentially governance activities. They ensure that the correct standards, procedures, policies, or remediation processes are in place and closely monitored. Moreover, the requirements illustrate the cross-functional nature of contract governance, involving IT, compliance, and often business continuity groups as well. With so many silos involved, it’s clear that healthcare organizations fall short when it comes to reaching across departments to solve enterprise challenges.
The good news is that the expertise necessary to solve these problems is already in house. Through their existing risk, compliance, and information security teams, healthcare organizations already have a thorough understanding of regulations like HIPAA, OSHA, and NIST. What is missing is the ability to document each employee’s subject matter expertise in a way that can be shared with the vendor and contract management, so that third party requirements can be explicitly linked with the regulatory responsibilities of other functions. This type of information management requires a risk taxonomy to standardize communication between departments.
Integrating various governance areas with an enterprise risk management program carries significant benefits. Take the example of Boston Medical Center, who in 2014 cut ties with vendor MDF Transcription. This third-party vendor had posted the health records of 15,000 patients and failed to secure it with even simple password protection. This was BMC’s first breach involving 500 or more patients, indicating that they had adequate internal protections, but issues when it came to sharing sensitive information with third parties that failed to meet the same standard.
Boston Medical Center’s case is not necessarily unique, unfortunately, as up to 64% of all HIPAA breaches involve third party business associates. Had Boston Medical Center been using an ERM platform to track their own HIPAA compliance and the compliance of each of their vendors, including MDF Transcription, they could have identified the weak link and prevented the breach.