Third-party risk programs in healthcare lack maturity, which puts data at risk, according to a report from the Shared Assessments Program and Protiviti, a global consulting firm.
As cyberthreats become more sophisticated, many healthcare organizations are not prepared to manage their own security, let alone that of their business associates, according to an announcement on the report. Effective vendor management requires organizations to apply the same due diligence to third parties that they apply to their own incident response plans.
The survey included 450 C-suite executives, risk management and audit professionals across a range of industries, including healthcare.
In the survey's second year, those polled said they had gained a greater understanding of vendor risk over the past year, which the authors attribute to the number of high-profile data breaches involving vendors, as well as to the release of new regulatory guidance over the past two years, including the NIST Cybersecurity Framework.
The report also found greater momentum for building stronger vendor risk management programs, including vendor risk appearing on the agendas of boards of directors. However, it notes that a lot of work remains to be done.
Among the findings:
- The overall maturity rating for program governance across industries is 2.8 on a 5-point scale
- Financial services organizations' risk-management programs are more mature than those of companies in insurance, healthcare and other industries
- Organizations that outsource critical services show varying levels of maturity across industries, and their vendors are not aligned with the organizations' data safeguards and security policies and procedures
Healthcare ranked lower than other industries in many areas, including evaluating key risk and performance indicators in management and board reporting; having IT/security-required standards for mandatory contract language; having a process in place to track and communicate incidents; and more.
Alan Friel, a privacy attorney with BakerHostetler, recently offered tips for addressing key legal and business issues in contracts, including the advice to clarify which party is responsible under what circumstances for what liability and harm.