Would you leave unprotected data on a laptop somewhere outside your organization? Would you allow a third-party vendor to do the same without your knowledge? If the answer is no— and we hope it is—you need a comprehensive vendor risk management strategy. This fundamental guide walks you through definitions, strategies, roadblocks and solutions to build a strategy that works for your organization.
What is vendor risk management?
At its most basic level, vendor risk management is the process by which organizations assess and manage security risks of any third-party vendor.
Gartner’s definition reads: “Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.”
Organizations simply cannot perform every single task, or employ every single technology, in-house. To focus on core competencies, they must outsource some operational activities to third-party vendors. But, those third-party vendors must be business partners who can protect the operations, information and technology of their customers. While third-party vendors should perform due diligence for this purpose, the burden is on the customer to ensure every single vendor is adhering to agreed-upon standards of security and protection.
Why is vendor risk management critical for healthcare organizations?
With federal regulatory requirements on privacy and security of protected healthcare information (PHI), healthcare organizations have an obligation to protect their own operations and information, along with that of contracted vendors that have access to PHI.
Unfortunately, contracted vendors haven’t always been responsible in their handling of PHI, resulting in a rise in healthcare breaches. At the same time, healthcare organizations, called covered entities (CEs), were signing contracts with outside vendors without an understanding or awareness of each vendor’s risk profile. Because vendor risk management did not exist, federal regulations (HIPAA and HITECH) evolved over the years to include third-party vendors and business associates (BAs).
Think of BAs as an extension of your hospital or facility—as another location of PHI. BAs are just as vulnerable to breach as your internal operations and should have the same stringent controls.
Recent updates to OCR audit protocols now require CEs to be responsible for the controls that their BAs have in place on behalf of the CE. This is an imperative—healthcare organizations must understand the vulnerabilities and controls in place for each contracted vendor. Why? The privacy and security of PHI is still the responsibility of the CE, regardless of where that information lives.
The biggest challenge for CEs is that vendor risk management is incredibly high volume. Even a small hospital could have over 100 business associate agreements (BAAs). And, that does not include downstream BAs—when the BA has its own BAs that also need to be assessed and managed.
What is the difference between third-party vendors and business associates?
Every BA is a third-party vendor, but not every third-party vendor is a BA, meaning not all vendors access or use PHI.
According to the U.S. Department of Health & Human Services (HHS), a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. There are three types of business associates, those who:
- Store PHI
- Transmit PHI
- Use PHI
TYPES OF BUSINESS ASSOCIATE FUNCTIONS AND SERVICES
- Claims processing
- Data analysis
- Quality assurance
- Benefit management
- Information technology
- Electronic health records
- Medical devices
Many times, a BA can be a combination of two or all three. Each BA is considered on a level of low to high risk, based on the level of interaction with PHI. For example, a housekeeping vendor is considered low risk, while an electronic medical record (EMR) vendor is considered high risk.
What types of healthcare facilities should have a vendor risk management strategy?
Every type of healthcare provider, or CE—including multi-facility health systems, physician practices, nursing homes, clinics, surgery centers and more—should have a strategy in place for vendor risk management
Any type covered entity needs a vendor risk management strategy, regardless of its size or the number of BAs. A vendor risk management strategy is potentially more important for smaller organizations that may be unaware of the complexities of HIPAA and the risk profiles of their BAs.
What does a comprehensive vendor risk management strategy include?
A comprehensive vendor risk management strategy is cyclical and includes six main components:
- Define/Update Protocols
- Take Inventory
- Perform Audit
- Perform Risk Analysis
- Create Action Plan
To know how and what to assess, a CE needs to first establish its own security and risk protocols. Define, agree on and document those protocols to provide a primer for BA assessment. These internal protocols should be reviewed consistently as part of an ongoing vendor risk management strategy to account for any updates or changes, either in the use of technology or in regulatory requirements.
Not surprisingly, many CEs do not have a complete inventory of all the BAs that provide services. Again, sheer volume is a factor. Countless BAAs can be scattered throughout different departments in a single organization.
Begin by collecting and documenting an inventory of every BAA for the covered entity. This may require some digging to find paper contracts, or agreements managed by other teams or departments. In addition to compiling a complete list of the agreements, rate and organize them by inherent risk.
Use an inventory tool, like this one from ComplyAssistant to document BAs and categorize based on level of inherent risk.
Prioritize the inventory by inherent risk, and begin an audit with those BAs considered to pose the highest risk—auditing three to five vendors at a time—and work down the list.
An audit should include an agreed upon question set, based on previously determined protocols. Each BA must respond to the audit questions and upload any supporting documentation within a specified deadline.
Medical devices are considered BAs and have unique provisions that require a deeper audit. Ask ComplyAssistant about its 120-point survey.
Perform Risk Analysis
Each BA will already have an inherent risk rating assigned during the inventory process. Based on the audit results, each BA will also receive a control risk rating. The control risk rating considers the BA’s responses, evidence and controls already in place.
Create Action Plan
Depending on the control risk rating, each BA may need to fill gaps in their security and compliance controls. Assign action items to fill those gaps, and provide the BA with a deadline for completion.
For each BA with a high control risk rating, provide a reasonable timeframe to complete an action plan, and reassess within six months.
For BAs with a low control risk rating, schedule another audit in 12 to 24 months or within a reasonable timeframe for the determined protocols.
If BAs refuse to perform the audit or comply with an action plan, the CE has a couple of options:
- Continue service with the BA, but put them on notice as a high-risk vendor. Many vendors may not want this documented, so it could motivate them to comply.
- Discontinue service with the BA and find another vendor. This may not be a viable option, depending on the type of product or service the BA provides.
Include a requirement in the agreement that BAs must complete an audit on a regular basis. For new BAs, request the audit prior to signing the agreement.
What are common roadblocks to implementing a vendor risk management strategy?
Establishing and maintaining a vendor risk management strategy that truly protects an organization from all angles can be daunting. Here are common roadblocks to consider:
- High volume and limited resources
A single organization can have over 100 BAs, and insufficient resources to manage a vendor risk management strategy in-house.
- Traditional, manual tools are insufficient
CEs simply cannot manage a vendor risk management program using Excel documents. Traditional tools that focus on manual input cannot handle the volume, analysis, document storage and project management required.
- Lack of in-house knowledge or discipline
Depending on the type of facility, in-house expertise may not be available. Even if expertise is available, vendor risk management often falls to the bottom of the list of competing priorities.
- Competing political agendas and priorities
Compliance and IT departments are typically combined. When it comes to security and compliance, this is the equivalent of a tax auditor reporting to the CFO. Vendor risk management should be separate from IT to minimize conflicts of interest.
Rather than trying to move a mountain, tackle vendor risk management one piece at a time. Set short-term goals that lead to a long-term program, and enlist the help of an expert when needed.
What support do healthcare organizations need for vendor risk management?
Considering the common roadblocks listed above, many organizations seek subject matter experts and technology to help manage such a formidable process.
If considering vendor risk management software, look for a solution that can help you inventory, organize, store and project manage—best if the software offers alerts, notifications, exception management and action planning.
Even with software, covered entities may need the help of seasoned subject matter experts to help gather inventory, risk rate BAs, perform gap analyses and assist with action planning. If using an outside consultant, make sure they have a structured vendor risk management tool.
Additional resources from ComplyAssistant
Blog: Third Party Contract and Privacy and Security Risk Management
Blog: Reducing Hurdles in BA Assessments
Tool: Building Your Medical Device Cybersecurity Protocol
Tool: Business Associate Inventory Spreadsheet
Tool: Business Associate Agreement
Podcast: Medical Device Security
Solution: Vendor Risk Management Software