As of late, cyberattacks have reached an all-time high in the healthcare industry. In July of 2022, a cyberattack and data breach at a healthcare organization resulted in a $100 million loss in revenue,¹ and according to U.S. government data, in 2022, healthcare breaches are rising significantly.²

Because of this, third-party risk management (TPRM) is more important than ever for your healthcare organization. TPRM programs can help healthcare organizations address issues such as cybersecurity, reputation protection, patient trust preservation and more.

The first step: Identify your vendors

The first step in implementing a TPRM program is to identify all your vendors and the products or services they provide to your healthcare organization or your patients. Your Accounts Payable department can provide a vendor list, since they have records of all companies, entities and consultants billing your organization.

Make sure your high-risk vendors are identified and prioritized. Typically, these vendors require access to confidential patient data to provide a product or service. Due to HIPAA rules, these vendors will become known as Covered Entities or Business Associates. Once you've established your vendor inventory, you're one step closer to managing third-party risks effectively.

Implement a TPRM program through the TPRM lifecycle

The next step is to implement a strong TPRM program. The best method for implementing such a program is to follow the TPRM lifecycle stages and activities. Using the third-party risk management lifecycle as a guide, your organization can minimize vendor risk by ensuring the right risks are identified, assessed and managed at the right time.

The TPRM lifecycle encompasses the following stages:

1. Onboarding: This is the most important stage of the lifecycle, which covers activities from identifying the vendor to executing the contract. During onboarding, your organization investigates the vendor and identifies and assesses risks associated with the product, service and, therefore, the relationship. Once your risks are known, your organization must verify that the proper controls are in place to manage the risks, and that includes making sure you have a well-written contract. Let’s explore the steps and activities in the onboarding stage.  
   • Planning & risk assessment – Determine inherent risk and criticality. Inherent risk is risk present as part of the relationship by default and is assessed without considering future precautions or controls. A vendor's criticality refers to the impact on the business should the vendor cease to operate.

         You can easily determine criticality with three questions:

1. If we abruptly lost this vendor, would our organization be significantly disrupted?
2. Would the sudden loss of this vendor impact our patients?
3. If the time to restore service required more than 24 hours, would there be a negative impact on our organization?

         If you answered “yes” to any of those questions, you have a critical vendor!

• Due diligence – Once you understand the inherent risk and criticality, you need to identify and validate the controls required for risk mitigation. Your organization will need to collect and review documents and information from the vendor. A qualified subject matter expert should review the vendor information and provide an expert opinion regarding the sufficiency of the vendor’s controls.
• Contracting – If the controls are sufficient and the remaining (or residual) risk is acceptable, your organization can begin negotiating and formalizing your contract. Be sure to include specific requirements and provisions in your agreement that legally obligate your vendor to manage risks. The contract should also include an exit strategy to define what would happen if the relationship were to be terminated.

2. Ongoing: After the contract is signed, stay on top of emerging vendor risks by conducting ongoing due diligence reviews and assessments. The following should be repeated regularly:
   • Reassessments – Periodically re-review vendor engagement to look for changes in their level of risk, including new or emerging risks. Conduct periodic risk assessments (e.g., annually for critical and high-risk vendors, every 18 months for moderate-risk vendors and every two to three years for low-risk vendors). Once the risks of the relationship have been reevaluated, reach out to the vendor for refreshed documents and information to validate the current risk levels. Any changes must be documented and managed appropriately.
   • Due diligence – Since due diligence isn’t a one-and-done activity, recurring due diligence should always be part of third-party risk management. As vendor risk can evolve over time, regular due diligence reviews should be scheduled annually, at a minimum. However, special circumstances may require reviews to be conducted more often, such as before a contract renewal, if there are performance issues or if there’s a regulatory change.
   • Monitoring & performance – Ongoing risk and performance monitoring will ensure that the vendor is still providing quality products/services and that their risk level remains relatively consistent. This includes tracking service level agreements and remaining aware of any identified issues.
   • Renewals – Before contract renewals, reassess the terms and provisions to determine if any negotiations are needed. As negotiation can take a while, do this well ahead of renewal. A consistent and continuous vendor dialogue is key to ensure that everyone is on the same page regarding performance, service level gaps, meeting specific requirements and other processes.

3. Offboarding: If you no longer wish to use a vendor for an outsourced product or service, the engagement must end. This can be due to various reasons (vendor failed to meet SLAs, vendor’s risk became too high, etc.). No matter the reason, a solidified termination process should be put into place that includes:
   • Termination – Notify the vendor of contract non-renewal.
   • Exit plan execution – Follow the exit plan, ensuring that your vendor meets all responsibilities and obligations such as data destruction or return, while at the same time, your healthcare organization is taking appropriate next steps.
   • TPRM closure – Once the exit plan is completed, wrap up any final steps needed to formally end the relationship such as reviewing and paying final invoices. Make sure all relevant vendor information is appropriately organized and archived. Remember that you may need to access this data in the future for a regulatory exam or audit.

As the three stages occur, oversight and accountability, documentation and reporting, as well as independent review, also support and guide the TPRM lifecycle. This means that roles are established and defined, including who will oversee the program and process, and that there are governance documents that define the process, including policies and procedures. Internal audit teams should also assess the program periodically to determine if it meets expectations or if it requires improvement.

Whatever the industry, establishing a solid TPRM process and strong program management and oversight roles is essential. Well-written and accessible program policies and procedures that follow the TPRM lifecycle stages and activities will help your organization successfully manage its vendor risk.

To learn more about TPRM, visit Venminder’s resources library and blog.

References

1. HIPAA Journal. July 25, 2022. Tenet Healthcare cyberattack had a $100 million unfavorable impact in Q2, 2022. https://www.hipaajournal.com/tenet-healthcare-cyberattack-had-a-100-million-unfavorable-impact/.
2. Fox, A. September 27, 2022. House bill proposes a new strategy to protect patient data. Healthcare IT News.https://www.healthcareitnews.com/news/house-bill-proposes-new-strategy-protect-patient-data.