1(630)802-8605 Ravi.das@bn-inc.net

As we all know, the healthcare industry in the United States is like a double-edged sword.  In one area, we excel in terms of medical know, technology and advancements.  In the other realm, it is totally bogged by down inefficiencies brought on by the medical insurance companies.  For example, even the average American citizen can literally go bankrupt if they are struck by an unforeseen ailment – just because not everything is covered.

But the healthcare industry is also being brought to its knees with the issue of Cybersecurity, especially in how it deals with the risks that are inherited using outsourcing critical functionalities to third party entities.  This threat is underscored by a market research just conducted by two entities, known as “Censinet” and the “Ponemon Institute”.  The study is entitled “The Economic Impact of Third-Party Risk Management in Healthcare”, and here are some of the key findings:

*The yearly hidden costs of managing vendor risk is $3.8 million per healthcare provider;

*Each data breach costs $2.9 million per year;

*The total cost of managing third party vendors is at a staggering $23.7 billion per year;

*In 56% of the Cybersecurity incidents faced by healthcare providers, these were brought on by weaknesses and vulnerabilities in the processes associated with the third-party vendor;

*Overall in the United States, healthcare providers have an average of 1,320 vendors under contract;

*Only 27% said that they conduct a risk assessment of their selected third party before onboarding them;

*Although most healthcare providers (80% of them) believe that conducting third party risk assessments are very important, only 36% believe they are truly effective.

The study also reveals a serious conundrum that is also faced by the healthcare industry:  Medical professionals are overburdened by the everyday tasks that they must perform, thus they must farm it out to third party vendors.  But it takes just as much and time effort to onboard one, thus taking away even more resources to get daily job functions done.  Here is what they found:

*It takes the average healthcare provider 3.21 dedicated full-time employees to spend more than 500 hours per month completing third party vendor risk assessments;

*But as mentioned before, there are also hidden costs to this that are not in public view.  In terms of man hours, it can take up to 5,040 hours per month extra to effectively manage third-party vendor risk;

*60% of the respondents polled in this study think that the time spent on vendor risk assessments takes too much time away other important tasks.

So, what is the healthcare industry to do?  Well, automating tasks to a certain degree and even using Cloud based resources are certainly a viable option, but once again, medical professionals are too resistant to use them, primarily because it is still an unknown, and because of that, the fear of Cyberattacks with these resources are even higher than when compared to using third party vendors.  For example:

*72% of the respondents believe that using medical devices connected to the Internet is risky;

*68% of the respondents say that moving to a Cloud based infrastructure creates significant cyber risk exposure.

*3% state that they cannot keep up with the pace of advancements brought on by digital applications;

*Only 38% of healthcare providers can achieve automation in order to accomplish their daily job tasks.

My Thoughts on This

For the last couple of years, ever since the healthcare industry has been the primary target of the Cyberattacker, overall, I think that they have done a good job of securing patient medical data.  For example, at the places I have visited for medical reasons, the staff often asks for at least two forms of identification, and even ask you a couple of challenge and response questions. 

And, unless you authorize for them to do so, they are also extremely ironclad about releasing your confidential information to other parties, and even amongst other medical professionals.

I have even seen doctors and nurses make use of Two Factor Authentication (2FA) when it comes to accessing their workstations and other computer terminals.  But, as just described in this blog, the healthcare industry is now even facing a crisis that could prove to be far more devastating from a security standpoint than just protecting patient medical records.

It is overburdened, and the costs of outsourcing to third parties is proving to be much more of a cost than a benefit in the long run.  There are other resources that can be used to help alleviate this burden, but unfortunately, the adoption rate of them has been extremely slow, as medical professionals believe that they can bring on even more Cyberthreats.

Thus, in the end, it is like a dog chasing its own tail, with no solution in sight.  Yes, I strongly agree that there are risks to using a third-party vendor.  Even after all of the risk assessments are done, there is still no guarantee that they the outside entity you choose to utilize will not be free from a Cyberattack themselves. 

So, what can be done? Here are three thoughts I have, just based upon what I have written, and of course, further research needs to be done into it:

*Hire more healthcare workers to alleviate the backlog as risks assessments are being done on third party vendors;

*Create a dedicated staff from within the healthcare organization whose job everyday is just to conduct evaluations and risk assessments on third party vendors.  That way, the other medical professionals and associated staff members will have their resources freed up to do their own job tasks;

*Over a period of time, HIPAA should be revised that mandates the use of a Cloud based infrastructure and automation so that this conundrum does not further escalate into another full-blown Cyber Risk.

These are obviously not easy choices to make, and it will take time to implement.  But rather than having the current Presidential Administration keep bickering about ending Obamacare, why can’t these other Cybersecurity issues be addressed as well?  After all, there are other countries around the world, where healthcare is not such an issue, and where it is even government sponsored, such as those in Canada and France.  But this is more of a political bandwagon, and I’ll leave it there.  Actually, about a year and a half ago, I was a featured speaker on the very issue of security risks that are brought on by using third party vendors.  That webinar can be seen here:

Finally, more detail about the research study can be seen here:

https://go.censinet.com/ponemon-third-party-vendor-risk-management-research