Providers continue to struggle with vendor risk management

Many providers struggle to adequately assess and understand the risks that their information technology vendors and other entities pose.

That’s the conclusion of a new report from Ponemon Institute and Censinet. Ponemon conducts independent research on data protection and emerging technologies. Censinet offers a cloud platform for providers and other stakeholders to handle vendor risk management.

The ability to properly assess and understand vendor risks has become very expensive for providers, with estimated yearly hidden costs of $3.8 million per provider, which is considerably more than the average $2.9 million that a data breach costs.

Ponemon’s research also shows that more than 50 percent of providers experienced a breach introduced by one or more vendors in the past two years.

“It’s clear that healthcare providers are in a tough spot,” says Larry Ponemon MD, chair and founder of the institute. “The number of vendors they rely on is increasing at the same time the threats that vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem.”

“This research confirms that healthcare providers require a better, more cost-effective approach to third party risk management,” adds Ed Gaudet, CEO and founder at Censinet. “The adoption of technology in healthcare is more rapid and complicated than ever before.”

But it’s not all doom and gloom, according to Ponemon. “We can very clearly see an opportunity with automation for healthcare providers to monitor, measure and mitigate the third party breaches that continue to plague the industry.”

In the survey accompanying the report, many providers are clear about the risk they face. Some 72 percent of respondents say increasing reliance on third-party medical devices connecting to the Internet is risky, and 63 percent acknowledge they cannot keep pace with the proliferation of applications and devices.

At the same time, surveyed providers don’t seem to prioritize management of vendor risk.

  • Providers have an average of more than 1,300 vendors under contract, but only a quarter of providers assess all vendors annually.
  • Some 60 percent say they believe that senior executives can bypass the third-party assessment process to secure a lucrative business relationship.
  • Some 80 percent say prioritization of vendor risk is important, but only a third say they believe that their ability to prioritize is effective.
  • Only 40 percent say they believe that assessments are valuable for actionable insights to senior executives.
  • Only 20 percent of risk assessments result in a requirement for vendors to remediate risks prior to doing business with the provider.