Q&A: Vendor Management In Healthcare: The High Cost of Failing to Triage Your Vendors
Rebecca L. Rakoski, co-founder and managing partner at XPAN Law Group, presented the webinar Vendor Management In Healthcare: The High Cost of Failing to Triage Your Vendors on November 5. In anticipation of this webinar, Rebecca answered many commonly asked questions on our blog:
Why is vendor management such a huge issue for the healthcare industry?
Over the past several years 89% of healthcare providers report that they have suffered a data breach. One of the areas in which organizations continue to struggle is vendor management. To be sure, cybersecurity and data privacy affect every aspect of a healthcare organization’s operations, or it should at least. The issue certainly bears close examination when taking into account that more than half of the hospitals studied reported that they have had one or more data breaches caused by third-party vendors.
Considering we are facing COVID-19, why should healthcare organizations address this issue now?
Coronavirus-themed phishing attacks are so pervasive that in April 2020 both the U.S. and U.K. issued a joint warning about their growing use to infiltrate healthcare organizations. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre stated, “[t]he surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organization.” Consequently, the healthcare industry is on high-level alert for Advanced Persistent Threat hacking group activity.
How can healthcare organizations position themselves to better address vendors and limit liability?
Healthcare organizations need to remember that using a purely technological solution is not effective. Taking the human element and the legal element out of the equation, will lead to more issues. Automation tools can be helpful in generating vendor assessment questionnaires and updating risk profiles, but there needs to be a collaborative approach incorporating technology, compliance, the C-Suite, and legal. Only when these elements combine can an organization truly address vendor issues and liability.
If vendors are such a big threat, why use a vendor to do the due diligence?
First, it is a relief on internal resources. It takes significant time to perform vendor audits. Allowing a third party to undergo a set number each year frees up internal personnel to evaluate the audit results and make educated decisions rather than being the investigator and getting bogged down in the process.
Second, it creates accountability. A big issue with vendors is that relationships form overtime between the vendor and the organization. That is a good thing, but it can also lead to a situation where both parties get too “comfortable”. Healthcare organizations need to be able to evaluate vendors with a critical eye and not allow sentiment or familiarity prevent them from making a change when it is needed. Using a third party provides that accountability because the auditor is not affiliated with either organization and can provide an unvarnished and independent opinion.
Conclusion
Current approaches by health systems to managing vendors are falling increasingly short of what is necessary in this evolving technological environment. Vendor management is a key component to any data privacy or cybersecurity initiative. Using the right combination of legal, technological and management team is above all critical. Healthcare needs to be using vendors that can quickly pivot and adapt, using the knowledge gained from the COVID crisis.
Rebecca L. Rakoski is the co-founder and managing partner at XPAN Law Group. Rebecca councils and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions. As an experienced litigator, Rebecca has handled hundreds of matters in state and federal courts. Rebecca skillfully manages the intersection of state, federal, and international regulations that affect the transfer, storage, and collection of data to aggressively mitigate her client’s litigation risks.
As a thought leader in the area of cybersecurity and data privacy, Rebecca serves on the New Jersey State Bar Association’s Cyber Task Force. She also served on the Complex Business Litigation Committee that drafted and revised the Court Rules involving electronic discovery in complex litigation matters. Rebecca has been appointed in several litigation matters by the New Jersey Superior Court as a Discovery Special Master.
Rebecca is on the Board of Governors for Temple University Health Systems, and an adjunct professor at Drexel University’s Thomas R. Kline School of Law.
Be sure to sign up for Rebecca’s webinar Vendor Management In Healthcare: The High Cost of Failing to Triage Your Vendors. Take a look at our new book: HIPAA Privacy and Security and check out our online compliance training courses such as The UPIC is Coming: CMS Auditors 2.0, and MACRA – Medicare Access & Chip Reauthorization Act of 2015.as well as our other on-demand webinars in our shopping cart as part of our online compliance training courses and get ready for our Virtual HIPAA Privacy and Security Summit 2020 on November 12 where you can find Rebecca as a guest speaker. A full-day of learning with available CLEs and CEUs!