Today’s Webinar: The Economic Impact of Third-Party Risk Management in Healthcare (PowerPoint presentation)


SLIDE 1

Today’s Webinar The Economic Impact of Third-Party Risk Management in Healthcare

SLIDE 2

Today’s Presenters

  • Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute
  • Ed Gaudet, CEO and Founder, Censinet (egaudet@censinet.com)

SLIDE 3

Agenda

  • Macro IT Trends in Healthcare
  • Research Overview
  • Key Findings – The Problem
  • Key Findings – The Bigger Problem
  • Recommendations

SLIDE 4

Macro IT Trends in Healthcare

  • Protect PHI
  • Provider satisfaction
  • Streamline security
  • Medical devices
  • Tight security budgets
  • Mobile, AI, blockchain
  • Limited resources
  • Cloud adoption

SLIDE 5

Research Overview

  • Ponemon Institute surveyed 554 IT and IT security professionals in healthcare companies who are involved in managing their organizations’ vendor risk management programs (VRMP).
  • All organizations represented in the study have VRMPs.

Respondents by department or function:
  • Information technology: 32%
  • Clinical staff: 18%
  • Patient services: 17%
  • Compliance: 8%
  • Procurement: 8%
  • Medical informatics: 4%
  • Risk management: 4%
  • Legal: 3%
  • Records management: 3%
  • Human resources: 2%
  • Privacy: 1%

Respondents by operating structure (29%, 26%, 17%, 16%, 12%): hospital or clinic that is part of a healthcare system; integrated delivery system network; standalone hospital; standalone clinic.

SLIDE 6

Key Findings – The Problem

The State of Vendor Risk Management in Healthcare

56% of providers have had one or more third-party data breaches over the past two years, at an average cost of $2.9 million.

SLIDE 7

Key Findings

The State of Vendor Risk Management in Healthcare

  • 3.21 full-time employees are fully dedicated to completing vendor risk assessments.
  • 513 hours are spent monthly completing assessments.
  • Healthcare providers have an average of 1,320 vendors under contract, but just 27% said that they assess all vendors annually.
  • 53% say their organizations allocate an average of 17 percent (~$2 million) of the cybersecurity budget to vendor risk management programs.
  • Respondents estimate it costs an average of $5 million to implement all four controls.
  • 40% say vendor assessments are very valuable in terms of providing actionable insights that can be reported to the C-suite and board of directors.
  • 42% say these assessments are somewhat valuable in providing information on what actions their organization should take.

SLIDE 8

Key Findings

The State of Vendor Risk Management in Healthcare

  • 76%: Current risk processes are costly, inefficient, and don’t reduce exposure to data breaches or downtime.
  • 59%: Senior executives and business owners are permitted to go around the vendor risk management process.
  • 54%: Health systems are at risk of a data breach because they are unable to complete risk assessments of all vendors.

SLIDE 9

The importance and effectiveness of vendor risk management control practices

Control practices rated:
  • Assessment of regulatory compliance
  • Enforcement of non-compliance with security requirements
  • Prioritization of vendor risks
  • Data breach / cyber exploit response procedures

Importance of each practice: rated 71%–86%. Effectiveness of each practice: rated 33%–39%.

Controls are considered important but not very effective.

SLIDE 10

Perceptions about third-party vendor risks

Strongly agree and Agree responses combined:
  • 34%: Third-party vendor risks are reported to the Board of Directors.
  • 63%: Current manual risk management processes cannot keep pace with the proliferation of digital applications and devices.
  • 65%: Current manual risk management processes cannot keep pace with cyber threats and vulnerabilities.
  • 66%: There is an increase in investigations and fines from HHS and OCR due to deficiencies in vendor risk management.

Risk management practices are not keeping pace with third-party security vulnerabilities.

SLIDE 11

Perceptions about vendor risk assessments

Strongly agree and Agree responses combined:
  • 27%: 100% of vendors are assessed annually.
  • 44%: Inefficient risk management workflows that rely upon spreadsheets, emails and other manual processes are automated to save time.
  • 58%: Regulations mandate that every healthcare provider identify, assess, monitor and mitigate risks caused by third parties.
  • 60%: Required under HIPAA to annually assess the risk of third-party vendors.
  • 60%: Time spent on vendor risk assessments takes resources away from important tasks.

Most healthcare organizations believe they are required to assess vendor risks, but only 27% assess all vendors.

SLIDE 12

The cloud and Internet increase third-party risks

Strongly agree and Agree responses combined:
  • 50%: Third-party vendors account for the majority of all data breaches experienced over the past two years.
  • 68%: Moving to the cloud while connecting medical devices to the Internet creates significant cyber risk exposure.
  • 72%: Healthcare providers increasingly rely upon third-party medical devices connected to the Internet that are inherently risky.

The use of medical devices is increasing third-party risk.

SLIDE 13

Not completing all vendor assessments puts organizations at risk

Strongly agree and Agree responses combined:
  • 54%: Our organization is at risk because we are unable to complete risk assessments of all our vendors.
  • 59%: Senior executives/business owners are permitted to go around the third-party vendor risk assessment process to secure a lucrative business relationship.

Senior executives are permitted to avoid conducting an assessment to secure a lucrative business relationship.

SLIDE 14

Which function benefits most from a well-functioning vendor risk management process or program?

Three responses permitted:
  • Clinical departments: 75%
  • Procurement/purchasing: 61%
  • Compliance: 59%
  • Legal (OGC): 45%
  • Risk management: 34%
  • CEO/COO: 31%
  • CFO/finance: 26%
  • CISO/CSO: 26%
  • CIO: 23%
  • CTO: 8%
  • Board of directors: 8%
  • Other: 4%

Clinical departments benefit the most from an effective vendor risk management program.

SLIDE 15

Vendor types that pose the highest risk

Four responses permitted:
  • Clinical applications: 56%
  • Cloud providers: 53%
  • Clinical researchers: 47%
  • Application developers: 41%
  • Business consultants: 33%
  • Outsourced IT: 32%
  • Medical device manufacturers: 31%
  • Back-office applications: 20%
  • Outsourced or co-located data centers: 20%
  • Payment processors: 19%
  • Outsourced HR: 19%
  • Payroll providers: 17%
  • Affiliated practices: 8%
  • Other: 4%

Vendors that provide clinical applications and cloud providers pose the highest risk.

SLIDE 16

The percent of respondents that would remediate or terminate

  • 33%: Respondents that would mitigate or remediate the security gap.
  • 28%: Respondents that would terminate the relationship with the vendor.

Vendors’ security gaps are not addressed following an assessment.

SLIDE 17

The percent of vendor assessments that result in disqualification or a requirement to remediate

  • 21%: Third-party assessments that result in a requirement to remediate prior to doing business with the vendor.
  • 11%: Third-party assessments that result in disqualification prior to doing business with the vendor.

1 in 5 assessments results in remediation, and 59% of organizations see their executives going around the process.

SLIDE 18

The Bigger Problem

  • Unable to keep pace with the proliferation of cloud apps, connected devices, and threats and vulnerabilities.
  • Hidden costs outpace direct costs because of process inefficiencies.
  • Gap of 2.5x between budget and the investment required.

10x

SLIDE 19

The Economic Impact of Third-Party Risk Management

Direct FTE-only Costs

3.2 full-time equivalent (FTE) employees dedicated to third-party risk management activities.

SLIDE 20

The Economic Impact of Third-Party Risk Management

Healthcare Organization Costs

Indirect labor costs: employees not dedicated, but involved in supply chain activities that touch third-party management and oversight.

SLIDE 21

Recommendations

SLIDE 22

A New Way: Less Time and Costs

  • Save Time (10x): Focus on high-value tasks such as training, scenario planning, continuity tests, etc.
  • Increase Coverage (50%): Assess all third-party vendors with continuous monitoring and updates to risk profiles.
  • Reduce Costs (50%): Reduce hidden costs, data breaches, and disruption to patient care and overall business.

SLIDE 23

Scale Your Risk Management Process with the Collaborative Risk Network for Healthcare

  • One-Click Assessment
  • Virtual Vendor Catalog
  • Application Integrations
  • Continuous Monitoring
  • Provider Visibility and Reporting
  • Real-time Updates

A Collaborative Risk Network for Healthcare provides fast assessments, immediate updates, and cross-functional visibility.

SLIDE 24

Moving to Real-time and Dynamic Risk Management

Ad hoc (where most providers are today):
  • Reactive and chaotic
  • Uncoordinated manual process
  • Unstructured data (Excel, Word) stored in email/passive repositories
  • No foundation for efficiencies
  • Redundant operations

Managed:
  • Automated, but siloed processes
  • Legacy tools in place
  • Processes are loosely defined and differ across groups
  • Informal training
  • Budget and resource gaps

Real-time (where most providers want to be, with a Collaborative Risk Network):
  • Standardized questionnaires
  • 1-Click Assessments
  • Real-time risk updates and alerts
  • End-to-end workflow automation
  • Virtual Vendor Catalog
  • Leveraged insight
  • Monitored and improved
  • Balanced spend against risks

Dynamic:
  • Automated risk remediation plans
  • Predictive risk management correlated with outcomes
  • Adaptive network with continuous optimization
  • Integrated with real-time threat feeds
  • Machine learning analysis of unstructured risk evidence

SLIDE 25

Request a Demo

1-855-666-6001 sales@censinet.com