Study calls for new approaches to third-party risk management.
N2K, Jul 27, 2023

Survey: Third-party risk management vendors and covered entities agree that current approaches aren’t working.


Health3PT conducted a survey to identify the challenges associated with third-party risk management (TPRM) and how they affect the healthcare industry.

Legacy methods meet with dissatisfaction.

The survey found that most organizations consider the legacy TPRM process ineffective: 50% of covered entities report that TPRM is not keeping pace with the volume of security assessments they receive, and they also cite excessive turnaround times for remediating issues identified during audits. Business associates, for their part, report that “Customers are unwilling to accept third-party validated assessments and certifications in place of proprietary control questionnaires.” Business associates also say they struggle with the variability of questionnaires and audits, and with the resources and time required to meet compliance requirements. In a press release Health3PT writes, “An industry survey conducted by Health3PT confirms the challenges facing current healthcare TPRM processes and reveals that both covered entities and vendors are overwhelmed. Sixty-eight percent of covered entities and 79% of vendors believe the current TPRM process is inefficient. Vendors experience audit fatigue from the sheer volume and variability of proprietary security questionnaires they receive from their customers, and covered entities can’t keep pace with the volume of questionnaire responses they receive. The legacy process is a resource and productivity drain for the healthcare industry, and neither covered entities (60%) nor vendors (72%) see the status quo as an effective process to prevent data breaches.”

Problems afflicting the process. 

Among the problems the survey identified are the lack of an overarching, standard methodology for tiered solutions; contracts that are vague and “verbose”; little or no follow-up after a deficiency is identified; and “limited organization-wide insight into vendor security risk.”

Possible solutions to provide a better, more productive relationship. 

A key finding of the survey is that the sheer volume of security questionnaires and responses is overwhelming both sides. Health3PT recommends that business associates and covered entities standardize their questionnaires and responses and exchange them electronically to ease the process. It also recommends that vendors and covered entities adopt a tiered strategy for addressing gaps discovered in the audit process, which would prioritize critical fixes and let both parties work through harder or more serious problems in an organized fashion.