Webinar helps covered entities with third-party risk management

Third-party risk management requires a comprehensive vendor risk management program capable of verifying that vendor security controls are effective, according to a Health Care Compliance Association (HCCA) webinar presented by Nadia Fahim-Koster, of Meditology Services, and Alex Masten, of CORL Technologies. Masten noted that risk management is ultimately about “assurance”; therefore, developing a risk management program requires data and monitoring designed to assure covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that vendors are adequately safeguarding protected health information (PHI).

Fahim-Koster detailed the scope of third-party breach risks, including HIPAA violations, negative media coverage, undermined patient trust, undermined employee trust, HHS Office for Civil Rights (OCR) penalties, lawsuits, breach notification costs, and the uncertainty of business associate reimbursement. Additionally, all of these risks evolve as technology changes. For example, Fahim-Koster reminded providers that third-party breach risks have grown in complexity with the expansion of disruptive technologies such as the Internet of Things (IoT) and migration to the cloud.

Masten noted that part of the problem with third-party risk management stems from the fact that the majority of vendors with access to PHI are small. Masten explained that this is unfortunate because small vendors are vastly more likely than larger vendors to be involved in a breach. Additionally, small vendors are more likely to enter into subcontracts, leaving CEs confused about, or unaware of, the subcontractor’s breach protection measures. Masten also noted that only 26 percent of vendors have a security certification and many vendors don’t have designated security personnel; in fact, only 39 percent of vendors have at least one designated security staff member. Above all, Masten cautioned that breaches can happen at any time to any kind or size of vendor.

Vendor security program

To implement a vendor security program, Masten said CEs should take the following four steps: (1) profile vendors and rank them by risk; (2) conduct due diligence through risk assessments; (3) apply a risk strategy based on the gaps identified by the risk assessment; and (4) monitor vendors for breaches, third-party assurances, and implementation of the risk strategy. Because monitoring what may be thousands of vendor contracts is complex, Masten suggested that entities may need multiple full-time employees dedicated to collecting data on and monitoring third parties. He also suggested that providers increase efficiency by developing a comprehensive vendor questionnaire to assess the risks associated with each vendor.