Many healthcare organizations have implemented at least some elements of a third-party risk management (TPRM) process, such as vendor risk assessments and due diligence, especially for business associates and vendors that provide services or medical devices critical to patient care. In some organizations, the third-party risk management process is still very manual and requires maintaining and updating multiple spreadsheets. However, these processes are inefficient, error-prone, and tend to focus on old or aging data, which limits comprehensive reporting.
Suppose your organization recognizes that manual third-party risk management processes aren't sustainable for the long term and that there is a need for more comprehensive TPRM processes. In that case, it's time to implement a more effective and efficient third-party risk management program. But, how do you go about making a case for these improvements? What do your stakeholders need to know and understand about third-party risk management so they can support and champion your efforts?
5 Ways to Gain Buy-In for Healthcare Third-Party Risk Management
Consider the following approaches to secure buy-in for your TPRM program:
- Address the criticality of patient safety. Your patients’ safety should motivate stakeholders to support a robust third-party risk management program. According to the U.S. Department of Health and Human Services, cyberattacks that compromise medical devices are among the top threats to patient safety. It's not uncommon for hospitals to have hundreds of medical devices, so a third-party risk assessment for each device is essential. All medical devices, especially those that connect to your organization's and business associates' networks over the internet, must be properly vetted before purchase.
Medical devices differ from vendor companies and from stand-alone Software-as-a-Service (SaaS) applications that reside on your internal network: medical devices, and the software they run, carry their own unique vulnerabilities. If these devices are hacked, your patients can be seriously harmed. To keep your patients safe, you need to implement TPRM programs that protect them from modern threats like compromised medical devices. Make sure that your stakeholders understand the role third-party risk management plays in protecting your patients.
- Communicate the benefits. You need to identify and communicate how a TPRM program will benefit your stakeholders, including senior leadership, the board, and other departments such as legal, compliance, and IT. Each of your main stakeholders must understand how this program will benefit not only the entire organization, but their specific department as well.
For example, the operations team can benefit by having an organized and current view of a business associate’s and vendor’s business continuity and disaster recovery plans. The compliance team can quickly generate a report detailing a business associate's or vendor's licensing status. It may take time to identify all department-specific benefits, but it is worth your effort to gain consensus.
- Understand the stakeholders' challenges with TPRM. Start by having conversations and asking questions such as the following:
- What pain points have they experienced when vetting third parties for their department's specific uses?
- Were there any issues receiving completed vendor assessments on time?
- What breakdowns in communication with business associates and vendors may have occurred?
- What specific problems have they experienced with how third-party risk assessments have been conducted or are being conducted?
Each team member may have a different response to these questions, but you’ll start to see patterns emerge. Use these responses to identify what's most important to your main stakeholders, which will help you deliver the right business case.
- Ensure everyone understands the importance of data protection. There is no doubt that every department in your organization has some type of data that is important to them. Of course, your patient data is of greatest concern, but so is PCI, PII, and proprietary data such as clinical research and trial data. Your third-party risk management program can enhance data protection, which is a major selling point when seeking buy-in.
Your organization should verify that sensitive information held in third parties' environments is secure. However, your current processes may need to be expanded to verify how and where your sensitive data can be accessed, transmitted, or stored within a third party's network and medical devices. Your team members need to be able to speak about data transmission via HL7 FHIR APIs and about remote network access using VDIs or a zero-trust model. Developing a technical training program for third parties may become an essential component of your third-party risk management program.
It's imperative to emphasize that your organization must protect data, especially Protected Health Information (PHI), when using a third party or medical device. Ensure that your main stakeholders understand that a third-party risk assessment includes assessing and verifying a business associate's network and data security practices. This assessment is necessary whenever your organization's PHI, PCI, PII, and proprietary data are involved.
- Explain the costly consequences of a third-party data breach. A third-party data breach isn't something your healthcare organization wants or needs to experience. These data breaches result in costly consequences, including fines, increased cybersecurity insurance premiums, and a tarnished reputation. It's your organization's responsibility to ensure that any third party is fully vetted and continuously reassessed by your organization.
For example, a third party's network could change dramatically within a short period if it migrates services to the cloud or replaces legacy infrastructure with new technologies. For this reason, it’s recommended that your third parties, especially those with access to your sensitive data, are reassessed on an annual basis at minimum. If a third party suffers a data breach, you should perform a reassessment no later than six months after the breach.
It may be necessary to improve your third-party risk management program by implementing standardized vendor risk tiering and creating a third-party reassessment cadence based on that tiering. To ensure your third parties maintain an acceptable risk posture, you’ll need to reassess business associates and vendors that interact with sensitive data. Make sure your main stakeholders understand the need to reassess vendors and business associates, especially those who have suffered data breaches, and that a robust third-party risk management program can provide the necessary framework to execute those reassessments.
To receive the appropriate approval, funding, and resources for your healthcare organization's third-party risk management program, you must ensure that all stakeholders understand the importance of protecting your organization from third-party risks. If you communicate effectively how the program will protect your sensitive data, address the modern threat landscape, and prioritize patient safety, you’ll get buy-in for the program and take a step towards mitigating third-party risks.