How providers can improve healthcare vendor management


Current approaches to healthcare vendor management risks are inadequate

As the healthcare sector continues to adopt new technologies, its reliance on remote and cloud-based services has also increased exponentially. While relying on third-party vendors to provide more efficiency and state-of-the-art care and management, providers must also put more emphasis on healthcare vendor management. Security is a concern for every industry, but healthcare providers also have strict privacy and compliance requirements under the HIPAA/HITECH Act rules. Yet healthcare providers are still not doing enough to avoid data breaches and cyberattacks, which are a major threat to the entire industry and carry very high costs.

The rising cost of healthcare data breaches

A recently published report by Ponemon Institute and IBM Security shows that the average cost of a data breach in the United States rose to $8.19 million. The U.S. healthcare industry has the highest cost at $15 million, and the average cost of healthcare data breaches is $429 per record, more than twice the cost of any other industry.

Ransomware attacks on healthcare institutions have also become common because cyber-criminals know that mission-critical patient care systems cannot afford to be offline. Small clinics and large hospitals have been hit by this scourge, and many have had no choice but to pay to get their systems back up so patients didn’t suffer. In May 2017, Britain’s National Health Service was infected with ransomware, and dozens of locations were temporarily closed due to the virus.

Because HIPAA/HITECH Act regulations also require strict compliance by third-party vendors (business associates), the average healthcare provider spends $3.8 million on vendor management and mitigation of risks from third parties. Even with all that spending, in 2018, 56% of healthcare providers surveyed in the Ponemon study had experienced a breach caused by one or more third-party vendors within the last two years. The report shows that there are three main reasons that healthcare providers continue to have insufficient risk mitigation:

Without a strategy, managing remote access for healthcare drains resources

To mitigate risks without increasing costs, healthcare providers need to implement third-party remote access solutions that meet the following requirements:

  • Manage network access for a growing number of healthcare vendors
  • Standardize remote support across all providers and business associates
  • Eliminate risks associated with shared credentials
  • Track and record activity during support sessions
  • Maintain and audit HIPAA/HITECH Act remote healthcare IT compliance

Solutions are available that streamline remote support and provide secure network connections. Some remote access security platforms can eliminate the need to manage network credentials from multiple vendors. Look for platforms that include:

  • Multi-factor authentication that ensures vendor reps are securely authenticated prior to access. This will eliminate the use of shared logins and passwords by unauthorized users.
  • Access controls that enforce rules-based permissions, providing a secure environment while enabling fast connections. This capability will allow network managers to implement a least privilege policy.
  • Access monitoring with real-time access notifications. Network admins should be aware of all activities on critical systems.
  • Comprehensive auditing tools that provide log files of every network session with granular details of individual activity.

Holding healthcare vendor management to this high standard can reduce the costs associated with risk mitigation and breach prevention for healthcare providers. The best solutions reduce vulnerabilities while increasing efficiency. For example, here at Imprivata, we were able to help one hospital save over $1 million annually with efficient healthcare vendor management. Learn how Imprivata helps healthcare enterprises and technology vendors ensure HIPAA compliance with healthcare vendor management.