Jan 31
2023
TPRM Is In Crisis, But It’s Not Too Late to Change
By Brian Selfridge, healthcare cybersecurity and risk leader, CORL Technologies.
For anyone invested in Third Party Risk Management (TPRM), the last few years have been at once painful and heartening. On the painful side of the ledger, we’ve seen multiple high-profile breaches resulting in stolen patient data, reduced services and loss of trust on the part of many patients.
On the heartening side, these unfortunate incidents have made many healthcare organizations get much more serious about TPRM, treating it as an integral part of day-to-day operations.
That said, we have a long way to go. Spend any time with employees of healthcare organizations and you will hear the same message over and over again: things are better than they were, but TPRM remains fundamentally broken.
With that in mind, it’s worth taking a step back and assessing where we are with TPRM as 2022 draws to a close. What are the lingering pain points? In what areas could we stand to do a better job? Understanding the answers to these questions will help us think ahead to a better, brighter future for TPRM.
Everyone is Struggling to Keep Their Heads Above Water
The number of third-party vendors used by healthcare organizations has exploded in recent years, and this trend shows no signs of slowing down. Each one of these vendors, of course, represents a potential risk to the healthcare organization, and accordingly each one needs to be thoroughly vetted.
Of course, there is only so much time in the day, and fully vetting each third-party vendor using the standard methods takes time and resources––two of the rarest and most precious commodities in the healthcare industry.
This is a problem not just for the healthcare organizations but for the vendors themselves: each day they are flooded with more and more due diligence requests, more and more questionnaires, and because these requests are rarely standardized––i.e., every healthcare organization has its own demands and expectations––properly addressing every single issue can feel impossible.
Add in the fact that many healthcare organizations themselves function as third-party vendors and you have a recipe for an infinite backlog. Compliance concerns are forgotten, unaddressed, or addressed only partially, while critical patient information is left vulnerable. It’s an untenable situation.