Third-Party Vendors Come with Significant Risk

July 17, 2019

Study finds that the annual cost of risk for third-party vendors in healthcare is $3.8 million.

While many in the healthcare industry have seen the benefits of outsourcing tasks to third-party vendors, a new study cautions that those benefits could come with significant risks.

Censinet, a third-park risk management platform, recently came out with a report “The Economic Impact of Third-Party Risk Management in Healthcare,” that highlights the difficulties many providers see with third-party vendors. 

According to the report, the annual hidden costs for managing vendor risks for all of healthcare is $23.7 billion per year-from an average of $3.8 million per provider. These hidden costs come from the average of 3.21 full-time employees providers need to perform 500 hours of vendor risk assessments every month. The addition of information security and risk staff, supply chain managers, clinicians, and others multiplies that to an average of 5,040 hours per month that providers spend managing third-party vendor risk.

“The report makes it clear that healthcare providers are struggling to adequately assess and understand the risk that vendors pose to them – and that it’s costing them a lot more than they know,” says Ed Gaudet, CEO and founder, Censinet.

Gaudet adds that even with all of those resources, third-party attacks are still a problem-56% of healthcare organizations surveyed had a data breach introduced by one or more third-party vendors within the last two years. The average cost of those breaches is $2.9 million.

Related article: Cut Through the Cloud Vendor Clutter

“Most healthcare organizations are struggling to prevent or mitigate the severity of a third-party or vendor related breach,” says Gaudet, “and this problem is exacerbated since the threats are outpacing their spend on risk mitigation. Providers are unable to keep pace with the proliferation of cloud applications and connected medical devices used in the healthcare ecosystem. The study shows a gap of 2.5 times between what vendors budget versus what is actually required to help them keep pace with the growth of cyber threats and vulnerabilities.”

While many of those costs are hidden, providers are concerned about potential risks. Seventy-two percent of those surveyed say they believe increasing reliance on internet-connected third-party medical devices risky, while 68% say moving to the cloud while connecting medical devices to the internet creates significant cyber risk exposure.

All of this, according to the report, has created an environment where breaches are more difficult to stop and expensive to fix.

“This study really shines a spotlight on the gaps that exist in third-party risk management in the healthcare industry-and that’s something that executives need to understand,” says Gaudet.

“Some of the findings are truly alarming,” Gaudet adds, pointing to statistics such as:

  • 43% of respondents said that their organizations fully deploy the enforcement of non-compliance with security requirements for vendors

  • 36% prioritize vendor risks

  • 59% of respondents said that their executives can bypass the assessment process in order to secure a lucrative business relationship, which creates an enormous loophole.

“Those are startling numbers,” Gaudet says. “Put simply, healthcare providers are not operating at full capacity when it comes to the controls that determine effective third-party risk management. We hope that this report will serve to educate these executives about the risks they should be mindful of in order to eliminate potential vulnerabilities within their vendor ecosystem.”