More than half of all healthcare vendors have experienced a data breach that exposed protected health information (PHI), and it’s a costly problem that points to broken third-party risk assessment processes, according to data released by the Ponemon Institute and Censinet.
The report shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.
Additionally, 54 percent of healthcare vendors believe that a single data breach would result in lost business and revenues from the healthcare providers they sell to, while 28 percent of vendors say that healthcare organizations have chosen another service or solution after they discovered gaps in the vendor’s privacy and security practices. This may be why only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI.
“The overall process for managing risk assessments is severely broken in healthcare,” stated Ed Gaudet, CEO and Founder of Censinet. “As an industry we must empower vendors with the right tools and behaviors that give healthcare providers the level of transparency, security and confidence they need to protect their business.”
Many of the vendor respondents believe that healthcare providers do not fully embrace risk assessments to accurately measure and manage third-party risk. For example, nearly half (41 percent) of healthcare vendor respondents said that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies, and 42 percent say that providers do not require proof that the vendor complies with privacy and data protection regulations.
“Healthcare vendors and providers must move from simply checking a box to changing the culture,” continued Gaudet.
“This is an industry-wide problem and as such we need a new, collaborative approach that makes it easy for healthcare vendors and providers to band together and take action, implementing policies, procedures and controls that reduce risk holistically.”
The broken process of healthcare risk assessments
The research points to a fundamental failure of vendors and providers to work collaboratively to accurately measure third-party risk, largely because of the shortcomings of legacy risk management assessment processes.
According to the research, 55 percent of vendors say that risk assessments required by healthcare organizations are costly and time consuming, with vendors spending an average of $2.5 million annually to fill them out. This may be because 43 percent of vendors are still using spreadsheet-based processes for risk assessments.
Despite the effort vendors expend completing risk assessments, it’s hard to determine how accurate they are because 64 percent of vendors believe risk assessment questions are confusing and ambiguous.
Additionally, the rapidly changing threat landscape has made static risk assessments far less effective; 59 percent of respondents say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year.
This may be why only 44 percent of vendors believe that risk assessments actually improve their security posture – a number that points to the misallocation of time and resources fueled by the need to check the box, rather than effectively mitigate risk.
“This research highlights many of the shortcomings in the risk assessment process and just how inadequate and ineffective industry certifications and frameworks are today for vendors,” stated Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.
“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.”
When asked about ways to improve the risk assessment process, healthcare vendors overwhelmingly turned to automation. According to the research, 61 percent of vendors believe that workflow automation would streamline the risk assessment process and 60 percent think workflow automation would make risk assessments more cost-effective.
If the risk assessment process were automated, vendors believe that the costs incurred would be reduced by up to 50 percent.