Healthcare and Technology news

Top 3 Third Party Risk Management Challenges


Since the massive Target data security breach in December 2013, third party cyber security stopped being an afterthought and started becoming one of the top security priorities for CISOs and Risk Departments. As a response, Third Party Risk Management (TPRM) underwent a transformation in early 2014 that continues to reverberate today.

 

With attackers finding new ways to break into third parties in hopes of infecting a larger organization, the third party ecosystem is more susceptible than ever before. Meanwhile third party usage is growing fast in large organizations and enterprises. Many critical business services such as HR functions, data storage, and modes of communication are the responsibility of cloud-based third parties.

 

Without a modern TPRM program, many of these third parties are left behind in security risk management, putting organizations in a vulnerable position.

 

Over 60% of data breaches can be linked either directly or indirectly to a third party (per Soha Systems, 2016) but TPRM programs don’t often take a risk-first perspective when it comes to risk management. Security and Vendor Risk departments are often solely focused on compliance. That’s important, but doesn’t get at the heart of the risk posed by your third parties. To shift the approach of your TPRM program to measure true risk, you’ll need to make some adjustments in how you manage third parties.

 

Here are the three top TPRM challenges and the actions you and your organization can take in order to bolster your TPRM program.

 

1. Automate Your TPRM Process to Reduce Unmanaged Risk
With the rise in SaaS, businesses are now using cloud-based third parties more than ever. Gartner predicted that SaaS sales will nearly double by 2019, and that SaaS applications will make up 20% of the growth rate in all public cloud services, a $204B market. Last year, Forrester had already predicted that enterprise spend on software would reach $620B by the end of 2015.

 

As businesses engage in IT and infrastructure digital transformation, the need to manage vendors is more pronounced. Over 60% of respondents from a Ponemon Institute survey on Third Party Risk Management believe that the Internet of Things increases third party risk significantly. 68% believe the same is true for cloud migration.

 

However, as more third parties are brought in, they’re often not managed to match the level of cyber security risk they carry. Worse, they may not be managed at all due to a lack of resources. This creates unmanaged security risk. If these third parties have access to your network, your employees’ PII, or your customers’ sensitive data, shouldn’t they be subject to rigorous risk management assessments?

 

Unfortunately, as the number of third parties swells to the hundreds, it’s often not feasible for every vendor to be assessed in the same critical fashion. That’s why having an automated risk assessment tool for assessing vendors is a way to ensure you’re minimizing unmanaged risk from both new and existing vendors.

 

Automating your TPRM process is one of the major steps towards having a mature and capable TPRM department. Its benefits include:

 

  • Improved third party management flexibility
  • Standardized processes and third party management
  • Metrics and reporting consistency
  • Improved data-driven decision making
  • Further structuring the TPRM organization
  • Increased third party responsibility
  • Increased overall risk assessment and mitigation

 

By automating the TPRM process, you’re creating a standardized structure that can be applied to all third parties, whether existing or onboarded.

 

You can automate your TPRM process by finding new technologies or tools that will automate the assessment and information gathering process for your third party vendors. This helps to ensure that you’re optimizing your resources and spending company time on what is most impactful.

 

2. Augment and Validate Self-Reported Questionnaires Through Independent Risk-Based Assessments
Third parties are often assessed through questionnaires, onsite assessments, or via penetration tests. Each has its own advantages and disadvantages. Onsite risk assessments and penetration tests are resource-intensive, requiring time, money, and staff in order to carry out the assessments. Because of the costs, these kinds of assessments cannot be used for all third parties, and should be reserved for the most risk-critical third parties.

 

That leaves questionnaires to fill the void for most of the other third parties. However, questionnaires are self-reported, which makes using a ‘trust, but verify’ approach to risk management difficult to accomplish.

 

In a 2016 Deloitte Study on Third Party Risk Management, 93.5% of respondents expressed moderate to low levels of confidence in their risk management and monitoring mechanisms. With numbers like that, it’s easy to see why TPRM programs need increased attention. Without a way to independently verify the security posture of your third parties, you can only rely on the word of your third parties who are, for obvious reasons, incentivized to report positively.

 

Organizations should find independent third parties that can provide risk-based assessments of their third parties to validate that the findings from questionnaires are a realistic portrait of the state of third party security.

 

There are a number of cyber security solutions that provide risk-first third party assessments. To find the right solution, you should research whether or not those solutions:

 

  • are accurately assessing third parties
  • can facilitate communication between you and third parties
  • are focusing on key cyber security areas that are indicative of a potential breach


3. Utilize Continuous Monitoring to Assess Third Parties Beyond Point-In-Time Assessments
The assessment methods mentioned in the previous section all have one glaring flaw in common – they assess third parties at a single point in time. Many times, the information gathered by security risk assessments is outdated by the time it falls into your hands. The speed at which hackers are developing new attacks and exploiting vulnerabilities is too fast for point-in-time assessments or annual reviews to provide any insight into the real security posture of a vendor.

 

A PWC Third Party Risk Management report on the finance industry noted that 58% of companies using ad hoc monitoring experienced a third party service disruption or data breach, compared to only 37% of those that regularly monitor their providers and partners. Without having a way to know the security posture of your third parties on-demand, you’re managing risk with a blindfold on for most of the year. By only having point-in-time information that is quickly outdated, your ability to react to new vulnerabilities, or worse, a potential third party cyber security incident, is negligible.

 

Through continuous monitoring, you’re bolstering the security of your third party by keeping them consistently accountable, which in turn, minimizes your overall risk to a potential security incident.

 

How to Get Started Revamping Your VRM
We covered how to implement continuous monitoring in your TPRM program in part 2 of our How to Revamp Your VRM Program article series. Start by establishing a central TPRM office if you don’t already have one, prioritize and identify your most risk-critical and business-critical vendors, and then define your third parties’ security controls and processes that you’ll monitor on an ongoing basis. If you have the resources, look for automated risk health assessment tools and solutions that offer continuous monitoring for your third parties.

 

Conclusion
Updating your TPRM program doesn’t have to be a complete overhaul of your department. Instead, you should use a risk-first perspective to define the aspects that are the most critical to update. The three we highlighted here will yield the most dramatic changes in a TPRM program, reducing your unmanaged risk, and reducing your reaction time should a security incident occur.

 

By automating aspects of your TPRM program, using independent third party assessments, and adopting continuous monitoring, you’re not far from having a mature TPRM program that can easily assess any new third party as it comes, keeping your organization safe.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Tim Cook outlines Apple's role in health and wearables

“I think when you’re dealing with wellness, fitness and the proactive pieces of health. I don’t see Apple getting in to cancer research and this kind of stuff. That’s well beyond our expertise but I think in terms of things that you wear and things that you can know about your body and be able to proactively reach out to your doctor when certain things happen, I think that’s right up our alley and I think it’s something that the world needs. Apple is about making great products that enrich people’s lives.

“We wouldn’t build just a great product, we would only build it if it only enriched somebody. I think this is a fantastic example of something that enriches lives. So this is something that is highly interesting to us and you’ll notice that the watch has a health and fitness component. This is the area where we’re starting but where we go in the long term we’ll talk about later but it’s an area that I’m very excited about from multiple points of view. The opportunity and need for the world to have these types of products.”



4 Things to Know About Telehealth


Telehealth has emerged as a critical tool in providing health care services. [1] The practice covers a broad range of medical technology and services that collectively define the discipline. Telehealth is especially beneficial for patients who live in rural communities and other remote areas where medical professionals use the Internet to gather and share information as well as monitor the health conditions of patients by using peripheral equipment and software such as video conferencing devices, store-and-forward imaging, and streaming media. The following information details important factors that are shaping this burgeoning field.

 

The Changing Face of Telehealth Law
Today’s competitive health care marketplace has created an environment where patients demand lower costs, higher service quality, and convenient access to services. [2] Telehealth is an innovative and valuable mechanism that provides patients with efficient access to quality services. Lowering costs and removing barriers to service access are critical components in promoting patient wellness and population health. Convenience and cost-effectiveness are important commodities in the modern health care marketplace, as patients tend to avoid treatment that is difficult to access or too expensive. As a result, telehealth technology is emerging as a preferred choice among patients and providers. Telehealth has also attracted the attention of US legislators. They utilize this tool for improving the competitiveness of American health care services. This is especially important, seeing as health care represents 17 percent of the nation’s gross domestic product (GDP). In fact, the resource has helped to define the role that lawmakers play in ensuring that patients benefit in a competitive health care market.

 

Reimbursement for Services Delivered by Telehealth
The laws regarding reimbursements change regularly as more service providers incorporate telehealth technology into their practices. Reimbursement procedures can vary by state, practice, insurer, and service. [3] Care providers need to understand several facts, regulations, and laws to navigate Medicare telehealth reimbursements. They must first scrutinize whether the distance between the facility (the originating site) and the patient is far enough to qualify as a distant site. The location must also qualify as a Health Professional Shortage Area (HPSA) per Medicare guidelines. Additionally, the originating site must fall under Medicare’s classification as a legally authorized private practice, hospital, or critical access hospital (CAH). For instance, the Centers for Medicare and Medicaid Services ranks the Harvard Street Neighborhood Health Center as a top facility in need of physician services based on these criteria. Care providers must also use proper insurance coding to be reimbursed for hosting services that use telehealth technologies. For now, collecting reimbursements for telehealth services remains simpler for practitioners who limit the scope to which they apply the technology.

 

Telehealth or Telemedicine?
The term ‘telehealth’ is gaining popularity among medical professionals, compared to the original term, ‘telemedicine.’ [4] Some medical professionals use the names interchangeably. However, telemedicine is a term that may apply to the application of any technology in the clinical setting, while telehealth more distinctly describes the delivery of services to patients. Telemedicine is a familiar term, but telehealth more appropriately describes the latest trends in using technology to deliver treatments to patients. Depending on the organization, service providers may use different definitions of telehealth. Although the basic premise remains similar, the context may change according to factors such as organizational objectives and the needs of the patient population being served. Medical experts do agree on one point: telehealth is an innovative way of engaging patients, and it is highly beneficial for both providers and patients.

 

The Road Ahead
There are several areas where telehealth medicine could make a significant impact. It could be used as a tool to remotely monitor patients who have recently been discharged. It may also help treat individuals with behavioral health issues who might normally avoid treatment due to its high cost, or to avoid any perceived public stigma. [5] The largest area where technology could advance medicine is in treating the chronically ill. These patients usually require many visits with several specialists who may practice at different and distant originating sites. To move telehealth forward, organizational leaders must present evidence to peers and patients that the technology offers value. In addition, care providers must work to transition patients from using telehealth services only for minor conditions (for headaches, colds, etc.), to accepting the technology as a viable replacement for costly physician office visits. Advocates for telehealth medicine must also develop quality controls, so that this potentially transformational tool can maximize its problem solving capabilities and its service effectiveness. To harness the benefits of telehealth technology, America’s brightest medical professionals (both experienced and up-and-coming) must make a concerted effort to incorporate the tool into their practices and make it a regular service offering. Today’s medical students — as they enter a world where telehealth is becoming more pervasive — can take part in what might be a monumental change in the way health professionals think about medical treatment.
