BLOG POST: Why Vendor Security Risk Management Belongs on the Boardroom Agenda

Blog Post by Cliff Baker, CEO at CORL Technologies

Even as third-party data breach activity continues to grow, the importance of third-party data security in board-level risk management strategy is not growing to match the need. 

In November 2018, the Ponemon Institute reported that among U.S. firms surveyed, 61 percent experienced a breach caused by third parties, up from 56 percent the previous year. However, only 46 percent of firms surveyed say managing relationship risk is a priority. 

This is a risky position for healthcare organizations to take. With third-party data breaches representing the majority of data risk, and consequently of financial and reputational risk, this trend is troubling. 

A key to managing vendor data security is transparency in understanding the security practices of business associates in your vendor network. 

According to the November 2018 Ponemon study “Data Risk in the Third-Party Ecosystem”, only 34% of respondents (across all industries) have a comprehensive inventory of all third parties. 69% cite a lack of centralized control over third-party relationships as the reason for not having comprehensive inventories. 

While some do have Vendor Security Risk Management (VSRM) controls identified, 48% say third-party complexity is a barrier to creating complete inventories of all third parties. Most alarming, only 15% of the Ponemon respondents reported knowing how their data is being accessed or processed by third parties with which they have no direct relationship. 

The Role of Transparency in Third-Party Data Security 

In the healthcare industry, vendor risk management is still in the early stages of maturity for most health systems and health plans. A key aspect of mature Vendor Security Risk Management programs is having deeper visibility (or transparency) into the business associates’ security and privacy practices. 

Visibility for many firms is still largely dependent on surface assurances, such as trusting that vendors will meet their contractual agreements for securing data, with no verifiable checkpoints. In the Ponemon study, 70% of CISO respondents say that visibility is dependent on vendor reporting as specified in contractual agreements. Furthermore, 59% say they trust the third party to notify their organization when data is shared with Nth parties. 

Really? These statistics are astounding! They point to organizations placing trust in the vendor to understand the importance of healthcare data security as high as their own security. Can you trust a vendor to always notify you when data is shared with Nth parties? How would you find out if they are not providing notification? A data breach perhaps? That would not be a good day at the office. 

These industry trends underscore the importance of making vendor security risk management a boardroom topic. CORL is continuing to work with our clients to support board-level conversations about third-party data security, providing them with critical insight and information about third-party vulnerabilities. 

Let us know your thoughts on how well healthcare organizations are prioritizing third-party data security. We’d love to hear from you.