Leveraging internal audit to minimize risk of third-party vendors in healthcare
Third-party vendors play an important role in today’s evolving healthcare environment. Healthcare organizations rely heavily on third-party vendor support through the supply chain to sustain daily operations of the organization. Third-party vendors that have access to personally identifiable information (PII), protected health information (PHI) and other critical systems and data can expand an organization’s cybersecurity risk, particularly in data breaches. With cyber breaches and ransomware attacks increasing in sophistication, volume and magnitude, healthcare organizations struggle to stay ahead of the game. Now more than ever, implementing and maintaining a mature vendor risk management program should take priority in the organization. Internal audit can play an important role in developing and implementing an effective vendor risk management program.
The role of internal audit
How and what can internal audit do to assist healthcare organizations in their evaluation of the risks associated with third-party vendors? How can internal audit help determine the effectiveness of the processes for ongoing assessments and monitoring mechanisms such as scorecards, questionnaires, and on-site assessments in the management of the overall risks?
Internal auditors can evaluate the design effectiveness of the existing controls to mitigate risk, identify process gaps and provide recommendations for improvement over the third-party risk management processes.
In evaluating an organization’s third-party vendor risk, internal audit should assess the following questions:
- Has the organization assigned responsibility for vendor oversight?
- Has the organization assigned responsibility for vendor oversight?
- What vendor management policies and procedures are in place?
- Who maintains the list of vendors and does it include the appropriate information?
- Has management determined what vendors are critical to the day-to-day operations of the health system?
- Was a vendor risk assessment performed before onboarding the vendor?
- Is on-going monitoring of both performance and risk exposure of vendors performed?
- Is a vendor performance scorecard periodically completed?
In healthcare, mitigating security risks for key/critical vendors should be a priority for internal audit. Internal audit should review:
- The service agreement to ensure it provides adequate coverage. Does it include system boundaries, protection of data, availability of systems, and procedures for identifying and responding to security incidents?
- Adherence to a relevant framework/standards
- Evidence of compliance with applicable regulations
- The vendor’s report on internal controls
Frequently, a security questionnaire is completed during the evaluation of key/critical vendors. The questionnaire covers areas such as:
- Corporate governance
- Logical access
- Physical access
- Data
- Systems development
- Vulnerability management
- Continuity and recovery
- Auditing and compliance
Internal audit reviews the security questionnaire to verify it was properly completed and that areas of concern were highlighted and followed up on by management.
Key takeaways to manage healthcare third-party vendor risk management
- Consider all third parties
- Assign ownership and facilitate collaboration
- Inventory and categorize vendors; keep up to date
- Perform ongoing monitoring activities over vendors as appropriate for their function
- For key vendors that expose security risks, analyze whether they have effective internal controls in place
- Strategize to prevent exposure to risks in future third-party vendor relations
For more information on this topic, or to learn how Baker Tilly healthcare-specialized Value Architects™ can help, contact our team.
