Third-party vendors play an important role in today’s evolving healthcare environment. Healthcare organizations rely heavily on third-party vendor support through the supply chain to sustain daily operations. Third-party vendors that have access to personally identifiable information (PII), protected health information (PHI) and other critical systems and data can expand an organization’s cybersecurity risk, particularly the risk of data breaches. With cyber breaches and ransomware attacks increasing in sophistication, volume and magnitude, healthcare organizations struggle to stay ahead of the game. Now more than ever, implementing and maintaining a mature vendor risk management program should be a priority for the organization. Internal audit can play an important role in developing and implementing an effective vendor risk management program.
What can internal audit do to assist healthcare organizations in evaluating the risks associated with third-party vendors? How can internal audit help determine the effectiveness of the processes for ongoing assessment and monitoring, such as scorecards, questionnaires and on-site assessments, in managing the overall risk?
Internal auditors can evaluate the design effectiveness of the existing controls to mitigate risk, identify process gaps and provide recommendations for improvement over the third-party risk management processes.
In evaluating an organization’s third-party vendor risk, internal audit should assess the following questions:
In healthcare, mitigating security risks for key/critical vendors should be a priority for internal audit. Internal audit should review:
Frequently, a security questionnaire is completed during the evaluation of key/critical vendors. The questionnaire covers areas such as:
Internal audit reviews the security questionnaire to verify it was properly completed and that areas of concern were highlighted and followed up on by management.
For more information on this topic, or to learn how Baker Tilly healthcare-specialized Value Architects™ can help, contact our team.