Vendors. Did you know I just saw you roll your eyes? Don’t worry…all of the other readers had the same response. If you work in technology, odds are you have at least one relationship with a vendor that you maintain in order to provide your services to the market and help your business run successfully. But if you have to work with them, you know that calling the relationship a challenge is putting it nicely.
One of the major problems with vendors is the same problem that the federal government has run into with the large amount of contracting it does (particularly in the defense and security areas) in a bid to cut costs…you can’t do the job without the vendors, but you have very little control over the way that they do things. Hire a contractor to provide security services in a war zone prison? You might just wind up with a firm that commits human rights abuses and tortures inmates, causing not only a huge diplomatic headache but also fueling the recruitment activities of the other side. We’ve seen similar examples in business, most recently with the Target breach. Hire a vendor to maintain your HVAC, and you wind up with one of the biggest credit card data breaches in history, multiple intensive investigations, millions upon millions in fines, and irreparable damage to your operations and business reputation.
The healthcare system isn’t immune from these kinds of problems. Healthcare as an industry has always relied on vendors, but as the sector continues to expand its use of technology, more vendors are brought into the mix. That’s more risk that needs to be evaluated and managed, especially in light of the kinds of information that are being passed between you and your vendors and the increasing scrutiny of how that information is being protected.
Health IT News recently profiled some of the frustration that healthcare providers have with vendors and vendor management, voiced at the HIMSS Media Privacy and Security Forum. It falls in line with what I have seen from family members who work in the healthcare field and from my husband who is in healthcare IT; while the clinics and healthcare facilities themselves may be taking data security seriously, the vendors they need to work with often have not even thought about it. As the old saying goes, you are only as strong as your weakest link, and when your weakest link is an outside business entity that you have no control over, it becomes impossible to mitigate your own risk. As Anahi Santiago, CIO at Christiana Care Health System, vented during the forum:
“The vendors don’t get it, and they want to argue – about patch management, disaster recovery, change management – you name it. I spend a lot of time going back and forth with the vendors. But the organization understands there’s a level of risk that we can accept and there’s a threshold where we cannot.”
– via Health IT News
The fragmentation of the healthcare IT sector only adds to this frustration, because it increases the number of vendors you need to deal with in order to provide healthcare. As I discussed in Is There Too Much Diversity In Healthcare Technology?, the explosion of start-ups within the sector not only leads to duplication of services, it also leads to more relationships with outside vendors. That means more contracts to manage and, most importantly, more risk for your organization. Only with the evolution of more complete software suites, and the resulting contraction in the number of vendors in the field, can healthcare providers begin to effectively demand an increased focus on security from those vendors.
While healthcare industries struggle to get their vendors to even acknowledge security practices as something they should be concerned about, other industries have faced this struggle in the past and now operate in a very different world. The Banking/Finance sector is one good example of the other side of this coin. If you want to be a vendor in this world, adhering to security protocols (many of which are far more stringent than the ones currently faced by Healthcare IT, although believe me, that’s going to change sooner rather than later) is not optional; it is required for entrance into the field. Evaluation and audits of a vendor’s security procedures take place before contracts are even negotiated. Regular audits and evaluations continue after the ink is dry, often on a yearly basis, and the findings of any external investigations or audits (say, for example, by federal or state level examiners) are shared between the organizations. As you can imagine, all of this is an awful lot of work, so most businesses maintain a Vendor Management department, staffed by people whose sole purpose is to evaluate, investigate and maintain relationships and contracts with outside vendors.
Banking/Finance can command this kind of relationship with their vendors precisely because the field is a lot smaller on both sides. There are fewer vendors providing services, and there are fewer businesses demanding those services. This makes it easier and more effective for businesses to demand security and accountability from their vendors. Healthcare, on the other hand, resembles the Banking/Finance industry as it looked 20-30 years ago. It is important for Healthcare providers to demand security and accountability from their vendors, but as long as the field is so large and fractured, those calls will have limited effect across the industry. Healthcare should nonetheless use the evolution of banking/finance technology as a road map for getting to where it needs to be.
What can Healthcare facilities do about the situation in the near term? I think Christiana Care Health System has the right approach. You need to evaluate your vendors carefully, and stick to your guns on the amount of risk you are willing to tolerate. Be willing to walk away from vendors who can’t accommodate your demands. If that isn’t possible, work with your vendors to increase security on both sides…not only will it make you safer, it will also make them more marketable. Try framing it as something that will protect them as well; after all, no business wants to be the cause of a Target-sized breach, and they will be just as much on the hook for it as you will. In the longer term, contraction in the healthcare IT vendor market will make it easier for you to demand security from your vendors.