Vendor Risk Management: The ShortfallsSurvey Shows How Healthcare Sector Stacks Up
The healthcare sector lags behind the financial sector when it comes to the maturity of vendor risk management programs, a new study confirms. Risk management experts Rocco Grillo and Gary Roboff analyze the work yet to be done.
Although the healthcare sector, like the financial sector, is heavily regulated and has been facing increasing cyber-attacks over the last year, healthcare organizations' vendor management strategies "are not as mature as you might expect," says Grillo, a managing director with the consulting firm Protiviti. Grillo and Roboff discussed the recently released 2015 Vendor Risk Management Benchmark Study in an interview with Information Security Media Group.
The study of more than 450 executives was conducted by Protiviti and the Santa Fe Group's Shared Assessments Program to examine the quality of risk management programs organizations in various sectors have for their third-party vendors.
The study found that organizations across the board still have a long way to go to improve their vendor risk management programs to reduce risks.
"Financial services has been leading the charge in vendor risk management," Grillo says. "Given the attacks and data loss we've been seeing in the healthcare space, [a] focus on third-party or vendor risk is an area where we would've liked to have seen stronger results. That's not to say the healthcare arena isn't taking cybersecurity risk seriously ... but we would've expected to see a lot more ... emphasis around third-party vendor risk management."
One of the problems is that "resource levels are not anywhere near where they need to be" for managing cyber-risks in healthcare, as well as in some other sectors, says Roboff, a senior adviser to the Santa Fe Group.
But Roboff predicts: "Over the course of the next year, there will be significantly greater levels of resources put against these [cyber-risk] issues."
In the interview, Grillo and Roboff also discuss:
- Lessons that the healthcare sector can learn from other industries about vendor risk management;
- Common weak spots in vendor risk management across various industries and how those gaps can be addressed;
- How different levels of professionals, middle-management and c-level executives view the maturity of vendor risk management programs at their organizations.
In his role as Protiviti's managing director and global head of the firm's incident response and forensics investigations practice, Grillo provides clients with cybersecurity and risk management services.
In addition to his role as senior adviser, Roboff is manager of the Santa Fe Group's Shared Assessments Program, which provides third-party risk management services. He was a founder of the International Security Trust and Privacy Alliance.