When it comes to managing third-party relationships, the healthcare industry has some of the most rigorous and complex contractual agreements. Effective vendor risk management is essential when working with suppliers. Healthcare providers must meticulously vet suppliers and partners, ensuring that transactions are secure, data is safe, and risk is appropriately managed.
Confident Contracts – a new concept that offers an integrated approach to managing third-party risk – can minimize risk, ensure compliance, and streamline business processes by establishing a contractual relationship based on mutual trust.
So what is a Confident Contract, you ask? At the heart of the Confident Contract is an agreement between the healthcare buyer and the healthcare service provider that a small set of markers, if appropriately scoped and transparently shared, does more to clearly articulate a vendor's cybersecurity risk than hundreds of time-consuming, self-attested control questions ever could.
Just as airline passengers can jump the security line with TSA PreCheck, trusted third-party suppliers can bypass procedural bottlenecks with a Confident Contract. It removes third-party risk management (TPRM) as a procedural issue, eliminating the need for a vendor security assessment. Having a Confident Contract in place accelerates the contracting process, especially for IT-type contracts or business relationships requiring data exchange.
The Need for Integrated Risk Management
Data security, preventing data breaches, and ensuring operational resilience are primary concerns for all healthcare organizations and are driving factors for TPRM. Additional risk assessments are needed as healthcare providers continue to onboard new vendors. Unfortunately, most risk assessments still involve a manual and time-consuming process.
Sixty percent of healthcare organizations surveyed by Kiteworks indicated that TPRM needs improvement. The same study showed that over two-thirds of organizations surveyed share content with more than 1,000 external organizations. Two-thirds also indicated that they use four or more separate systems to track and secure communications, and third parties manage most forms of email, file sharing, and web forms.
Third parties are also the most common source of data breaches. According to a Health 3rd Party Trust Initiative survey, 55% of healthcare organizations experienced a data breach in 2022 due to a third party at an average cost of $10 million per incident. The same survey revealed that 68% of HIPAA-covered entities and 79% of business associates see TPRM processes as inefficient, and 60% of HIPAA entities and 72% of business associates don’t see TPRM as effective at preventing data breaches.
The Role of the Confident Contract
Implementing a Confident Contract offers an integrated approach to managing third-party risk that is more efficient and effective. It eliminates the need for a security assessment and becomes a contract accelerator, smoothing the way for new business relationships. The Confident Contract also defines how companies work together as business partners.
The challenge healthcare organizations face is that TPRM has become inherently broken. The vendor landscape continues to expand and become more complex, the IT cybersecurity infrastructure becomes broader, and cybersecurity defenses become more nuanced. As a result, TPRM has become unmanageable. To complicate matters:
- Risk assessments and data breaches are both at an all-time high.
- Healthcare organizations require shorter contracting cycles.
- Scalability is challenging for healthcare providers and third parties.
- Incident response has become even more critical.
- Vendors are demanding more transparency and predictability.
Implementing Confident Contracts can remedy or eliminate many of these issues.
Putting the Confident Contract Into Practice
For any Confident Contract to work, there must be a clear set of guidelines and operating principles that define the mutual trust of the agreement. There are four essential elements required to achieve a Confident Contract relationship:
- Visibility – Both parties need to clearly understand risks, including any risk-relevant information that is part of the contract or the contract lifecycle. Vendors need to precisely understand what is expected of them from a cybersecurity standpoint before they engage.
- Standardization – Applying standardized terms and processes is the key to breaking procedural bottlenecks. There must be some degree of standardization from vendor to vendor, contract to contract, and client to client.
- Foundational assurance – The business ecosystem must include indicators that impact risk, have a shared way to assess those indicators, and ensure any issues have been resolved. This is the best way to move away from the laundry list of controls that slow processes and hold stakeholders captive. This is also key to achieving standardized contract language.
- Active engagement – A Confident Contract only works when there is active engagement on both sides. Both parties must commit to collaboration and transparency throughout the contract lifecycle, not just when the contract is signed.
The objective of using a Confident Contract is to eliminate lengthy assessments, exchanges of transactional information, and unnecessary red tape. A Confident Contract puts the business relationship first and ensures that relationship is built on trust and mutual benefit. But it does so without sacrificing security rigor.
The Confident Contract represents a different approach to third-party healthcare contracts and how healthcare organizations approach TPRM. It promotes transparency and makes the risk management process more integrated and efficient, resulting in better business relationships.
Implementing the Confident Contract
The best way to implement a Confident Contract is by applying technology and methodology that manages the business relationship, including TPRM, in a practical and effective manner for both vendors and customers. The combination of technology and methodology condenses hundreds of TPRM control questions into a small handful of essential security requirements to reduce the amount of paperwork and associated bottlenecks.
Using the right platform, healthcare organizations and vendors can establish visibility before the contract is initiated. This enables both parties to make informed decisions about working together before the contract lifecycle begins. The ecosystem also imposes standardization, replacing fragmented controls with a short list of indicators correlated to real risks that are meaningful to both parties. Foundational assurances are built in, with guarantees providing value to both vendors and healthcare organizations. Creating a connected digital experience also supports active engagement, delivering metrics that matter to both parties while providing a continuous understanding of risk.
Successful business relationships are built on a foundation of trust where both sides fulfill contractual obligations. Using a Confident Contract frees stakeholders from unnecessary procedures and paperwork while paving the way for a working relationship based on mutual trust and on an acknowledgement that the ongoing business relationship requires continuous transparency.
The Confident Contract is the ideal tool for establishing a new business relationship while proactively managing risk and avoiding the potential pitfalls associated with third-party engagements.
Britton Burton
Britton Burton is Senior Director of Product Strategy with CORL Technologies, which provides tech-enabled managed services for vendor risk management and compliance.