Third-Party Risk Management: A New Model for Healthcare
ProcessUnity's Hasert on Adapting to Modern Needs in Third-Party Risk Management
Healthcare organizations are increasingly moving away from outdated methods, endless spreadsheets and repetitive requests in favor of more modern, efficient approaches, said Shane Hasert, director of threat research and cyber security standards at ProcessUnity. Hasert described the current state of third-party risk management as "promising" and "a little bit more in with the times."
Although many firms have implemented initial onboarding processes for third-party vendors, ongoing monitoring is "one of the bigger problems right now." Hasert recommended an innovative model that supports third parties and customers by sharing data efficiently. The new model focuses on continuous monitoring, effective threat intelligence and AI-powered automation to streamline processes and enhance security.
"A lot of organizations don't engage threat intelligence or use active threat monitoring, and they don't realize until after a breach has occurred that they should have been watching this vendor," he said. "The new model is to help the third parties and the customers. The customers need the data and the third parties need to do something once and be able to share it with many." This approach reduces assessment fatigue and enables organizations to focus on high-risk vendors.
In this video interview with Information Security Media Group at the 2024 Healthcare Cybersecurity Summit, Hasert also discussed:
- Overcoming challenges in third-party risk management;
- The need to shift from traditional assessment methods to innovative models that reduce assessment fatigue;
- The role of AI in enhancing third-party risk management.
Hasert has nearly 30 years of experience in risk identification and mitigation, audit process improvement, and client-focused consulting. Prior to ProcessUnity, he worked at CyberGRX, Randian and Shared Assessments.