Because of the sheer volume and specialized nature of healthcare IT vendors these days, onboarding and managing new business partners can tend to be cumbersome for larger healthcare providers. Manually analyzing each vendor’s risk levels and ensuring they’ve signed all of the necessary contracts can get in the way of other important daily tasks.
Healthcare organizations are beginning to perform automated risk analyses on vendors and keep track of compliance through governance risk and compliance (GRC) platforms. Perhaps keeping track of all this data may be an attainable goal for small provider, but Intermountain Healthcare was still searching for a way to best manage all of its vendors as recently as two years ago. For context, Intermountain is a large integrated healthcare company based out of Salt Lake City with 22 hospitals, 185 clinics, about 1,300 employed physicians and a user base of 50,000 or so.
Torsten Larson, IS Security Manager, Governance, Risk, Compliance team at Intermountain Healthcare told HealthITSecurity.com that the main challenge was that trying to get risk reviews and assessments for individual vendors lined up was time-intensive.
Finding a way to automate some of these things would make it much easier to be able to do an objective risk analysis. From there, we would do a full security review if we choose that vendor. It had been very time-consuming, as I was spending a great deal of time on the phone with vendors with their tech people to figure out how their application worked or interfaced with our local infrastructure.
With Larson spending a great deal of time with vendor management, he said Intermountain saw Rsam as a way to drive some of that time down by allowing the vendor to go in on their schedule to fill the necessary requirements. Intermountain selected Rsam in 2013 to automate Vendor Risk Management and later Enterprise Policy Management, Risk Register and Access Control Review.
Rsam is a platform-based technology that helps automate GRC processes for these organizations, according to Vivek Shivananda, CEO of Rsam. It uses 10 modules total that, for example, automate compliance assessments, risk management policies and vendor risk. Customers can pick and choose these platforms and consolidate their own applications on the Rsam platform.
Ideally, using the platform would allow its healthcare customers to be able to look at technical vulnerabilities and compliance gaps holistically and Larson said there were a few factors that helped Intermountain choose Rsam. In terms of data gathering, whether it’s through a spreadsheet or an access database, he said Intermountain didn’t have something that centralized access or allowed external vendors to provide data in a secure manner.
When the HIPAA Omnibus Final Rule came out in 2013, it really changed the dynamic of how you deal with your business associates (BAs). It put more responsibility on both parties to be able to identify how data was going to be stored and how the relationship was going to work. Those two factors led to us looking for something that could help in that area.
Intermountain Healthcare has since expanded its Rsam GRC program with new integrated risk and security management offerings.