Most risk management professionals know the adage, “An ounce of prevention is worth a pound of cure.” But in the digital age, you need more than an ounce of prevention when it comes to mitigating regulatory and reputational risk. It’s a lesson learned the hard way by one of the largest health insurers in the country when it discovered that personal data on nearly 79 million people was exposed through a cyberattack. Last fall, the company paid $16 million for non-compliance with HIPAA security rules after an investigation found that insurer lacked an enterprise-wide risk analysis process and failed to identify and quickly respond to suspected or known security breaches.
Regulatory fines only part of the cost of failed risk management
The $16 million penalty was just a drop in the proverbial bucket, however. Just a year before, the company settled litigation over the hacking incident—which occurred in 2014—for a whopping $115 million, which will be used to pay for two-years of credit monitoring for all those who had data exposed in the breach.
Beyond regulatory fines and class-action lawsuits, companies must consider hard-to-calculate costs like reputational damage and loss of trust, as well as business distraction. It’s hard to be forward-thinking and strategic when you’re looking over your shoulder all the time.
Unfortunately, hackers are just increasing the frequency and ferocity of attacks. What’s more, according to research by the Ponemon Institute, nearly 90 percent of healthcare organizations had a data breach in the past two years and 45 percent had five or more breaches. In fact, estimates based on the Ponemon study puts the cost of data breaches at $6 billion.
Moreover, healthcare-related organizations—from hospitals to pharmaceutical and bio-med manufacturers—face Risk exposure from more than data breaches.
Complex supply chains increase risk exposure—from bad actions by the third-parties they rely on to disruption due to environmental disasters. Take Hurricane Maria which hit Puerto Rico in 2017. Puerto Rico happens to be the fifth-largest territory in the world for pharma manufacturing, producing about half of the world’s top-selling patented drugs.
The country is also a major source for IV bags that hold saline solution. Months later, hospitals across the U.S. were still struggling to bring in adequate supplies, particularly because of the severe flu season that hit on the heels of the hurricane.
At the time, CBS News reported, “Days of interruption and damage to manufacturing plants are affecting international supply chains for products such as cancer and HIV treatments, immunosuppressants for patients with organ transplants, and small-volume bags of saline, which are necessary for patients who need intravenous solutions.”
As a result, some hospitals postponed elective surgeries—an area that is typically a profit-center—to conserve their short IV bag supplies for critical care.
Taking a more proactive approach to risk management
Organizations across many industries face increased risk—evolving regulations, global supply chains, viral news and more. Keeping on a healthy trajectory demands a more robust approach to Risk Management.
- Conduct risk assessments and due diligence for all third-parties prior to on-boarding
- Escalate to deeper due diligence for third parties identified as high risk
- Establish on-going risk monitoring to identify potential red flags before they strike
- Integrate standards for risk management into contracts with crucial vendors—such as a cloud provider that hosts patient data—to ensure it complies with best practices
- Maintain records of the above efforts
Risk is inevitable, but companies that respond quickly and transparently are better positioned to control the situation. How confident are you in your current process?
3 Steps to Take Now
- Download this eBook to explore the risk landscape and best practices for mitigating third-party risk in Pharma, Life Sciences & Healthcare.
- Learn how Lexis Diligence® and LexisNexis® Entity Insight helps organizations stay alert to emerging risks.
- Share this blog post with your colleagues and connections on LinkedIn.
