Discussions By Domain: Modernizing Risk Assessments
“Modernizing risk assessments brings life-saving health innovation to the market.”- David Barnett
David Barnett is an entrepreneur, investor, former Mayor and philanthropist. David is currently the CEO of Datafy LLC, the first platform that cuts through the complexity that healthcare providers face when assessing the security of hundreds of vendors each year, and that vendors experience when responding to assessments that can be confusing, labor-intensive and different for each provider. David has considerable experience in leadership positions all along the corporate lifecycle, from startup to public company. His M&A history includes both buy-side and sell-side transactions across public and private companies.
David lives in Springfield, NJ where he was formerly the Mayor. He has been a candidate for NJ State Assembly and served on NJ Governor Phil Murphy’s Government Technology and Innovation transition committee. David is a board member of the non-profit, All Stars Project of New Jersey, and sits on several corporate advisory boards.
Hospitals and insurance companies have to perform an IT security assessment of their third-party providers/vendors.
The existing IT assessments are very difficult to understand, take a long time to complete, and aren’t standardized. This makes it a very large workflow issue and prevents people from working together.
Because these assessments are very important, there are processes put in place to protect patient information. Regulations such as HIPAA keep our information safe and set a standard for what needs to be followed.
There is a lot that needs to happen for a vendor to be able to work in the healthcare industry. These complexities therefore impact the healthcare ecosystem, suppressing growth and inhibiting innovation.
Why is it so complex and outdated?
They are often Word or Spreadsheet (Excel) based assessments with unfocused and confusing questions. The questions asked are vague, hard to understand, and don’t get to the root of the information that a hospital may need to assess the IT security attributes of a vendor.
For the vendors, they often have to deal with assessments from multiple providers that are all different and not standardized. This makes it very difficult for these vendors to be proactive with their security and compliance. Patient data can go unprotected, get stolen or breached. This entire process affects everyone because it is lengthy, cumbersome, and slows the adoption of new technologies, which can have a lifesaving impact on individuals. Innovation officers at hospitals understand what a challenge it is for these health technology companies to get approval (averaging about 2 years).
The proposed fix: automate and streamline many of these processes to speed up the IT security approval process.
At the hospital level, responsibility is spread across multiple departments: IT, Legal, Procurement, Finance, and other stakeholders. This is a very expensive and time-consuming process for the hospital, so as we make it more efficient, the overall cost of healthcare can decrease.
Corsis has helped companies across multiple industries score their cybersecurity posture against industry best practices developed across the frameworks of NIST, HIPAA, HITECH, and NYDFS regulations. We use that data to identify company assets, growth opportunities, and mine all that data from the assessment to help companies along the investment lifecycle.
Hospitals could have hundreds of vendors they are sharing data with, and they need to make sure that data is secure and compliant, and to know who is responsible and liable if a breach occurs.
What recommendations do you have for small health practitioners, pediatrics, chiropractic, dental, that need to comply with HIPAA?
1. If they are designated as a covered entity and have patient data, they should be performing internal IT security assessments.
2. Annually they should be performing an assessment with an established process/roadmap.
3. They should designate a HIPAA compliance officer who performs the assessment. Then do an assessment of the vendors that they share PHI (Personal Health Information) with.
4. If an issue (data breach) happens and they are audited, the first thing that they will be asked for is their policies and what they have done to proactively protect the data.
5. The biggest issue is the misunderstanding of the questions and that creates a ton of friction between the vendors and customers.
“Have the appropriate team to combat a ransomware event.”– Brian Burke. Read more about what Brian Burke of The Cypsis Group has to say about defending against ransomware attacks.
“The fluidity of your strategy has to be all-encompassing.” – Christian Amato
“Today’s internet solutions need to be built for network diversity, resiliency, and performance.” – Victor Cardona. See what else Comcast’s Victor Cardona had to offer on this week’s Discussions by Domain podcast.