ILLUMINATING THE TOP GLOBAL RISKS IN 2020

Regulatory Changes and Talent Challenges Are Top Concerns for Healthcare Delivery Organizations

AI, robotics and other rapidly developing digital technologies. Changes in the geopolitical landscape. Shifting
customer preferences and demographics. Record lows in unemployment, tightening labor markets and escalating
competition for specialized talent. Cyber breaches on a massive scale. A strong U.S. dollar.

These and a host of other significant risk drivers are contributing to the risk dialogue in today’s boardrooms and
executive suites. They highlight the influence of the economy and digital disruption on the risk landscape.

The need for greater transparency about the nature and magnitude of risks undertaken in executing an
organization’s strategy continues to be high as the expectations of key stakeholders regarding risk management
and risk oversight remain strong. Pressures from boards, volatile markets, intensifying competition, demanding
and potentially disruptive regulatory requirements, changing workplace dynamics, shifting customer preferences,
uncertainty regarding catastrophic events, and other dynamic forces are leading to increasing calls for
management to design and implement effective risk management capabilities, as well as response mechanisms
to identify, assess and manage the organization’s key risk exposures.

In this eighth annual global survey, Protiviti and North Carolina State University’s ERM Initiative report on the top
risks on the minds of boards of directors and executives. Our respondent group, which includes 1,063 board
members and C-suite executives from around the world, provided their perspectives about the potential impact
over the next 12 months of 30 risk issues across the following three dimensions:

• Macroeconomic risks likely to affect their organization’s growth opportunities
• Strategic risks the organization faces that may affect the validity of its strategy for pursuing growth opportunities
• Operational risks that might affect key operations of the organization in executing its strategy

Internal Audit, Risk, Business & Technology Consulting


Commentary — Healthcare Industry Group
The risk landscape for healthcare delivery organizations (e.g., physician groups, hospitals, post-acute and
ancillaries) is significant on numerous fronts, according to views shared by board members and C-suite
executives in the industry. In this white paper, we offer our commentary on the 10 risks most often cited by
leaders, including implications and strategies for effective risk management. The chart below shows 10 of those
top risks.

Top 10 Healthcare Risks for 2020

Protiviti ● 2
“As healthcare organizations look forward to 2020, the risk profile has a familiar appearance.
The industry not only faces change on the regulatory, privacy and digital fronts, but it also is
contending with human capital challenges and internal change resistance. As increased
transparency looms on the horizon, healthcare leaders can expect increased competition
for services.”

Richard Williams, Managing Director, Healthcare Industry Leader, Protiviti

1. More regulatory changes and heightened scrutiny


In 2020, regulatory changes and heightened scrutiny will continue to shape the Healthcare industry and impact
not only how organizations identify, address and manage risks, but more importantly, how they deliver care.

Regulatory compliance will remain a top concern in several areas, including, but not limited to, billing and
reimbursement; fraud, waste and abuse; physician compensation; and the opioid crisis. In 2019, the Healthcare
industry saw significant regulatory and enforcement actions that will impact healthcare organizations in 2020.
Those actions include several Final and Proposed Rules issued by the Centers for Medicare and Medicaid
Services (CMS); increased fraud, waste and abuse actions from the Department of Justice (DOJ) and the Office
of Inspector General (OIG); and the Health and Human Services (HHS) Office for Civil Rights (OCR) settlements
that continue to take penalties past the US$100 million mark. In 2020, new mandates and regulations that were
born in 2019, such as President Donald Trump’s executive order mandating hospitals to provide healthcare prices
to patients and consumers to improve transparency, will take effect, leaving healthcare providers responsible for
mandates entirely new to the industry. The coming year will also bring new areas of risk from trends such as patient
care innovation, telehealth and transitions to value-based care.

Finalized changes to the CMS Conditions of Participation (CoPs) will face increased scrutiny from regulators,
affecting many different providers by challenging accreditation status through a greater focus on patient rights,
complaints, grievances and the overall patient experience. For example, CMS released its Discharge Planning
Final Rule, which requires acute and post-acute care providers to focus on patient goals of care, rights to medical
records and the discharge planning process as a new CoP.

On the provider-based billing front, hospitals with grandfathered provider-based departments may benefit from
potential financial recourse in the coming year, resulting from the U.S. Court of Appeals for the District of
Columbia Circuit’s determination that CMS’s 60% reduction in reimbursement of clinical services paid to
grandfathered off-campus provider-based departments was improper. Although the effect of the court’s decision is
not entirely clear, CMS is expected to resolve both past and future reimbursements furnished at these sites.

Regulatory changes regarding physician compensation and fraud and abuse are expected to take shape as well,
as CMS proposed changes to the Anti-Kickback Statute and Stark Law, further supporting care coordination and
promoting efforts to improve quality and patient outcomes. If finalized, many of the proposed changes include new
exceptions for physician compensation arrangements, such as an exception for physicians to participate in value-
based care arrangements and payment models.

The OCR has not demonstrated signs of slowing the pace of its privacy and security enforcement actions,
emphasizing equal enforcement actions for both small- and large-scale data breaches. This raises the
significance of third-party risk management and the existence of business associate agreements (BAAs) in place,
as well as the importance of patient access to information, as the Healthcare industry continues its drive toward
the goal of coordinated care.

Other significant government enforcement actions that likely will remain in 2020 include penalties to post-acute
care providers, inpatient rehabilitation facilities, drug diversion fraud stemming from the ongoing opioid crisis,
violations of the 60-Day Rule governing overpayments, and unauthorized disclosures of protected health
information (PHI) on social media.

As the DOJ, OIG and OCR continue to enforce penalties and fines against healthcare organizations for fraud,
waste and abuse, and privacy and security violations, overall compliance program design and effectiveness are
only becoming more important for healthcare organizations to have. In fact, many healthcare organizations are
successfully using compliance program effectiveness assessments as a mitigating factor to address and adapt to
regulatory change effectively. They are also identifying and addressing noncompliant practices in their early
stages by performing risk assessments, implementing appropriate controls, and conducting auditing and
monitoring activities. Incorporating compliance risk as part of a greater enterprise risk management (ERM)
function is crucial due to the vast number of rapidly emerging and complex compliance changes happening
across the Healthcare industry, which are making it increasingly harder for healthcare organizations to manage
risks proactively.

2. Succession challenges and the ability to attract and retain top talent
According to the U.S. Bureau of Labor Statistics, U.S. unemployment has reached its lowest rate since 1969.
Relatively low unemployment levels prevail in many other regions worldwide as well. While this could be seen as
a positive driver for economic performance, low unemployment rates actually create a new set of challenges for
healthcare organizations looking to take on ambitious strategic objectives. While establishing a comprehensive
retention strategy remains a top priority, healthcare organizations now must take a contemporary approach to
organizational development, one that is not focused solely on marketing to and recruiting new talent, but also on
developing and retaining existing internal talent.

Cultivating organizational talent is imperative for healthcare organizations looking to escape the current talent
shortages unscathed. Instead of only targeting candidates with specific skill sets, healthcare organizations should
consider defining and developing talent that will support their future initiatives and goals. This approach enables
the business to further develop its overall direction and identify and cultivate existing talent.

Should internal talent cultivation fall short of operational goals, another option is to recruit workers from
nontraditional talent pools. For example, companies such as Google and Facebook have loosened their once-
stringent recruitment standards to access professionals with valuable, if not necessarily core, skill sets and then
provide those hires with additional training. Targeting professional associations, along with hiring based on soft
skills that are difficult to teach, opens a pathway to a previously untapped and broader talent pool. This approach
to recruitment not only helps to create diverse populations of thought but also lessens instances of employees
coming into an organization with “bad habits” that are difficult to change.

Despite the difficulty of attracting and retaining top talent, healthcare organizations will also want to focus on
fostering a culture of engagement that involves physicians, nurses, clinical staff, executives, administration and
even the associated boards of these organizations. One oft-cited quote by management expert Peter Drucker
clearly underscores the importance of having this focus: “Culture eats strategy for breakfast.”

What does an engaged workforce look like in the Healthcare industry? It is an environment where employees (1)
have a personal connection to the mission and values of the organization; (2) are empowered to make decisions
that best serve patients; (3) feel valued and recognized; and (4) are encouraged and supported in their ongoing
development. The resulting benefits include higher retention rates and performance levels. More specifically,
highly engaged employees have a positive impact on the patient experience and overall quality of care.

Healthcare organizations must continue to innovate their recruitment and retention practices to ensure they have
a steady pool of talent to help them make progress toward achieving strategic objectives. Establishing a culture of
continuous learning, ensuring employees are engaged in fostering a positive culture, and embracing
nontraditional talent pools can not only reduce challenges surrounding identifying appropriate successors, but
also serve as a catalyst to increase employee morale and strengthen the organization’s position as a best place
to work.

3. Privacy/identity management and information security


Scrutiny on protecting sensitive information continues to increase, while the seemingly ever-changing threat
landscape has the Healthcare industry struggling to keep pace. For the most part, those in the healthcare delivery
segment recognize the importance of protecting patients’ health information and just how critical it is to do so —
not only because of confidentiality concerns but also the evolving implications to patient safety. However, the
plethora of third parties with which healthcare organizations interact do not consistently possess the same
understanding and appreciation for their role in helping to protect this information. As healthcare organizations
rely more on outsourced technology services and third-party partnerships, many struggle to find a balance among
responsibility, accountability and constrained resources. Not only do they have to make sure they are protecting
patient information, but also that third-party partners are doing the same.

Given the significant investments that many healthcare organizations have made in recent years to improve their
security and privacy posture, it is not surprising that leadership is growing somewhat tired of hearing, “We need to
spend more money to protect ourselves properly.” It’s a never-ending battle: The organization takes steps to
protect itself, the bad guys change their tactics and the vicious cycle repeats. Healthcare organizations must
come to grips with this reality to a degree, but it doesn’t mean surrendering to constant attacks and breaches. Yet
the Healthcare industry, as a whole, is struggling mightily with the fact that significant resources are required to
continue waging this battle from a people, process and technology perspective.

Further compounding matters, as healthcare moves toward more widespread adoption of true digital
transformation initiatives — such as robotic process automation (RPA), advanced analytics, telehealth, artificial
intelligence (AI), machine learning and wearables — the threat landscape will also grow. Without question, the
industry will face new and emerging risks in the future that will be even more challenging than those of today.
Along the way, healthcare organizations will need to assess, and realistically manage, their resource constraints.

4. Resistance to change operations
Clinical and operational performance is also top of mind for healthcare systems and executives. The pressure is
growing on healthcare organizations to lower costs, increase market share, improve clinical outcomes and
eliminate waste. If it were simply a matter of changing processes to achieve these goals, healthcare organizations
could implement best practices and move on. This is why culture matters; it impacts an organization’s ability to
make the necessary adjustments to clinical practices and operations.

But change management is difficult, and cultural challenges remain considerable roadblocks in creating the
change needed to achieve operational excellence. Changing behavior requires letting go of long-held habits that
are familiar and comfortable. That can incite fear among employees that they are at risk of losing something they
value. Regardless, healthcare systems must continue to evolve and transform, and that requires changing clinical
practices, operations, behaviors and habits. Healthcare organizations need to establish a clear vision of why
change is necessary and understand the key components of change management.

Most organizations will set annual goals and roll out key priorities that impact changes to technology, people,
processes, habits, beliefs, resources, budgets and cultures. Due to the complex environment of most healthcare
organizations, they typically use a top-down approach to implement change. Practices are reviewed based on the
literature, solutions are developed, and new practice guidelines are deployed. And many healthcare organizations
will adhere to this same process without achieving effective implementation of the desired changes.

Overcoming resistance to change requires alignment of clinical, administrative and economic goals. Creating
alignment is dependent on developing a deep understanding of what happens on the front line, where work is
performed and delivered. This requires a change in approach, from strategic planning to one of cultural alignment.
Using the top-down creation of annual goals with a bottom-up design of solutions is a more effective way to
overcome resistance to change. It is this creative design approach that yields positive change and sustains it over
time. Leaders develop strategic goals and implement operational improvements. Great leaders engage their
teams at the beginning and understand the importance of culture in achieving goals. Healthcare organizations
that have led transformation and innovation programs successfully are not confined by traditional approaches;
instead, they embrace disruption led by the frontline clinicians and staff.

Before charging ahead with developing solutions that require changes in processes or people, it is essential to
gain clarity about the problem that needs to be solved. Healthcare organizations should research the perceived
shortcomings and visit locations where work is being performed to gather firsthand knowledge of the current state.
They should also set aside assumptions and beliefs to gain a more nuanced understanding of how work is
currently being completed — and why. It is also important to gather intelligence from data. Data analytics is the
lifeblood of modern healthcare, driving clinical outcomes, reimbursements and effective operations. Achieving
change in the Healthcare industry hinges on providing solid evidence that the change is required.

To overcome barriers to change, many healthcare organizations can benefit from employing a new framework for
thinking about change management. This framework should include employing an effective change management
process using a step-by-step approach that incorporates proven techniques and tools, such as lean management,
lean process improvement, design thinking and data analytics.

Of note, one major challenge organizations face in achieving desired changes is how best to influence a highly
educated and independent workforce. Engagement in research, involvement in idea generation and participation
in solution design are the cornerstones to making change stick. Management must evolve from problem-solver to
facilitator and move from trying to create a perfect solution to co-designing solutions using an iterative process. It
is useful to have a mindset that is tolerant of failing small and failing fast until a workable solution is developed.
Engaging with frontline staff and clinicians to design solutions and create lasting change results in higher
employee and provider satisfaction and retention.

In the Healthcare industry, competitive advantage comes from the ability to adapt, transform and innovate — and
to do so better than other organizations. The convergence between change management and innovative problem-
solving can generate breakthrough ideas and is a proven way to garner buy-in from even the most recalcitrant
person to changes the organization needs to make. Healthcare organizations will have a competitive advantage
when they leverage their teams to both (1) understand the problem (based on facts and data), and (2) design
sustainable solutions with widespread support.

5. Existing operations meeting performance expectations, competing against “born digital” firms
Today’s healthcare landscape is changing rapidly in terms of how and where care is delivered, as well as how the
payment for care is rendered. To keep up, healthcare organizations are investing heavily in cutting-edge
technology to manage these changes and meet consumer demand and expectations for “connectedness” through
digital capabilities. Digital innovation translates to improved business performance through innovative products
and services, stronger relationships with customers, and enhanced operational performance and decision-
making. One limiting factor for many healthcare organizations is that their existing operations and legacy IT
systems and infrastructure can’t support digital innovation in terms of quality, speed to market, and cost in relation
to direct competitors and non-Healthcare industry disruptors (e.g., Amazon, Apple, Walmart).

Traditional healthcare organizations must adapt their core business and create new business models to keep
pace with emerging, digitally focused companies. As the number of “born digital” companies expands, the
competition for customers demanding higher quality and lower costs intensifies. For healthcare organizations, the
pressure is on to invest in emerging technology, replace legacy infrastructure and systems, embrace the cloud,
create customer-facing websites and apps, and roll out other innovations. At the same time, managing digital
transformation comes with risks that healthcare organizations must address to remain in business and achieve
their growth and profitability goals for the future. These risks come in the form of data and cybersecurity, legal,
regulatory compliance, system interoperability, and reimbursement, to name just a few.

6. Technology advancements to support patient care exponentially increasing cyber threats


Cyber threats are another top concern for the Healthcare industry, beyond the pressure to protect PHI from
malicious hackers and other bad actors. These threats are always expanding, especially as healthcare
organizations continue to grow and evolve their systems with additional components, including specialty care
delivery models; the build-out of more expansive accountable care organizations; the alignment of partnerships or
acquisitions; the growing use of new technologies and devices that are connected in a multifaceted approach to
the care delivery model; and the collection of information into massive data warehouses. There is also a growing
focus on making the patient the center of the delivery model and empowering them to interact with their health
information. All of the above initiatives add to an already complex business model when it comes to trying to
manage a cyber and information security program effectively.

The complexity and explosion of technology, the need for fast access to vast amounts of sensitive information to
provide care and determine potential health outcomes, and the push for interoperability across healthcare
organizations are all expanding the potential risk for cyber threat exposure at a rate that is challenging for even
the most mature organizations to manage. Applications and devices with known security flaws that cannot be
patched, updated, or fully retired are another issue. Many of these apps and devices may be the only technology
on the market to meet specific healthcare delivery needs for certain care specialties. Or, they may have involved
large capital outlays, where the vendor has failed to provide or allow for ongoing security updates (as is the case
with many medical devices).

While the Healthcare industry is dealing with the ever-expanding use of new technologies, along with all the cyber
threats and risks that accompany them, organizations are further hindered by a significant shortage of skilled IT
resources to help address these issues. As a result, many organizations lack detailed plans for responding to
identified cyber incidents.

Many healthcare organizations that are more mature in addressing cyber threats have had success in managing
the complexity of technology expansion. They have formal governance and assessment processes that include
tight alignment with the information security group in assessing new business initiatives and technologies that
include connectivity, control and security aspects. Additionally, these organizations are performing ongoing risk
analyses, including regular vulnerability scanning and multifaceted penetration testing efforts to identify new areas
of vulnerability. They also have implemented processes and controls to allow for proper incident response and
contingency planning should key incidents occur.

7. The influence of culture on risk awareness and effective risk response


Respondents to our global risk survey continue to highlight the need for attention on the overall culture of the
organization to ensure it is sufficient to encourage the timely identification and escalation of risk issues.
Interestingly, this has been a top 10 concern in our survey since 2015. It highlights the fact that with the speed
and complexity of the changing landscape of the Healthcare industry, many organizations feel like they are
continually fighting fires instead of proactively managing risks, and therefore struggle to focus their efforts on
performance and executing strategy.

Is there a sufficient platform for employees and management to promptly raise awareness of risks or escalate
issues that could pose a threat to the achievement of organizational goals and objectives? In many cases, the
conventional methods of communicating significant risk do not seem to be a coordinated effort. The traditional
platforms for reporting risk are usually risk committees, internal audit, compliance, compliance committees and
the catchall — the corporate hotline, which is often seen as a forum to raise concerns related to human resources
issues. Among the host of other committees at healthcare organizations, is there alignment of risk issues that
should be presented to and be resolved with the board, senior leaders and employees? Is there a platform for
committees or department leaders to share risks openly across functional lines? A coordinated, streamlined
process for evaluating, exposing and proactively mitigating potential risks in a timely manner means that everyone
in the organization understands the concept of risks, shares a common vocabulary, and sees risk assessment,
management and mitigation as part of their job. Organizations that can proactively anticipate, adapt and respond
to change will be successful in achieving strategic objectives.

One approach to addressing risk is implementing an ERM process. An effective ERM program provides
management with relevant information — regarding risks, uncertainties and opportunities — that could influence
decision-making during strategy- and objective-setting and performance management. The recently updated
COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM — Integrating with Strategy
and Performance Framework emphasizes integrating risk with decision-making, recognizing the important
interconnection between risk, strategy and enterprise performance. Whether healthcare organizations have robust
ERM programs in place or have yet to create a program, the updated framework serves as a solid foundation for
either testing current efforts or providing direction for future efforts.

8. Sustaining customer loyalty and retention increasingly difficult due to evolving customer preferences and/or demographic shifts in existing customer base
A simple principle of customer loyalty and retention across any industry has always been, simply, to be the best at
what you do. However, this concept of “best” proves difficult in the Healthcare industry, as it relies heavily on
patient perception and does not necessarily follow procedural and/or health-related outcomes to establish this
precedent. A 2018 study published in the Journal of Multidisciplinary Healthcare revealed that patients’ perception
of care quality was most affected by person-related conditions, such as time with care staff or staff attitudes, and
external objective care conditions, such as technology or the cleanliness of facilities. Today’s patient is
technologically savvy, expects convenience and demands transparency in all transactions. As demographics
continue to shift, along with customer preferences for the delivery of care, understanding the future and ongoing
needs and expectations of patients will prove pivotal to ensuring their loyalty.

Retail organizations have mastered practices surrounding customer loyalty and retention, especially in an industry
where ongoing battles with competitors are common. While most industries can borrow and mold the majority of
these concepts to fit their needs, this is not as easily transferable within healthcare. So, how do healthcare
organizations balance concepts such as customer loyalty, customer retention and brand loyalty while continuing
to deliver quality outcomes as they relate to patient care? The better question is this: What do organizations stand
to lose should they not dedicate the necessary personnel to enforcing these concepts? Multiple studies show that
it is more than twice as expensive to acquire new customers than to focus on their ongoing retention.

The Healthcare industry has seen an uptick in acquisitions, mergers and collaborations over the last several
years, which also makes brand loyalty another important concept. Ensuring patients can identify additional
avenues by which they may access care not only benefits the organization, but also aids in reducing barriers to
care. Brand loyalty also addresses how healthcare organizations are perceived within the marketplace.
Enhancing the relationship between organizations and patients has perhaps led to the additional focus we have
seen within patient experience functions across the United States. According to the Beryl Institute, 82% of
healthcare organizations have some focus on patient experience.

The customer’s experience from the very first contact with a healthcare organization will ultimately determine that
customer’s loyalty and directly contributes to their retention. Overall, healthcare organizations should take stock of
how they are managing their patient populations and curating communications with key segments. Quick wins can
typically be found through analyzing patient feedback or looking for ways to streamline processes related to the
financial experience, patient wait times and scheduling.

9. Big data and analytics — knowing what’s there and what to do with it
As technological innovation accelerates, there is an expectation that people will work smarter and faster and
processes will become more efficient. Another expectation is that organizations will do more with less. The
Healthcare industry is no exception, and there is a general perception that healthcare systems have fat to trim.
Through various pay-for-performance programs and cost-reduction initiatives, most healthcare systems have cut
costs and addressed low-hanging fruit to the fullest extent possible. Now, they are trying to figure out how to run a
more efficient operation, with fewer resources, that will result in higher quality that can be definitively measured.

It's no secret that the Healthcare industry is significantly behind other industries when it comes to data analytics.
Many health systems are still operating outdated software that does not support innovation and can produce only
the most basic reporting. And yet, the data locked within these systems is quite possibly the most valuable data
that exists across all industries, as it has the potential to save and enrich many lives. In an era where the overall
reimbursement pool is shrinking and payment models are shifting toward rewarding outcomes rather than the
provision of services, data is key. Healthcare organizations that realize this and can capitalize on it will be well-
positioned to survive and thrive in the future. Those that ignore this reality or remain unable to utilize data in a
meaningful way likely will not do as well.

Data in the Healthcare industry is largely siloed (across competing organizations, and across departments within
the same organization). That results in many care decisions being based on incomplete information. Thanks to
regulatory security and privacy concerns, much of the Healthcare industry has defaulted to building walls around
data rather than finding ways to legally share information in a manner that is in the best interest of all involved.
The value and overall quality of analytic results rely heavily on the availability and sharing of data so that
conclusions can be reached based on a data set that considers the overall population. The more limited the data
set is, the greater the chance that poor conclusions will be reached.

“Big data” is a common buzzword in the Healthcare industry, and healthcare professionals recognize the pressing
need to make use of data analytics to support and guide improvement initiatives. The challenge is not necessarily
the availability of data, though. Rather, it’s how to use the vast amount of data that is available. Nobel Prize
winner Herbert Simon aptly stated: “The wealth of information creates a poverty of attention.”

With increased access to powerful data analysis software products, cloud provider services, and the expanded
capabilities of Microsoft Access and Excel, the ability exists for people across the entire healthcare organization
(not just in finance or decision support) to analyze large amounts of data in ways previously unimaginable. Power
BI, Tableau and other data visualization software tools enable data to be aggregated quickly and presented in a
visually appealing way. Also, innovative technologies such as process mining, RPA and even AI will play a role in
the future of healthcare. However, in the absence of a clear vision and well-conceived plan, efforts to utilize data
or extract anything meaningful from it will very quickly become overwhelming. Without the right plan, healthcare
organizations are at risk of spending precious time, energy and resources only to end up with shiny new reports
or dashboards that have visually enhanced charts and graphs, but no real actionable information.

10. Risk tolerance and acceptance — alignment between third parties and providers
There is a growing need in the Healthcare industry to focus more on improving how vendor and other third-party
relationships are managed. Healthcare organizations are engaging a wide range of partners that either provide or
support many key functions — from IT solutions to outsourced departments to joint ventures — all of which can
have a direct impact on costs and revenues, and the ability to meet overall organizational targets and goals.
However, many healthcare organizations overlook the importance of a formal management process for engaging
and overseeing these third parties effectively.

The Healthcare industry has seen an explosion in the number of vendors and joint ventures that aim to provide
specialty care services, consumer interactions, software, tools, technology, connected devices, web applications,
mobile applications and more. Healthcare providers are looking to find the right approach to using these
technologies and third parties to provide the best care and service to their patients. Third-party management is
ever more important given the significant risk these additional parties can introduce from a reputational, legal and
regulatory aspect, as well as their potential to make business models even more complex.

The HHS Breach Portal shows a significant number of cases and associated patients affected by a breach that
involved a vendor/third party (business associate). When such a breach occurs, the responsibility for notifying all
patients ultimately resides with the covered entity from which the electronic protected health information (ePHI)
originated. As a result, it is likely that the covered entity will have its name somehow associated with the
breach, such as in headline news. The HHS OCR continues to point to vendors and associated BAAs as key
areas of deficiency based on their investigations and associated Health Insurance Portability and Accountability
Act (HIPAA) violation settlement agreements.

Ideally, effective third-party management leverages a risk-based approach that takes into consideration many
different risk factors of the third party or vendor. Security controls and BAAs are only one aspect. Healthcare
organizations should also consider business use and criticality (the impact to the business or on the patient due to
being without a service, technology, or another need, and for how long); pervasiveness of the use in the
organization; availability, use, and portability of the data; third-party support needs; overall cost, spend and
revenue; the expected customer and patient impact; and so on.

Taking these factors into consideration and assigning a risk rating to third parties allows the organization to
provide a more focused approach to how it monitors and manages third parties on an ongoing or periodic basis,
from the contracting process through to termination. Establishing assigned responsibilities and a defined but
flexible process for monitoring these third parties is necessary for healthcare organizations to manage financial,
regulatory and reputational risks, as their use of third parties continues to expand.

Closing Thoughts and Looking Ahead


The Healthcare industry is transforming at a rapid pace. Those agile healthcare players that have sound risk
management practices in place will likely have a competitive advantage. This will involve the board employing
effective risk oversight practices, management continually assessing and deploying risk mitigation efforts, staff
who are empowered to both identify and manage risks, and third-party partners that have a strong risk
management mindset. 2020 commences a new era for the Healthcare industry, and those organizations taking
proactive steps toward this future will be ahead of their peers.

About Protiviti
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and
unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned
Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk
and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60% of Fortune 1000® and 35% of Fortune Global 500® companies. We also work
with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of
the S&P 500 index.

Contact

Richard Williams
Managing Director, Healthcare Industry Leader
+1.214.395.1662
richard.williams@protiviti.com

© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans.


Protiviti is not licensed or registered as a public accounting firm and does not issue opinions
on financial statements or offer attestation services.
