Why Business Partner Vetting?

Globalization has been with us for a couple of decades now. Why, then, is third-party risk exploding now? There are at least three factors in play.

The first is the sheer volume of outsourced relationships that exist, even for small enterprises. For example, in the HIPAA space, the “average” covered entity (“CE”) is said to have twenty-seven (27) business associates (“BAs”). However, mid-size CEs likely have hundreds of BAs, and large CEs have BAs that almost certainly number in the thousands. But the fun does not end there. Why? Because BAs also have BAs (subcontractors), each of which inherits the same obligations. Therefore, it does not take a polymath to figure out that third-party risk is an exponentially complex problem.


The second factor is that regulators are paying more attention. It seems that every day we are bombarded with news of yet another Data Breach. If your organization’s Breach makes headline news, you can bet that one of two regulators (in the U.S.) will come calling. If it is personally identifiable information (“PII”) that was breached, then the Federal Trade Commission will be knocking at your door. If it was protected health information (“PHI”), then the Office for Civil Rights will be the agency paying you a visit.

Moreover, assuming the latter, if the Breach affects five hundred (500) or more individuals, which is really a small Breach, your organization is going to end up on Health and Human Services’ infamous wall-of-shame. You are not going to have a good day. The bottom line is that there is significantly more scrutiny on public breaches, and that trend is not going to subside anytime soon, no matter which party controls the levers of power. Today, it is simply unacceptable to have thousands of your customers’ records available on the “dark web” for sale to the highest bidder.

That leads us to the third factor. What is the value of your organization’s reputation? Everything. That’s it. There is no other answer. If you take a big enough hit to your reputation, your brand may be so damaged that no recovery is possible. Sure, if you are a large CE or Big Pharma you may recover. Why? Because the latter have pseudo-monopoly market share in certain spaces. They can’t generally be disrupted out of existence. That doesn’t mean that a significant breach is a trivial event for a large CE. It simply means that, unlike a small-to-midsize BA, they are likely to survive the event.


So, if you are a “cowboy healthcare startup” solely focused on technology and not giving compliance and cybersecurity its just due, then you will never cross the chasm to play with the big boys that your venture is likely depending on for its survival. The big boys understand that third-party risk can cause serious damage to their brands. They are not about to let you into the game without a thorough vetting, which will likely go well beyond a questionnaire, although the latter will probably initiate the process. They are also going to expect that you vet your business partners as well. Security is only as good as its weakest link. If you don’t have a good story for achieving that objective, then that’s a good indicator that your cybersecurity is not where it needs to be.

The questionnaire is also likely to ask that your company produce: (1) your latest risk assessment; (2) your cybersecurity policies and procedures; (3) your workforce training plan and results; and (4) potentially any number of other pieces of information that demonstrate the rigor of your CyberCompliance™ program. Expresso, including our BPV Portal, helps you accomplish all of this and more. Combine that with our partner’s Healthcare Startup Moonshot offering and you have the instantiation of a compliance program at a fraction of the cost (and time) that it would take to roll your own solution, or to hire consultants for hundreds of thousands in fees, only to reinvent the wheel we spent a decade inventing.


On the other hand, if you are one of the big boys, and you want to significantly reduce the time it takes to vet hundreds, if not thousands, of business partners (aka business associates in the HIPAA space), then Expresso’s BPV Portal will save you the daunting cost of mailing and processing questionnaires by hand, saving tens of thousands of dollars on a yearly basis. The more business partners you have to vet, the more you save. This add-on (Silver Subscription Plan) alone is worth our Subscription Plan’s price of admission. In addition, you get Expresso’s other enterprise features to boot.

With the tsunami of Data Breaches that occur on a monthly basis, from ransomware perpetrated by sophisticated criminal gangs, to state actors, and literally to mischievous kids in a garage looking for a payday, these attacks are not about to stop any time soon. Sure, if you are one of the "Big Boys" you understand that you have to harden your defenses, but how do you get "satisfactory assurance" that your business partners (business associates in the HIPAA space) are doing likewise? Here's a clue: it will take more than a contract but less than a yearly onsite inspection. The latter is a practical impossibility, and the law generally never requires the impossible. The former is woefully insufficient. Hence the industry consensus on manually propagating, retrieving, and analyzing questionnaires and providing partners feedback on the quality of their responses. This practice is insidious and usually lacks organizational visibility as to costs.

One misstep by a business partner can cause your organization millions of dollars in reputational damage. Having a Business Associate Contract and/or other contracts with terms and conditions that provide for indemnification will do you little good. A major Breach will almost certainly drive a small or midsize partner into bankruptcy, leaving nothing to indemnify you with. We have finally crossed the Rubicon: post-Covid-19, there will be far more aggressive BPV than ever before. Not because of increased enforcement by Regulators, but rather because midsize and larger players are no longer willing to roll the dice with a partner that has "cool tech" but can't even answer basic cybersecurity 101 questions.