Censinet and KLAS: Making it Easy to Assess Cybersecurity Preparedness

Effective healthcare delivery involves a lot of moving pieces with third-party products, devices, and services across all areas of the system. When seen as a whole, this array presents a substantial attack surface for those targeting healthcare systems to get access to highly valuable information.

Anytime healthcare organizations bring on a piece of software or a services arrangement with outside companies, they bring in more risk to the organization. This is not news to any who are involved in healthcare security, such as the CISOs who likely lose sleep over these challenges.

KLAS is also very much aware of the problem, and we’ve wanted to help providers in this space for some time. Our original approach to this challenge was to bring transparency to the industry. We wanted to know how well the vendors and firms performed that do this type of work. But as we began working on the project, we realized we could have a broader impact by partnering with one of those organizations to share that information.

So KLAS is partnering with Censinet, a company that specializes in managing cybersecurity risk for healthcare organizations. Our aim here is to help organizations quickly gain a deeper understanding of their cybersecurity risk challenges and then mitigate that risk. This partnership is critical because it offers a new approach that streamlines the risk assessment process for all involved.

Solving the One-to-One Approach

The problem with assessments, historically, is every time a health care organization wants to engage with a new company, it's a one-on-one approach. You give them forms to fill out to understand their security practices. Your team goes through an often long and painstaking review process with them to make sure everything looks good before signing a contract.

The benefit of moving toward the Censinet model is rather than it being a one-to-one process, that can be a one-to-many process. Software and services companies working in the healthcare space can fill out a complete no-cost assessment once. Then, KLAS shares high-level findings from participating companies on components like network security, data protection, and identity and access management. In this way, many healthcare organizations can benefit from the work that has already been done.

The other factor here is getting organizations this information prior to making a software or services decision. Often, the organization does an RFP, selects a software or service, and then goes to their security team for a risk assessment. But the organization has already decided what they want, so the security team can feel like they are tied to it, no matter the results.

Now providers can have a vendor’s security information right in front of them when they look at vendors on the KLAS website. They can look at customer satisfaction alongside the security posture of the vendors, and we think that is really valuable.

Simplifying the Process

Censinet’s approach helps healthcare organizations simplify how they address risk in many ways. Here are just a few:

1. The assessment covers the unique demands of healthcare. Specific questionnaires for the product or service eliminate questions that don’t make sense in the industry based on NIST cybersecurity framework 1.1, ISO 27001, HIPAA, and cybersecurity best practices.
2. It reduces average assessment times and frees up staff. The average assessment time goes from 44 days to less than 10. One healthcare organization reported that they were able to significantly reduce the number of employees needed to focus on third-party risk management and were able to move them to other projects.  
3. The quality of assessments increases. Censinet’s process makes it possible to ensure that every assessor in the organization delivers consistent and in-depth results across all potential third-party products and services.
4. The process reduces provider and vendor friction. The automated process provides complete visibility to both providers and vendors.
5. Participation includes actionable insights. When problems are found, Censinet automatically generates a Corrective Action Plan (CAP) that give all parties next steps to move forward.
6. It elevates risk awareness. Perhaps most exciting is when all is said and done, assessments can provide a complete risk picture across all departments that touch patient care and safety.

Photo credit: Aoodstocker, Adobe Stock