Building an Effective Vendor Risk Management Program

By Dawn Morgenstern and Katie Sullivan

Late last month, news broke of a ransomware attack on an EHR provider that impacted NY-based home health chain Personal Touch Home Care. The attack is one of many recent cyber incidents involving vendors that provide crucial services to healthcare organizations.

In a Healthcare Info Security story reviewing the Personal Touch incident, company Vice President Laura Dechen made the following comment:

“If anything can be gleaned from this, it’s to quadruple-check everything … and understand all the risks vendors pose.”

Indeed, healthcare providers are at increasing risk of intentional and unintentional cybersecurity compromises by vendors that access, transmit, store, or maintain their critical data. The latest Ponemon Institute study indicates that 56% of providers have had one or more vendor-related data breaches over the last two years.

Risk is compounded by the increasing amounts of outsourced data, expanding use of the cloud, the growing number of service providers, the escalating threat landscape, and rising severity of regulatory fines at the state and federal level.

Current approaches to assessing and managing vendor risk are failing for numerous reasons:

  • The lack of automation and reliance upon manual risk management processes make it difficult to keep pace with cyber threats and with the increase in digital applications and medical devices used in the industry.
  • Vendor risk assessments are time-consuming and costly, so few organizations are conducting risk assessments of all their vendors, which number nearly 600 on average.
  • Vendor management processes are decentralized, with efforts managed in silos across the organization.
  • Critical vendor management controls and processes are often only partially deployed or not deployed at all.

We offer insight on how to advance your vendor risk management efforts, drawing on Clearwater’s experience assisting healthcare organizations with building strong programs.

Step 1: Assess and Classify

The first step in building an effective vendor risk management program is conducting a methodical assessment of your vendors and subcontractors that have access to protected data, classifying the risk associated with each of them based on a range of factors:

  • Type of service being provided
  • Access to internal data involved in providing the service
  • Nature of data set involved (client confidential, private data, financial transactions, identifiers, passwords, etc.)
  • Data and information security expectations (related to nature of data)
  • Location where services are provided from, or where the firm is headquartered. Some jurisdictions have looser regulations, a noted tendency toward corruption in the market, opaque business practices, or a lack of enforcement of good corporate governance.
  • The strategic importance of the vendor to business or service proposition

The initial classification during the assessment process will typically determine the degree of ongoing due diligence and monitoring within the program. Higher risk classifications may also initiate a deep dive assessment of the vendor.
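To make the classification step concrete, here is an added example (not Clearwater’s code or methodology) that scores a vendor on the factors listed above, maps the score to a risk tier, and derives the due-diligence review cadence and past-due status described in Step 3. The weights, the three-tier thresholds, the jurisdiction scale, and the review intervals are assumptions to be tuned to your own program.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Vendor:
    name: str
    service: str             # type of service provided
    accesses_phi: bool       # access to internal/protected data while delivering the service
    data_kinds: frozenset    # nature of the data set (identifiers, financial, passwords, ...)
    jurisdiction_risk: int   # assumed scale: 0 = well regulated .. 2 = weak enforcement/opaque
    strategic: bool          # strategic importance to the business or service proposition
    last_review: date        # date of the most recent completed due-diligence activity

# Assumed weights and cadences; constructed for this example.
SENSITIVE_KINDS = {"identifiers", "financial", "passwords", "client_confidential"}
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

def risk_score(v: Vendor) -> int:
    """Additive score over the classification factors (max 10 under these weights)."""
    score = 3 if v.accesses_phi else 0
    score += min(len(v.data_kinds & SENSITIVE_KINDS), 3)   # more sensitive data kinds, more risk
    score += v.jurisdiction_risk
    score += 2 if v.strategic else 0
    return score

def classify(v: Vendor) -> str:
    """Map the score to the tier that drives ongoing monitoring depth."""
    s = risk_score(v)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def next_review_due(v: Vendor) -> date:
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[classify(v)])

def review_status(v: Vendor, today: date) -> str:
    """'past due' if the cadence for the vendor's tier has elapsed, else 'upcoming'."""
    return "past due" if next_review_due(v) < today else "upcoming"

def program_dashboard(vendors, today: date):
    """One row per vendor: (name, tier, due date, status), highest risk first."""
    rows = [(v.name, classify(v), next_review_due(v), review_status(v, today)) for v in vendors]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[2]))

# Constructed sample vendors (not real organizations).
EHR_HOST = Vendor("Example EHR Hosting", "EHR hosting", True,
                  frozenset({"identifiers", "financial"}), 0, True, date(2019, 12, 1))
FACILITIES = Vendor("Example Facilities Co", "facilities maintenance", False,
                    frozenset(), 0, False, date(2020, 1, 15))

if __name__ == "__main__":
    for row in program_dashboard([FACILITIES, EHR_HOST], date(2020, 4, 1)):
        print(row)
```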

Step 2: Address Governance, Process, and Technology

The next step in building your vendor risk management program is to implement necessary governance, process, and technology changes. Three areas are vital:

  • Defining policies and procedures for monitoring vendors
  • Consolidating existing internal vendor profile data and contracts into a single data repository
  • Closing critical vendor data gaps

At a minimum, policies and procedures need to include the following:

  • Roles and responsibilities
  • Risk assessment process
  • Due diligence in selecting a vendor
  • Ongoing monitoring
  • Vendor onboarding
  • Vendor termination
  • Oversight and escalation

One of the principal challenges to managing vendor risk more effectively is the likely dispersion of vendor data across the organization. This is exacerbated when there are multiple divisions and departments and when the data are held in multiple repositories. For effective program management, these sources all need to be assembled into a single integrated operating platform. A good platform can also help you gather missing vendor data efficiently.

Step 3: Actively Monitor and Manage Your Vendors

Once the program has been set up, the challenge shifts to monitoring your vendors. These activities include the ongoing due diligence of existing vendors, the onboarding and termination of vendors, and reporting and oversight.

Due diligence requires deeper dives into areas of risk such as IT security, financial stability, and so on. This is accomplished through multiple activities, including the use of in-depth questionnaires, the screening of vendors against external databases such as World-Check or Dun and Bradstreet for financial standing, and the scheduling and documenting of activities such as on-site visits and phone interviews.

It is estimated that 90% of the risk management team’s time will be spent on activities focused on existing vendors. This ongoing due diligence is essential to the success of the program and is an area where automation can make a significant contribution. Vendors classified as high risk must be monitored more closely, and an automated system allows you to do this efficiently.

Once the ongoing due diligence program is active, start to look at specific tasks such as certifications and attestations to ensure your policies are being followed by all parties.

Implementing procedures to ensure that the correct vendors are onboarded is critical. These procedures need to be applied consistently across the organization, and this consistency is key to the long-term evolution of the program.

Termination of the relationship with a vendor is also very important and often a focus for regulators. Organizations should have processes in place to identify when and how vendors should be terminated and to ensure completion of the procedures associated with the proper termination of the relationship. Again, to ensure consistency, these processes should be automated across the organization.

An automated solution can also enable organizations to quickly see the risk classifications of their vendors and the risk assessment and due diligence activities that are upcoming or past due. The ability to analyze the risks presented by vendors and to trace them to their source through visual tools such as risk matrices is key. Other analytical reports that show changes in risk profile over time are also very helpful.

For further insight, we invite you to review the Clearwater on-demand webinar “You are Only as Secure as Your Riskiest Vendor” and to reach out to us with your questions and concerns at
