Study: Monitoring Vendor Risk Remains Much Harder Than Onboarding Third Parties

Recent findings indicate that healthcare organizations are increasingly adept at vetting third-party vendors, including those supplying medical devices, software, and various services. However, a significant gap remains once these vendors are onboarded; many healthcare firms face ongoing challenges in monitoring their security posture and ensuring vendors fulfill their commitments. This is the primary takeaway from a new study conducted by KLAS, a research firm specializing in healthcare.
On June 1, KLAS released a comprehensive report based on in-depth interviews with 44 organizations from various sectors of healthcare, ranging from extensive health systems to standalone clinics and hospitals. The study aimed to shed light on the pressing third-party risks that these organizations grapple with and how they navigate these complex challenges.
Previously, a KLAS report in collaboration with Ernst & Young had found a disconcerting statistic: three out of four healthcare organizations had encountered a vendor-related data breach within the last two years. This alarming trend prompted KLAS to delve deeper into the nuances of third-party risk management in the healthcare sector.
Of those 44 organizations surveyed, approximately 67%—28 firms—indicated their reliance on third-party risk management tools sourced from external vendors to navigate their vendor-related risks. In contrast, around a third of the organizations opted to manage these risks independently. Nonetheless, regardless of their methods, KLAS found that a large number of healthcare organizations focused their efforts on the initial vetting process, often neglecting the ongoing oversight necessary for effective vendor management.
KLAS noted that “While a vendor may appear acceptable during initial evaluation and onboarding, risk can emerge later due to control drift, product changes, poor follow-through, or business disruption.” The report highlighted that the ramifications of inadequate lifecycle oversight extend beyond mere administrative inefficiency; they can adversely affect continuity, accountability, and confidence in essential systems supporting patient care.
The report further revealed that most surveyed organizations lacked “reliable, repeatable processes for ongoing oversight.” Critical tasks such as follow-ups, re-evaluations, monitoring significant changes, and enforcing remediation measures are often difficult to maintain consistently. Therefore, organizations find themselves trying to develop necessary capabilities to sustain trust throughout the vendor lifecycle—from approval and implementation to expansion and renewal.
Even when healthcare organizations employ tools designed to support third-party risk management, obstacles persist. These include resource constraints such as limited staffing and budget allocations, as well as difficulties in scaling vendor coordination. KLAS articulated this situation, stating, “The biggest theme is that healthcare organizations have gotten better at front-end vendor intake and approval, but ongoing oversight is still hard.” Jaren Day, a group director at KLAS, pointed out that organizations are particularly struggling with vendor access management, enforcing cybersecurity requirements in contracts, and dealing with high-risk vendors that offer few alternatives.
Adding to these challenges, Steven Adler, a partner at The Edmund Group and a former risk management executive at health insurer Humana, outlined four fundamental obstacles healthcare organizations encounter in managing third-party risks. First, he pointed to the lack of executive support. Often, third-party risk management (TPRM) initiatives are relegated to lower levels within an organization, missing vital sponsorship and funding from leadership. This disconnect can leave vendor oversight poorly managed under a distributed model, further complicating the situation.
Secondly, Adler highlighted the “non-traceability” of protected health information handling by third parties. At the onboarding stage, patient data is frequently not meta-tagged, rendering it challenging to trace when incidents arise. This lack of oversight means that organizations, including covered entities and business associates, may lose accountability regarding patient data.
A third challenge involves the absence of a structured vendor risk tiering model. Organizations with large vendor portfolios often lack systematic criteria for prioritizing vendors based on various metrics. “Not all vendors are created equal,” Adler explained, advocating for a framework supporting appropriate vendor risk tiering.
Lastly, Adler noted the inconsistency in enforcing “target hardening controls,” such as data loss prevention, multifactor authentication, and encryption protocols, which are crucial for maintaining security.
While large healthcare organizations grapple with vendor oversight, the issues are often exacerbated among smaller healthcare providers, which make up the majority of U.S. healthcare entities, according to regulatory attorney Paul Hales of the Hales Law Group. He stated, “Ninety percent of healthcare organizations are classified by the government as small businesses.” These smaller entities are particularly vulnerable and often serve as indirect access points for cybercriminals targeting larger organizations due to the interconnected structure of healthcare delivery.
Despite these challenges, it remains the obligation of senior management and boards of directors across all healthcare organizations to ensure robust information security, including responding to breaches resulting from third-party vendor incidents. As Hales emphasized, “Sound business and ethical standards necessitate close attention to these matters, especially with the ever-increasing threat posed by cybercriminals.”