BLOG

The Power of Existing Data for Vendor Risk Assessments

Far too many third-party risk management programs rely on assessment models that start from scratch for every product and vendor entering the standard procurement cycle. The mean time to complete a vendor assessment from scratch is over 27 days, which includes vendor response cycles, clarifications, and validation of the information provided.

SolarWinds Cyberattack Exposes Supply Chain Risks

A groundbreaking cyberattack against the Texas-based IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations. The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possibly years to come.

Selecting the Right Technology for Your Third-Party Risk Management Program

Effective third-party risk management (TPRM) begins with maintaining an updated vendor inventory and conducting assessments for a prioritized subset of vendors who pose the greatest risk to your organization. Technology and automation play a critical role in your program’s ability to deliver assessments and high-quality risk intelligence to the business in a timely fashion. Applying the right technology in the right places in your vendor risk workflow can also save valuable time and money that would otherwise be spent on costly manual processes and systems.

Healthcare’s Gamble with Business Associate Breach Risks

Security breaches from third-party Business Associates and related regulatory penalties are piling up for healthcare entities this year. In a joint presentation with CORL in June 2020, the US Office for Civil Rights (OCR) reported that a top source of civil monetary penalties for Covered Entities in 2019 was inadequate management and compliance for third-party Business Associates. Despite the mounting financial penalties and breach costs resulting from third-party breaches, too many healthcare entities continue to gamble with underinvestment in their third-party vendor risk and compliance programs.

Explaining CORL's Processes to Vendors

CORL provides a unique and innovative model for managing third-party risk. However, there is a wide range of vendor assessment technologies and solutions on the market, including cyber risk scoring tools, GRCs, automated questionnaires, vendor exchanges, and more. This diversity of solutions has generated confusion for some vendors that are trying to figure out how and where CORL fits into the picture in supporting your vendor risk program.

NIST SP 800-53 Rev 5: New Supply Chain Control Requirements

The National Institute of Standards and Technology (NIST) has announced an updated version of its flagship security controls framework, NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. A major addition in this revision is an entire security controls “family” dedicated to Supply Chain Risk Management (SR). This blog post provides insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability to third-party risk management programs.

Finding a Cure for Healthcare Vendor Risk | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information, including Protected Health Information (PHI).

Enterprise Risk Reporting | The Achilles Heel of Vendor Risk Management Programs

Information security leaders and vendor risk management teams have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks introduced by the modern business supply chain. The inability to effectively communicate meaningful vendor risk metrics that drive informed decisions from the business has become the Achilles heel for many third-party risk management programs.