TPRM

Healthcare Vendor Risk Management (VRM) FAQs

By CORL Technologies | November 30, 2021

What is third-party risk and why is it important for healthcare entities?

Healthcare organizations have become increasingly dependent on third-party vendors in the supply chain to deliver mission-critical operational and support services. However, the volume and magnitude of cyber breaches of supply chain vendors has healthcare organizations struggling to stay ahead of the next vendor breach. Current models for issuing and reviewing vendor questionnaire assessments are not able to scale to keep pace with mounting vendor risk exposures.

Healthcare has moved a majority of our critical IT systems to third-party and cloud hosted vendors as part of the ongoing digitization of healthcare. However, the problem with this is that we have become dependent on these third-party vendors to deliver critical patient care, treatment, and operations.

When a vendor has an outage due to ransomware or some other cybersecurity breach, the healthcare organization feels the pain. And that pain is now much more than the threat of regulatory non-compliance with HIPAA due to lost or stolen data; the breaches are now impacting the ability for healthcare organizations to operate and are threatening patient safety.

Refer to the following resources for additional guidance on this topic of third-party risk management:

• Partner Perspective: Health Systems Need New Approach to Managing Threat Posed by Third-Party Vendors
• Webinar Replay: Weakest Links in the Supply Chain | Healthcare Vendor Breach Review

---

How does healthcare compare to other industries for third-party risk management?

Cyberattacks on healthcare’s supply chain have been growing exponentially in the last several years. These attacks had introduced substantial social and political implications. In 2021 alone, the industry experienced massive supply chain breaches including SolarWinds, Kaseya, Microsoft Exchange and others. These large-scale attacks create a scenario where a single vendor breach can impact thousands of organizations in one fell swoop.

Healthcare has been hit the hardest of all industry segments at a time when we need to be firing on all cylinders to address and recover from a global pandemic. A recent report from the Identity Theft Research Center [1] cites healthcare as the industry sector with the highest volume of breach events in the past two years. The report also notes a 42 percent rise in the number of supply chain attacks.

Healthcare vendor risk management programs and processes are relatively immature when compared with other industries such as financial services. In an effort to catch up, the healthcare industry is rapidly moving to adopt innovative solutions including vendor risk management (VRM) technology, workflow automation, managed services, and vendor assessment clearinghouses and exchanges like CORL Technologies.

Refer to the following resources for additional guidance on this topic of healthcare vendor risk management:

• Healthcare Takes It on the Chin with Supply Chain Breaches
• Webinar Replay: Data is King | The Power of Vendor Risk Data & Analytics

---

What are the most common security frameworks and standards used for healthcare vendor risk management (VRM) assessments?

There are a wide variety of vendor questionnaire formats and versions for third-party risk management assessments. Most vendor questionnaire assessments leverage one or more industry standards and frameworks. Some of the most commonly adopted standards used for vendor questionnaire templates for healthcare entities include:

• NIST SP 800-53 (Rev 4 and Rev 5)
• NIST Special Publication 800-171
• HITRUST Common Security Framework (CSF)
• Standard Information Gathering (SIG) Lite
• Center for Information Security (CIS) Critical Security Controls

Refer to the following resources for additional guidance on this topic of healthcare vendor risk management frameworks:

• CORL Releases New NIST 800-53 Rev 5 Vendor Questionnaire
• NIST SP 800-53 Rev 5: New Supply Chain Control Requirements

---

Do vendors and business associates need to be included in security risk assessments?

Yes. Vendors and third-party platforms that store or manage Protected Health Information (PHI) and other sensitive data on behalf of the organization should be routinely evaluated from a security risk perspective. This is often achieved as an ongoing business function aligned with the procurement and oversight of vendors. Vendor risk management (VRM) assessments may include a combination of vendor questionnaire assessments, onsite audits, and evidence collection and validation of implemented security controls. Security risk assessments should include an evaluation of the scope and effectiveness of vendor security risk management processes for the healthcare entity.

Refer to the following resource for additional guidance on this topic of third-party vendor risk management compliance obligations:

• Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs

---

Does HIPAA mandate that vendors and business associates need to perform security risk assessments?

Yes. Business associates that store or manage PHI are required to comply with the HIPAA Security Rule, including the HIPAA Risk Analysis and Risk Management requirements. Vendors should routinely assess their own enterprise security risks as well as the security posture of their supply chain (i.e. fourth-party entities to your organization). As part of standard vendor risk management (VRM) programs, many organizations also require their third-party vendors to conduct routine penetration tests and report back the results to verify that technical security gaps are identified and remediated in a timely fashion.

Refer to the following resource for additional guidance on this topic of vendor risk management HIPAA requirements:

• Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs

---

Which risk management tools are most commonly deployed to support healthcare vendor risk management (VRM) programs?

There are multiple types of vendor risk management tools available on the market today that can play a role in supporting healthcare vendor risk management (VRM) programs. These commonly include Governance Risk and Compliance (GRC) platforms, vendor questionnaire automation tools, digital workflow management tools, data visualization tools, cyber risk scoring solutions, vendor risk assessment exchanges, and more. These offerings are not mutually exclusive and many of the capabilities compliment and support one another.

Some examples of ways in which technology can be applied to healthcare vendor risk management (VRM) programs include:

• Facilitating efficient exchange of assessment data and supporting evidence (e.g. via automated vendor questionnaire technology)
• Automated risk scoring, vendor tiering, and decision support
• Risk findings tracking and remediation capabilities (e.g. risk registers)
• Workflow automation
• Automated exchange and reuse of vendor risk data and assessments already conducted for your peers in the industry
• Integration with your other risk management programs and systems outside VRM (e.g. GRC solutions)
• Reporting and data visualization

CORL has developed an innovative tech-enabled managed service for vendor risk management (VRM) that provides a combination of tools, processes, and managed service support to optimize VRM programs from end-to-end.

CORL conducts validated vendor risk assessments and follows through with vendors until they remediate known critical gaps. We also have a healthcare vendor risk clearinghouse platform that maps vendor assessment responses to the specific questions and criteria that each healthcare entity wants to see. Our solution saves time for the vendor to avoid answering the same questions over and over again and allows healthcare organizations to almost instantly clear their vendors for security purposes.

Refer to the following resources for additional guidance on this topic of vendor risk management tools:

• Selecting the Right Technology for Your Third-Party Risk Management Program
• The Power of Existing Data for Vendor Risk Assessments
• Orchestrating a Vendor Risk Management Symphony
• CORL’s Vendor Risk Management (VRM) Solution Gets Results

---

What are the leading practices for high-performing vendor risk management (VRM) programs?

High-performing vendor risk management programs typically include a combination of the following activities:

• Investing in the third-party vendor risk management program, leadership, and team
• Updating vendor inventories and tiering vendors for prioritization based on criticality, impact, and compliance exposure
• Prioritizing vendors for assessment and remediation
• Reporting on vendor risk across the entire vendor portfolio
• Driving and tracking remediation activity from the vendor over time
• Validating controls and gaining assurance via assessment and audit rigor (including vendor risk assessments and industry-standard security certifications)
• Tracking key performance indicators (KPIs), key risk indicators (KRIs), and service level agreements (SLA) metrics on VRM program performance
• Incorporating vendors into incident response simulation exercises
• Preparing and practicing a communication plan to customers for supply chain incidents
• Monitoring and complying with emerging supply chain regulations and standards
• Automating third-party risk management processes

CORL’s customer base leverages the following best practices developed from our experience managing and delivering hundreds of VRM programs:

Data Reuse and VRM Assessment Exchange

• CORL has already assessed over 80,000 healthcare vendors
• Assessment data reuse delivers rapid assessment turnarounds
• Validated vendor risk assessment data provides risk results that you can trust without further follow up with vendors

Automation

• CORL’s vendor portal and automated workflow accelerate assessment data collection, analysis, and reporting
• Automation allows CORL to scale assessments to cover your full vendor portfolio

Workflow & Process

• CORL’s inherent risk intelligence for vendor types, tiering and prioritization, and remediation follow up accelerate vendor risk management cycles

Technology Integration

• CORL integrates with technology solutions including GRC platforms, scorecards, and other solutions to get the right information in the right format to drive quick risk decisions

Managed Services

• CORL’s elite team of specialized vendor risk management (VRM) professionals get results in rapidly assessing vendors and driving them to remediate known risks
• CORL delivers best practices for vendor risk management that are optimized for speed and efficiency

Refer to the following resources for additional guidance on this topic of leading practices for vendor risk management programs:

• Partner Perspective: Health Systems Need New Approach to Managing Threat Posed by Third-Party Vendors
• Webinar Replay: Data is King | The Power of Vendor Risk Data & Analytics
• Infographic: The Need for Speed in Vendor Risk Assessments

---

How do healthcare organizations drive and track remediation for vendor security risks?

Collecting vendor risk data and information is only one part of the healthcare vendor risk management (VRM) equation. Ultimately, organizations must drive third-party vendors to remediate the issues identified in risk assessments. Otherwise, third-party risk management teams end up just pushing paper around at the end of the day via vendor questionnaire processes while risk exposures remain unresolved.

It is important to prioritize which areas require vendors to commit to remediation and identify specific timeframes for that remediation to occur. For example, it may not be feasible or reasonable to require vendors to have high maturity ratings in every single NIST 800-53 control, as there are hundreds of controls in that framework. Some organizations review a subset of critical controls such as the vendor’s vulnerability management and patching program, their penetration testing results, and their incident response plans. These critical control areas can serve as leading indicators of the vendor’s cybersecurity program maturity. These are also the areas that can help combat ransomware and other prominent cybersecurity threats.

CORL’s VRM technology and processes allow us to maintain accountability for vendors by following up to make sure they meet their commitments for remediation. The advantage of our position is that vendors can’t shrug us off very easily. We keep coming back to them over and over again on behalf of dozens of their customers. We use our scale to create leverage and compel vendors to reduce risk measurably. We meticulously track and hound vendors to report back on remediation commitments to hold vendors accountable for risk mitigation.

Refer to the following resource for additional guidance on this topic of leading practices for tracking vendor remediation for healthcare vendor risk management programs:

• Finishing the Job: The Importance of Validation & Remediation in VRM

---

How can I find out which healthcare vendors have been breached recently?

CORL releases a recurring blog that highlights healthcare vendors that have been breached. The recurring blog is called Keeping Up with CORL: Vendor Breach Digest and is available on CORL’s Blog Page and CORL’s Resource Center.

Refer to the following resources for additional guidance on this topic of healthcare vendor breaches:

• Webinar Replay: Weakest Links in the Supply Chain | Healthcare Vendor Breach Review
• Keep Up with CORL: Vendor Breach Digest
• CyberPHIx Healthcare Cybersecurity Podcast

---

Who is typically accountable for vendor risk management within and outside of healthcare organizations?

Vendor risk management is a shared responsibility that requires accountability and coordination across multiple organizations including businesses, third- and fourth-party vendors, regulators, and others. Here is CORL’s take on the relative accountability, in priority order from most accountable to least accountable entities:

1.  The Business | The business whose systems and information were breached ultimately must live with the repercussions of the incident including business disruption, financial impacts, reputational damage, loss of customer trust, and more. The buck stops with the business. Finger pointing and blame do very little to mitigate the material impacts to the business following large-scale third-party vendor breaches. Customers are also most likely to hold the brand of the business accountable for breaches rather than take the time to understand the nuances of a complicated supply chain sourced breach event.

Executives must invest in robust security and compliance programs that go above and beyond minimal regulatory obligations and actively manage cyber risks for the enterprise. This includes hiring information security leadership and teams, compliance teams, and routinely assessing validating the effectiveness of cyber risk programs. Such investments must also include third-party risk management programs that scale to evaluate and manage risk across the full vendor portfolio.

2.  Third-Party Vendors (a.k.a Supply Chain Vendors) | Third-party organizations have an obligation to safeguard the products and services they deliver to the marketplace. If you have established a B2B business that services multiple businesses that depend upon your services or products to operate, then you inherently have assumed the responsibility to understand and manage cyber risks on their behalf.

Supply chain vendors must proactively build cyber and risk management programs and validate their effectiveness on a routine basis via assessments, security certifications, penetration tests, and other security control implementations. An erosion of trust in cyber risk can ultimately lead to an erosion of trust with your business overall in the market.

3.  Government Entities | Governments have an obligation to intervene in cases where state-sponsored or supported attacks attack critical infrastructure that may impact national security or the stability of major economic markets. Such intervention may include diplomatic pressure, sanctions, and even counter attacks in the event that attacks remain unchecked over time.

Governments also have a powerful lever at their disposal in the form of regulations. Regulatory requirements and related enforcement can go a long way to inducing proactive and preventative security control measures by organizations to secure their systems and those of their third-party suppliers. There are a flurry of regulations being cooked up to address supply chain risk; you can learn more about these in our related blog post: Regs on the Radar: Emerging Supply Chain Regulations & Standards.

4.  Standards Bodies | Organizations that provide standards and guidance for the industry to effectively manage supply chain risks play an important role in getting everyone on the same page and driving the implementation of leading practices. Organizations like the National Institute of Standards and Technology (NIST), the HITRUST Alliance, US Cyber Security and Infrastructure Security Agency (CISA), and others have updated their frameworks and guidance to include third-party vendor risk management.

5.  Customers | It may sound like a bold claim, but customers are becoming increasingly aware of cyber risks and will apply purchasing pressures on businesses to safeguard their information. Businesses that cannot consistently maintain operations or safeguard information are likely to see their customers pursue alternative options from competing organizations.

Refer to the following resources for additional guidance on this topic of accountability for healthcare vendor risk management programs:

• Who is Accountable for Supply Chain Risk?
• Podcast: Who is Responsible for Securing the Supply Chain? Managing Liability for Supply Chain Attacks

---

What regulations and standards are applicable for healthcare vendor risk management (VRM)?

The regulatory and standards space around third-party vendor risk management (VRM) is evolving rapidly. Here are some examples of regulations and standards applicable for VRM programs:

• US Executive Orders: Executive Order on America’s Supply Chains and Improving the Nation’s Cybersecurity – introduced by President Biden to increase resiliency in US supply chains, including mitigating foreign cyber-attacks
• Homeland Security Cybersecurity Bills: of 13 Homeland Security bills passed in July 2021, 3 focused on bolstering the cybersecurity of state and local government networks in response to ransomware and other cyber attacks
• President Biden’s 2021 Budget for Cybersecurity: increased budget over 2020 includes $1.2B more for Civilian department and $750M for SolarWinds attach response
• Bipartisan Data Privacy Bill (Draft): bipartisan bill drafted to reintroduce the Social Media Privacy Protection and Consumer Rights Act, forcing tech companies to grant users greater control over their data
• GDPR Directive on Supply Chain Risk: building on GDPR’s initial focus on data protection, recent expansion put accountability on companies to ensure that their full supply chain is GDPR compliant
• UN Cybersecurity Rules, Norms, and Principles for Responsible State Behavior: guidance by the UN to Member States on cybersecurity and threats in the context of international security
• NIST 800-53 Rev 5: a new Supply Chain Risk Management (SCRM) control family integrates vendor risk management aspects throughout the other control families to help protect system components, products, and services that are part of critical systems and infrastructures
• CISA: the US Cyber Security and Infrastructure Security Agency (CISA) released a report that provides guidance for addressing third-party vendor risk management. The report is titled Defending Against Software Supply Chain Attacks and provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Security Chain Supply Chain Risk Management Framework, or C-SCRM and the Secure Software Development Framework (SSDF) to identify, assess and mitigate software supply chain risks

Refer to the following resources for additional guidance on this topic of regulations and standards for vendor risk management (VRM) programs:

• Infographic: Supply Chain Rocks! New Bills and Regulations Emerge
• Regs on the Radar: Emerging Supply Chain Regulations & Standards
• Defending Against Software Supply Chain Attacks, CISA and the National Institute of Standards and Technology (NIST)
• America’s Supply Chains: A Presidential Document by the Executive Office of the President
• Improving the Nation’s Cybersecurity: A Presidential Document by the Executive Office of the President

---

What legal exposures do healthcare entities have related to their vendor risk management programs and what are legal best practices for third-party vendor risk management programs?

Refer to the previous question for details of new regulations around vendor risk management.

The Office for Civil Rights (OCR) has indicated its intended ramping up of focus on cybersecurity issues and non-compliance enforcement. OCR also has authority to take enforcement action against business associates of covered entities for various requirements and prohibitions in the HIPAA Security Rule.

Leading practices for managing legal exposure related to vendor risk management include:

• Update contracts with vendors to include security requirements
• Define specific Service Level Agreements (SLAs) and include in contracts
• Require cyber liability coverage for all vendors
• Define breach notification requirements and communication expectations for breach events
• Require small vendors to carry cyber liability coverage of at least $2M-$5M
• Include right to audit clauses and penalty clauses in contracts
• Implement tracking of vendor compliance with SLAs and conduct routine audits
• Encourage or require vendors to obtain a security certification such as HITRUST, ISO, & SOC 2; set a timeline for certification (e.g., 12-24 months)
• Define an exit strategy: include contract requirements for data destruction and return upon termination
• Encourage or require vendors to provide a third-party penetration test
• Require vendors to notify your organization as remediation items are completed or addressed
• Require proactive reporting if there are any changes in the vendor risk profile including breach events
• Include contract requirements for business continuity and disaster recovery timelines and SLAs
• Identify and require routing reporting of subcontractors and fourth parties that will access to your data
• Maintain an inventory of vendors in scope for regulatory requirements (e.g., identify HIPAA business associates and update BAAs)
• Review merger and acquisition clauses in vendor contracts
• Define confidentiality provisions in vendor contracts
• Maintain vendor contracts in a centralized location

Refer to the following resources for additional guidance on this topic of legal exposures related to healthcare vendor risk management (VRM) programs:

• Infographic: Legal Defense Against the Dark Arts: Battling Supply Chain Breaches
• Healthcare’s Gamble with Business Associate Breach Risks
• Legal Accountability Mounts for Supply Chain Breaches
• Webinar Replay: Proposed Modifications to the HIPAA Privacy Rule | Key Points and Lessons Learned from History
• Podcast: Who is Responsible for Securing the Supply Chain? Managing Liability for Supply Chain Attacks

---

What are best practices for communication with third parties for vendor risk management (VRM) programs?

Leading communication practices for vendor risk management (VRM) programs include:

• Gather implementation and scope details before launching the assessment (what product, who is the business owner, what department, etc.)
• Establish a support model and communication plan for questionnaire clarifications and bi-directional communication
• Set expectations up front with all parties, what is the process, what’s required, how long will it take, etc.
• Educate and gain buy-in from stakeholders before launching assessments
• Have business owners inform vendors up front of the risk team’s role and importance
• Engage business owners in the assessment process from the get-go
• Set realistic timeframes for assessment responses (e.g. 12-15 business days)
• Calibrate your approach based on the vendor’s program maturity (e.g. a phone call vs a 500-point questionnaire for very small vendors)
• Establish escalation points and alternative communication beyond email (e.g. direct phone numbers, chat platforms, etc.)
• Establish secure communication model and tech up front to exchange sensitive information
• Have several assessment types and models (e.g. cloud assessment, med device assessment)
• Establish routine reporting for stakeholders
• Keep business owners in the loop; escalate when necessary
• Establish a mechanism for tracking and responding to vendor feedback and questions about the process
• Create user-friendly documentation and tools that is straightforward to navigate, understand, and process in business terms
• CORL Customers: leverage CORL’s existing relationships with vendors to find the right contact
• Be transparent about constraints
• Establish professional, courteous, and even friendly communication outreach language for vendors

Refer to the following resources for additional guidance on this topic of leading communication practices for vendor risk management (VRM) programs:

• Webinar Replay: We Are the Supply Chain | Managing & Communicating Cyber Risk to Customers
• Everyone Wins | The Case for Collaboration with Vendors

---

What differentiates CORL Technologies from other healthcare vendor risk management (VRM) solutions?

CORL is a leading provider of tech-enabled managed services for vendor risk management and compliance for healthcare organizations. CORL gets results by scaling organizational and vendor risk management programs through our healthcare vendor clearinghouse, dashboard reporting that business owners can understand, and proven workflows that drive the organization to measurable risk reduction.

Here at CORL, we manage third-party risk programs for hundreds of healthcare organizations, and we have learned over the years that the current models for vendor risk assessments cannot scale to meet the challenge we now face to effectively mitigate the risks that vendors pose for us.

We have assessed over 80,000 healthcare vendors and validated their security posture. We have developed technology that allows us to rapidly share and reuse that data across healthcare organizations so we can get away from every single health system assessing every single vendor. This is a burden on both healthcare entities and their vendors.

We have developed a tech-enabled managed service that conducts validated vendor risk assessments and follows through with vendors until they remediate known critical gaps. We also have a healthcare vendor risk clearinghouse platform that maps vendor assessment responses to the specific questions and criteria that each healthcare entity wants to see. Our solution saves time for the vendor to avoid answering the same questions over and over again and allows healthcare organizations to almost instantly clear their vendors for security purposes.

Refer to the following resources for additional guidance on this topic:

• Infographic: The Need for Speed in Vendor Risk Assessments
• CORL’s Vendor Risk Management (VRM) Solution Gets Results
• The Power of Existing Data for Vendor Risk Assessments

---

Which security certifications are most commonly adopted by third-party vendors or required by healthcare entities?

The most commonly adopted security certifications for third-party vendors servicing the healthcare industry include:

• SOC 2 Type II
• HITRUST
• ISO

Refer to the following resources for additional guidance on this topic of healthcare security certifications used to support vendor risk management (VRM) programs:

• Got Certs? The Pros and Cons of Enterprise Security Certifications
• Winds of Change: SOC 2 & Securing the Supply Chain

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results and lowers third-party vendor risks.

---

About the Author