
Cybersecurity in Healthcare: Why Healthcare Providers Need to Vet Outsourced Vendors


As healthcare organizations outsource more products and services from various business associates and third-party vendors, it’s necessary to understand the different types of vendors and ways to identify and mitigate the cybersecurity risks that each vendor presents to your organization. Before you can introduce a product or service into your organization, you need to properly vet your vendors and ensure that their security posture meets your risk tolerance.

Outsourced Vendor Types and Cybersecurity Risk

Recent news of cyberattacks has highlighted the importance of vetting and monitoring your vendors’ security posture, or risk becoming the victim of a third-party data breach. For healthcare organizations, maintaining patient privacy is key.

However, when you trust your vendors to protect your sensitive data, you expose your organization to severe risks. The fact of the matter is that you don’t have control over your vendor’s security controls, so before you purchase a service or integrate a product into your organization, you need to perform a thorough vetting process to ensure that your vendor can defend your information.

Let’s look at the different types of vendors you outsource to and why the vetting process is so important:

Third Parties: As healthcare organizations continue to rely on third parties for key products and services, the vetting process is a must. You need to have a full picture of what your vendor’s controls are and how they will handle your information. How and why is your data accessed? Who will have access? These are all important questions to consider when vetting your third party’s security controls.

Managed Service Providers: When outsourcing products and services, many healthcare organizations turn to Managed Service Providers (MSPs), which are hired to operate a specific service on behalf of the organization. A few examples of MSPs include cloud service providers, patient portal operators, and laboratory or medical testing services.

Fourth Parties: When dealing with your supply chain, you need to also consider your vendor’s vendors, also called fourth parties. It’s important to understand that your fourth parties may provide essential services for your vendors, which affects your organization as well. In certain cases, your fourth parties may even have contact with or access to your sensitive data, so they need to be held accountable and properly vetted for their security posture and compliance. For example, if PHI is involved, fourth parties are held accountable to HIPAA regulations.

Offshore Vendors: Offshore third parties include any vendors whose main operations or a branch of their operations are not located on U.S. soil. Depending on where the offshore provider is located, there may be additional risk in the relationship. Attackers are more active in certain countries, so it’s important to know at which offshore locations a vendor will maintain operations that access, transmit, or store your patient data. If it’s in a location heavily targeted by attackers, extra security controls will need to be implemented.

Independent Contractors: Independent contractors provide specific services or deliverables to your organization and can pose security risks when working remotely or without the proper security measures in place. In these instances, your organization may require the contractor to perform their work on a Virtual Desktop Infrastructure (VDI). A VDI ensures that all work performed is done on your network and stays on your network. Even so, independent contractors need to undergo vendor vetting like any other outsourced vendor, to confirm that they maintain proper security controls of their own.


6 Key Areas of Security and Data Protection When Vetting a Vendor

Outsourced vendors can be key to the success of your organization and to the quality of care you provide your patients. However, a lack of security controls can present great risks to your organization, which you can identify during the vetting process.

Here are several key areas of security and data protection that need to be addressed when vetting an outsourced vendor:

  1. Proof of Controls
    When assessing your vendor, you need to look at what controls the vendor has in place to protect your data. Request proof of their security posture in the form of security certifications, independent audits, or completion of a vendor vetting questionnaire. It’s important to understand that you and your vendors have a shared responsibility when it comes to security and data protection. You will need to know exactly what your responsibilities are and that your information security team can fulfill them. If your team has limited resources and expertise, you may want to consider outsourcing control assessments to industry experts, to ensure that the proof of controls is verified and accurate.
  2. Regulations and Compliance
    Verify that your vendors comply with the necessary regulations. Depending on the products or services, this may mean checking for compliance with HIPAA, PCI DSS, or GDPR (for EU patients). You should also add provisions to vet any fourth parties, including subcontractors, who handle or access your sensitive data, as they’ll need to comply with these regulations as well.
  3. Remote Access to Network
    Your organization needs to verify how and why your vendors access and use your sensitive data. For third parties with remote access, the proper controls need to be implemented to ensure security. These controls include VPNs, multifactor authentication tools, VDIs, and a zero-trust model.
  4. User Access to Applications or Devices
    What controls limit which employees and staff members have access to your organization’s data? Verify what user access controls are applied to the vendor’s applications and devices, such as whether they include multifactor authentication (MFA) and whether a zero-trust model is implemented.
  5. Security Training and Awareness
    Ensure that your vendors effectively educate their staff on security awareness and best practices. This education should include phishing training to help staff identify and report any suspicious activity, as well as training on best practices for using multifactor authentication apps.
  6. Backup and Recovery
    Your vendors need to provide full disclosure as to how your PHI and other sensitive data will be backed up and what encryption methods are used for backing up that data. You should confirm that the vendor performs regular recovery testing to ensure that your data can be recovered from a backup source, and that backup locations comply with regulations such as GDPR.

Vetting your vendors is essential to identifying and managing cybersecurity risks that threaten your organization and your patients. Your team should work to gain as much transparency into your vendors’ security practices as possible before signing a contract and exposing your sensitive information to potential threats.
