
Healthcare Third Parties: What Needs to Be Assessed

Healthcare organizations must decide what to assess when reviewing a third party's risk posture. A security certification may provide sufficient visibility for some organizations, while others may require a questionnaire or due diligence documentation. Depending on the third party and the organization, there may be a variety of assessment options to consider.

Given these options, how do you know what your organization should evaluate? Let's examine what insights the different options provide and how your organization can benefit from them.

Using Security Assurances to Assess Vendors

Your healthcare organization may decide to accept a vendor's security assurance for review as an alternative to requesting a vendor risk questionnaire. A security assurance provides a quick way to understand your vendor's security posture, provided it has been issued by an independent and qualified source. A vendor is only certified when an independent third party reviews its security framework and determines that its maturity level warrants certification.

Several types of security assurances are available to your organization. Your vendor must provide you with a full report or certificate of certification for each assurance.

Different security assurances include:

  • HITRUST Certifications (including the r2 Certification) verify that a third party meets HITRUST Cybersecurity Framework (CSF) requirements. A vendor that meets compliance regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), and has a strong security posture may qualify for this accreditation.
  • ISO 27001:2013 is used to demonstrate a vendor's compliance with information security management requirements. ISO 27001 isn't specific to healthcare, so it doesn't guarantee that a vendor is HIPAA compliant or adheres to the Healthcare Industry Cybersecurity Practices (HICP). However, it can be used to evaluate the security posture of vendors who are not business associates and do not access, transmit, or store protected health information (PHI) for your organization.
  • SOC 2 reports are the most common audit reports used to assess a vendor's security posture. A SOC 2 report is specific to information security and can assess any combination of the five Trust Services Criteria – security, availability, processing integrity, confidentiality, and privacy. Most healthcare organizations require a vendor to provide a SOC 2 report that, at a minimum, covers three of the Trust Services Criteria to ensure the vendor has a solid security posture that addresses compliance regulations such as HIPAA and the General Data Protection Regulation (GDPR).

Since ISO certifications and SOC 2 reports aren't healthcare-specific, vendors handling PHI or payment card (PCI) data may have to provide additional compliance reports. HIPAA compliance reports and PCI DSS reports, such as the Attestation of Compliance (AoC) or Report on Compliance (RoC) issued by a PCI Qualified Security Assessor (QSA), are often included as supporting documentation.

Using Questionnaires to Assess Vendors

If a third party doesn't have security assurances or your organization doesn't accept them, healthcare organizations can also conduct a third-party risk assessment. Using a questionnaire, you can evaluate cybersecurity and information security control frameworks. The controls in these frameworks are the basis for the vendor questionnaire.

When creating the basis for your questionnaire, you should look at standard cybersecurity frameworks such as:
  • HITRUST Cybersecurity Framework (CSF), a healthcare-specific security framework intended for use by HITRUST qualified organizations and HITRUST qualified individuals. Whether you can use the HITRUST framework as the basis of your questionnaire depends on your organization's affiliation with HITRUST.
  • NIST Cybersecurity Framework (CSF), which can be used to group technical controls into one of the framework's five functions – identify, protect, detect, respond, and recover – and to understand a vendor's security posture in general security terms. NIST CSF-based questionnaires may not provide detailed insight into a vendor's security practices relating to privacy or supply chain, or into the controls required by HIPAA, PCI DSS, or GDPR.
  • NIST SP 800-53 rev 5, which the authors consider the only set of security controls that can provide full visibility into a vendor's security posture, as it includes a comprehensive collection of security and privacy controls. Revision 5 also adds three control families that are not included in NIST CSF or HITRUST CSF: privacy risk management, supply chain protections, and cybersecurity program management.
  • CIS Critical Security Controls v8, which provides a good way to check that security hygiene basics are in place when assessing a vendor and can be used as an alternative to other frameworks that may be too detailed. If you're evaluating vendors who are not business associates (that is, who do not have access to sensitive data) but still must demonstrate acceptable security measures, the CIS Controls are a suitable basis.

Depending on your organization’s needs and your vendors, there may be a single questionnaire used for all risk assessments. If several questionnaires are created, each can be based on different frameworks.

Due Diligence Documentation to Verify Vendor Controls

In addition to having your vendor complete a questionnaire, you may want to request due diligence documentation to verify that certain controls are in place. When performing due diligence, your organization should request policies and procedures. These might include independent penetration testing reports, the vendor's use of multifactor authentication (MFA) tools, and employee security awareness training. Your organization should also ask for financial reports to confirm the vendor's financial health, ESG policies, and proof of cybersecurity insurance.

Vendor risk assessments may require your organization to review additional policies and procedures that go beyond information security. Due diligence is key to gaining visibility into the risk that your vendor may present to your organization.

Sample due diligence documents include:
  • Independent penetration tests (both internal and external systems)
  • Multifactor authentication (MFA) requirements
  • Employee security awareness training
  • Business continuity/disaster recovery/resiliency policies and plans
  • Financial reports (including SOC 1 audit reports)
  • ESG policy
  • Cybersecurity insurance

Knowing what to assess during a third-party risk assessment is key to gaining insight into your vendor's security posture and is the first step toward mitigating the risks to your healthcare organization's security. A thorough review of the vendor's security assurances, questionnaire responses, or due diligence documentation is essential for identifying possible risks and understanding the vendor's controls.
