Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Minimizing the Risk of IoMT Device Vendors in Healthcare

6 min read
Featured Image

The Internet of Medical Things (IoMT) is transforming healthcare. More and more people use these devices to monitor their health remotely, but with this explosion of growth comes new risks that can put patient safety in danger. In the past, regulatory policies and legislation regarding data security and privacy slowed the use of IoMT devices in the healthcare industry, but with the COVID-19 pandemic, approvals were fast-tracked to allow IoMT usage.

The increase in remote medical assistance was triggered by overcrowded health facilities and COVID-19 limits on in-person appointments. The genie is out of the bottle, and the use of IoMT devices is rapidly growing. A 2022 EMR report estimates that over $400 billion will be spent on IoMT devices by 2027, up from $177.64 billion in 2021.

What Is Internet of Medical Things in Healthcare

IoMT is a network of connected devices that can exchange and analyze data over the internet, such as sensors, medical equipment, and diagnostic devices. The use of IoMT-enabled devices offers many benefits to patients, their families, doctors, hospitals, and insurance companies. By leveraging IoMT technology, healthcare providers and patients can improve communication, reduce healthcare costs, and deliver remote treatment. 

internet of medical things vendor risk

The Risks Presented to Healthcare When Using IoMT

There are substantial risks associated with IoMT. Healthcare organizations must be aware of the risks and actively work to monitor and mitigate them. Here are some of the risks involved with IoMT: 

  • Cybersecurity risk – The healthcare sector generates more personal data than any other industry. With so much personal information stored and processed, it should be no surprise that hospitals and other healthcare institutions are popular targets for ransomware attacks. In healthcare, cyberattacks can mean life or death.
  • Regulatory risk – It's also now become a regulatory issue. In October 2023, the U.S. Food & Drug Administration’s (FDA) the Consolidated Appropriations Act will take effect. The regulation bans the sale of any IoMT devices that don’t meet cybersecurity requirements. All new IoMT device applicants must have a plan for how they’ll monitor, identify, and address cybersecurity risks. Security updates and patches must have a regular schedule and all software components used in the devices must be disclosed. 
  • Reputational risk – All it takes is one incident with IoMT devices to damage your patients’ trust. Anything from a data breach, an attack on an IoMT device, or even a hefty regulatory fine can leave your healthcare organization’s reputation in shreds. 

Knowing how to minimize the risks involved with all your IoMT devices and vendors can be overwhelming. That's where third-party risk management can help. 

How Third-Party Risk Management Can Help Reduce IoMT Device Risk

Third-party risk management is the practice of identifying, assessing, managing, and monitoring vendor risks. Organizations that implement and execute third-party risk management properly can avoid unnecessary risks stemming from vendor relationships, including those involving medical equipment and devices. 

Following the third-party risk management lifecycle is the best way to systematically identify and manage vendor risks throughout the duration of the vendor relationship. The lifecycle includes:

  • Onboarding: This includes assessing the vendor’s inherent risk and criticality so you can perform risk-based due diligence. Once you select the vendor, you’ll then begin to draft the contract. 
  • Ongoing: This involves re-assessments, periodic due diligence, monitoring risk and performance, and anything else necessary to stay on top of new or emerging vendor risk brought from outsourcing an IoMT device. 
  • Offboarding: This marks the official end of the vendor relationship and termination of the contract. It’s important to follow your exit place and perform any final third-party risk management activities. 

From risk assessments and due diligence to ongoing performance monitoring, the third-party risk management lifecycle will help your healthcare organization perform the right risk management activities at the right time and in the proper order. 

Tip: A third-party risk management software tool can eliminate cumbersome and inaccurate spreadsheets and help you manage and share relevant information with various stakeholders throughout the third-party risk management lifecycle.


7 Steps to Use Third-Party Risk Management to Reduce the Risk of IoMT

Integrating Internet of Medical Things (IoMT) devices into your existing third-party risk management program should be a priority for your healthcare organization. As IoMT devices become more prevalent in healthcare environments, it’s crucial to recognize their unique risks and vulnerabilities and address them within your overall risk management strategy.

To effectively manage the risks associated with IoMT devices, follow the steps below:

  1. Ensure the third-party risk management policy includes IoMT devices. Work with senior management and the board to review and update your organization's third-party risk management policy to explicitly address IoMT devices, outlining specific requirements and guidelines for assessing and managing the associated risks.
  2. Compile a complete inventory of your organization's IoMT ecosystem. This will likely require some detective work and cross-functional collaboration. Understanding where to look for IoMT vendors will help you prioritize and organize your inventory. According to the type of use and end user, the medical IoMT market can be classified into the following segments:
    • Physiologic monitoring: These devices passively monitor signals originating from the patient's body, including wearable and indigestible devices.
    • Medical treatment: These devices actively participate in patient treatment, such as implantable medical devices (IMDs) and infusion pumps.
    • In-hospital connected: This category includes devices positioned within a hospital environment, like institutional medical devices and surgical robotics.
    • Ambient: These devices support various treatment processes, such as patient identification, movement detection, and sensors.
  3. Perform risk assessments. Conduct comprehensive risk assessments to identify potential vulnerabilities and threats associated with IoMT devices. Consider factors like device functionality, data transmission, interoperability, and potential impact on patient safety. 
    • The International Medical Device Regulators Forum (IMDRF) Software as a Medical Device Working Group has published a possible risk categorization framework for software as a medical device. The recommendations in this document can be useful to identify the risk categories linked to IoMT devices and inform vendor risk assessments. The ISO 14971:2019 also has detailed best practices for creating risk frameworks for IoMT devices.
  4. Assess vendor security practices. Evaluate the security measures implemented by IoMT device vendors, such as encryption, access controls, software patching, and vulnerability management processes, as part of your vendor assessment activities. You’ll also need to ensure that they follow the new FDA guidelines. 
  5. Evaluate data handling procedures. Examine how IoMT vendors handle patient data and ensuring they have appropriate data protection mechanisms in place, including encryption, access controls, and data retention policies.
  6. Implement security controls. Develop and enforce specific security controls tailored to IoMT devices to mitigate identified risks. These controls may include network segmentation, secure configurations, intrusion detection systems, and secure remote access protocols.
  7. Establish monitoring and incident response capabilities. Set up robust monitoring systems to detect anomalies or suspicious activities related to IoMT devices. Also, establish incident response procedures to promptly address and mitigate any security incidents. Review your IoMT vendor’s disaster recovery plans to ensure that they also have a plan to quickly address incidents. 

Due to the rapid adoption of IoMT, cybercriminals are increasingly targeting healthcare organizations. An effective third-party risk management program is essential to creating a healthy and secure IoMT ecosystem. Third-party risk management can help your organization identify current and potential risks and develop plans to mitigate those risks. Third-party risk management processes can also enhance vendor relationships by providing visibility into vendor activities and ensuring compliance with industry standards. 

This can reduce risks, improve efficiency, and minimize costs. Incorporating IoMT devices into your third-party risk management program is vital to avoid unnecessary vendor risk events, protect patient safety, and create a more secure environment.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo