Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Phishing for the Vendor Human Factor in Healthcare

3 min read
Featured Image

In January of 2019, Managed Health Services (MHS) of Indiana Health Plan had to announce to approximately 31,000 patients that their personal data had potentially been a part of a data breach. However, MHS didn’t suffer this data breach. One of MHS’s business associates, LCP Transportation, was the victim. The hack was a result of LCP Transportation’s employees responding to phishing emails, which gave a hacker remote access to patient records.

Today, the most common cause of healthcare data breaches are phishing attacks, with rates of attacks increasing significantly since 2021 and doubling since 2020.

The Vendor Human Factor of Phishing Attacks

Experts have stated that phishing attacks are often successful as a result of the human factor in an organization. To properly address the threat of phishing and protect your healthcare organization, you should ensure that you have proper regulations and training in place to train your employees to be aware of phishing attacks.

Here are several recommendations for your organization:

  • Require routine security training and awareness that educates your employees and staff on how to recognize phishing as well as how to report a phishing attack if they encounter one
  • Perform routine phishing simulations that test your employees and staff on a quarterly or monthly basis
  • Ensure that your most privileged users, such as executives and IT administrators, are tested on a more frequent basis

But, what about your vendors? Managed Health Services of Indiana Health Plan was the victim of a third-party data breach because their business associate, LCP Transportation, experienced a successful phishing attack. So, it’s not just your own organization’s staff that needs to have a certain level of phishing training and awareness; it’s that of your vendors too.

vendor human factor phishing

The Importance of Security Training and Awareness

When performing a vendor risk assessment on a business associate or other third party, part of that risk assessment should include a thorough review of the vendor’s Security Training and Awareness policy and procedures. During due diligence, review these policies in detail for phishing training that covers all types of phishing techniques - today, there are many.

Phishing attacks range from email to voice to SMS texting and can target a general group of people as well as specific individuals. Be sure to review if your vendor’s phishing training is performed on a periodic basis as part of an employee’s or staffer’s ongoing security training and awareness.

You should look for how often routine phishing testing simulations are performed and ask the following questions:

  1. Do the third party’s employees receive “test” phishing emails on a quarterly basis? A monthly basis?
  2. How often do their senior executives such as the CEO receive simulated phishing emails to keep them continuously vigilant of phishing attacks?

Answers to these questions should be found in the Security Training and Awareness Policy and Procedures of the business associate or vendor.

A third party’s Security Training and Awareness Policy and Procedures should always be thoroughly scrutinized when conducting a third-party risk assessment. Special attention should be given to how a vendor’s employees and staff are continuously educated and tested to recognize phishing attacks. The standards and procedures a business associate or other third party uses for their own phishing training and awareness directly translates into just how secure your protected health information (PHI) is in that vendor’s environment if the adversary decides to go phishing for the human factor.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo