Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Vendor Risk Assessments on a Medical Device Manufacturer

3 min read
Featured Image

Medtronic's medical device manufacturer provides an array of innovative technologies that improve patient lives. With MiniMed Paradigm insulin pumps, people with diabetes can control blood sugar levels automatically, which is why thousands of people use them. However, were the patients the only ones using them?

According to an article by Bill Toulas, published by Bleeping Computer in October 2021, two types of remote controllers used with the Medtronic MiniMed 508 and the Paradigm family of insulin pumps were sold to U.S. patients between 1999 and 2018. In 2019, Medtronic and the Federal Drug Administration (FDA) issued a warning to patients that these remote controllers connected via wireless communication – could be hacked, and a dangerous amount of too much or too little insulin could be administered. At this time, Medtronic and the FDA announced plans for a nationwide recall program.

However, it wasn't until October of 2021 that Medtronic sent letters to patients providing specific instructions on recalling these devices and what patients needed to do to obtain replacements. In other words, despite being unpatched since 1999, these devices remain in patients' hands, posing a life-threatening risk.

Such a case scenario brings to light the fact that medical device manufacturers have been so eager to deliver medical devices to hospitals, clinics, health systems, and their patients that little regard for device security in the physical and software production of these devices has been taken in consideration. Furthermore, routine patching of found vulnerabilities is a moot activity as long as the devices continue to work without knowledge of exploits. And, it's not just vulnerabilities in wireless device communications that have threatened patient lives. Devices running on outdated software versions, such as Windows 7, threaten patient safety. Devices containing hardware or software components created by foreign nation-state hackers to maintain backdoors and persistent Command and Control operations to exfiltrate PHI or sensitive data. Or, even worse – install ransomware.

vendor risk assessments healthcare

3 Tips for Vendor Risk Assessments on a Medical Device Manufacturer

What does a healthcare organization do to ensure a medical device manufacturer applies routine patches and updates to their devices? It all starts with a vendor risk assessment.

Here are 3 things to keep in mind:

  1. The scope of the vendor risk assessment should include not just the device itself, but also the security practices of the vendor as a company.
  2. A review of the vendor's internal patch management policies and vulnerability scans for the device should be part of the assessment.
  3. A healthcare organization needs to document the service level agreements (SLAs) the vendor will use for providing patches to found vulnerabilities or for providing routine updates to outdated components. Suppose the vendor's usual SLAs aren't acceptable per a healthcare organization's own patch management practices. In that case, those SLAs should be updated and written into the vendor contract before completing the purchase or renewal.

It's becoming more common for manufacturers to create a Software Bill of Materials (SBOMs) for their devices to help determine whether there are any vulnerabilities in the software components. SBOMs are essentially the list of ingredients for a medical device, detailing what versions of open-source code or proprietary applications were used to create the device. This list of ingredients can be compared with a vulnerability database, such as the National Vulnerabilities Database, to identify which software component versions have vulnerabilities. When vulnerabilities are found, a healthcare organization can notify the manufacturer and request the patch or an updated device version.

Medical devices, such as the Medtronic MiniMed 508 and the Paradigm family of insulin pumps, have revolutionized the world of healthcare and, without a doubt, have made patient lives better. However, medical devices are technologies that need security controls applied to them, just like a laptop or mobile phone. The importance of understanding how to conduct a vendor risk assessment, as well as what to expect from vendor service level agreements, should be a top priority for any healthcare organization.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo