Healthcare data breaches have attracted a lot of attention over the last few years, and more often than not, those breaches were performed by vendors. According to a latest study conducted by the Ponemon Institute, criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breaches. It also points out that data breaches costs the healthcare industry $6 billion annually, and the average economic impact of data breaches per organization is $2,134,8001. The most important concerns over cyber security for healthcare providers and payers stem from external sources, making external attackers and vendors a top vulnerability.


Moreover, the richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle makes healthcare vulnerable to data breaches. Though healthcare organizations are investing time and effort to mature their vendor governance program, they have a long way to go to improve security measures and reduce risks.


  • Risk Analysis
    Vendors are, in essence, an extension of the organization. Therefore, it is important to understand the risk tolerance and risk appetite of each vendor. Different vendors pose different levels of risk, such as information security risk or reputational risk. These risks need to be assessed and categorized, and vendors need to be ranked accordingly (e.g. high risk, low risk, or moderate risk). This is especially useful when determining appropriate due-diligence processes for each vendor.
  • Contractual Obligations
    With HIPAA and HITECH (and the new HITECH amendment), becoming a lot more stringent, healthcare organizations are doubly obligated to make sure that contracts are spelt out and there is no room for ambiguity. If services are further subcontracted, accountability needs to be clearly documented downstream. Each party needs to state their requirements clearly, along with any additional requests.
  • Due Diligence
    Healthcare organizations that take the time to conduct proper background checks on each vendor are well positioned to build trustworthy relationships. Effective due-diligence requires healthcare payers and providers to collect and analyze data on vendor executives, reputation, government dealings, past convictions, payment accounts, anti-corruption policies, and other significant areas. Additionally, strong policies, training programs, risk assessments, controls, audits, investigations, and timely issue remediation are vital in this regard, and are increasingly being expected by regulators and government authorities. This makes it critical to adopt a comprehensive program for vendor due-diligence and oversight. Organizations with a robust program for vendor due-diligence are able to gather sufficient risk intelligence and insights to mitigate vendor risks and protect their businesses against potential threats.
  • Continuous Monitoring
    While it is important to have a robust vendor due-diligence program, it is equally important to monitor the effectiveness of that program continuously. Continuous monitoring ensures that information gathered during audits, inspections, and other due diligence assessments is up-to-date. While assessment results are helpful in identifying risk during that timeframe, it might not be helpful in verifying and validating it over an extended period of time as new risks, controls, and vulnerabilities emerge. For a new relationship, a quarterly review process would be ideal, and as the vendor relationship strengthens, reviews can be semi-annual or annual.
  • Leveraging Technology
    An integrated technology solution can be extended across the healthcare enterprise to unify all vendor-related processes in a common framework. The technology solution should integrate together components of information management, compliance, risk, audit, performance, and issue remediation for vendors. This kind of integration enables healthcare organizations to collaborate easily with vendors, and gain greater visibility into risks, ethic violations, and issues. Technology can streamline end-to-end vendor due-diligence processes, creating greater accountability, and driving optimal resource utilization. Technology can also link vendors with a product, service, asset, risk, policy, process, or function to detect non-compliance incidents early and proactively work to avoid further damage.



With cyber-attacks via vendors becoming more prevalent, it’s time that healthcare payers and providers focus on building an effective vendor governance program. Though it is a challenge to manage the complex web of vendors, following key best practices, including a thorough risk assessment, due diligence and continuous monitoring of vendor performance, can go a long way in addressing this challenge.

Additionally, adopting a technology solution, allows healthcare providers and payers to further improve their vendor governance and develop effective vendor relationships that improve business relationships and performance.


Ready to get started?

Speak to our experts Let’s talk