In today’s busy world, many organizations find themselves outsourcing work to a large number of outside vendors. While in theory this can be a beneficial move (less headache internally, more time for your staff to dedicate to other areas, organizational cost savings, etc.), there is an increasing amount of risk when entrusting this work to a third party.

Our team at ComplyAssistant is proud to offer a variety of Vendor Risk Management services that will help you and your staff devote the resources needed to ensure your business associates (BAs) are working with your best interests in mind. While there are many components that go into this, our main priority is to help you help your business. Our clients understand the investment involved in managing risk and also recognize its importance when it comes to the patient-physician relationship, continuity of care, revenue cycle management, and other factors that are critical when running a health system of any size.

Read more about our offerings below and/or set up a consultation today. We’re here for you.

Measure Inherent Risk

One component of our Vendor Risk Management service is evaluating third-party vendors for inherent risk. This is essentially saying, “If this vendor has a breach or ransomware attack, what kind of impact would it have on our organization?”

To do this, we look at the vendor’s scope of service as it relates to any sensitive data required to complete their assigned task, such as PHI/ePHI. Based on the level of access required and what the vendor does with this data (stores/hosts, accesses, uses, discloses and/or transmits), an inherent risk level of low, medium, or high is determined.

The inherent risk level is assessed before any of the vendor’s safeguards are considered, so it reflects exposure rather than how well the vendor is protected. It is important because it allows you to focus on the most critical vendors first.

Administer Third-Party Cybersecurity Questionnaires

The best way to determine if your vendor is meeting expectations is to have them answer a pointed questionnaire covering industry-standard requirements and the cybersecurity controls needed to protect sensitive data. ComplyAssistant has the flexibility to tailor questionnaires to whatever area of compliance you’re trying to align with, including HIPAA, HICP, and NIST, to name a few. Some of the questions include:

  • Has the organization implemented any technologies that provide the sandboxing of email attachments and URLs?
  • Has the organization experienced a security or privacy breach within the last three (3) years affecting more than 500 individuals? If so, describe the breach and remediation efforts.
  • Has the organization been impacted by any of the recently publicized supply-chain related malware attacks?
  • Does your organization have an SSAE 18 SOC 2 report and/or other attestation documentation from all software vendors that remotely host electronic protected health information on its behalf?

Residual Risk

Once the inherent risk is evaluated and the third party has completed their assigned questionnaire (including answers, notes, and evidence documentation), our team gets to work evaluating the third party’s controls. Controls are intended to reduce the likelihood or impact of an unwanted event within the third-party organization, such as a data breach or ransomware attack. Residual risk is what remains of the inherent risk after those controls are taken into account, and only controls that are backed by evidence should be credited.

There are two types of controls that we commonly use to evaluate vendors: technical (IT) and administrative controls. Common evidence of technical controls includes a SOC 2 report for remotely hosted data centers; common evidence of administrative controls includes documented policies and procedures aligned to frameworks such as HIPAA, NIST, or HICP.

Based on our findings, our team is able to propose recommended action items and next steps for the vendor to take to ensure they’re adequately protecting your data.
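The following is an added illustration of the workflow described in the Measure Inherent Risk and Residual Risk sections above. It is example code written for this page, not ComplyAssistant’s methodology or tooling: the tiering rules, the question weights, the coverage thresholds, and the sample vendors are all assumptions chosen to show the mechanics (inherent tier from data handling, credit only for answers backed by evidence, residual tier and action items derived from the gaps, vendors ordered so the riskiest are worked first).

```python
"""Illustrative vendor risk scoring (added example, not ComplyAssistant's model).

Inherent tier  : driven by what the vendor does with sensitive data (PHI/ePHI).
Control credit : a questionnaire answer counts only if it is 'yes' AND has evidence.
Residual tier  : inherent tier stepped down according to weighted control coverage.
All rules, weights and thresholds below are assumptions for demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

TIERS = ["low", "medium", "high"]  # index order is used for arithmetic

# Assumed exposure classes: rate the vendor on the most exposed thing it does.
HIGH_EXPOSURE = {"stores_hosts", "discloses"}
MEDIUM_EXPOSURE = {"accesses", "uses", "transmits"}


@dataclass
class Question:
    qid: str
    text: str
    weight: int  # assumed relative importance of the control asked about


@dataclass
class Answer:
    yes: bool
    evidence: Optional[str] = None  # e.g. a report filename; None = unsupported claim


@dataclass
class Vendor:
    name: str
    sensitive_data: bool                       # does the engagement involve PHI/ePHI?
    handling: set = field(default_factory=set) # subset of the exposure keys above
    answers: dict = field(default_factory=dict)  # qid -> Answer


def inherent_tier(v: Vendor) -> str:
    """Impact if this vendor were breached, judged before any controls."""
    if not v.sensitive_data or not v.handling:
        return "low"
    if v.handling & HIGH_EXPOSURE:
        return "high"
    if v.handling & MEDIUM_EXPOSURE:
        return "medium"
    return "low"


def control_coverage(v: Vendor, questions: list) -> float:
    """Weighted fraction of controls credited; 'yes' without evidence earns nothing."""
    total = sum(q.weight for q in questions)
    credited = 0
    for q in questions:
        a = v.answers.get(q.qid)
        if a is not None and a.yes and a.evidence:
            credited += q.weight
    return credited / total if total else 0.0


def residual_tier(v: Vendor, questions: list) -> str:
    """Inherent tier reduced by control coverage (assumed thresholds)."""
    idx = TIERS.index(inherent_tier(v))
    cov = control_coverage(v, questions)
    step_down = 2 if cov >= 0.9 else 1 if cov >= 0.6 else 0
    return TIERS[max(0, idx - step_down)]


def action_items(v: Vendor, questions: list) -> list:
    """Recommended next steps: one item per control that was not credited."""
    items = []
    for q in questions:
        a = v.answers.get(q.qid)
        if a is None or not a.yes:
            items.append(f"Implement: {q.text}")
        elif not a.evidence:
            items.append(f"Provide evidence for: {q.text}")
    return items


def prioritize(vendors: list, questions: list) -> list:
    """Highest residual risk first; ties broken by inherent risk."""
    key = lambda v: (TIERS.index(residual_tier(v, questions)), TIERS.index(inherent_tier(v)))
    return sorted(vendors, key=key, reverse=True)


# Constructed questionnaire, paraphrasing the questions listed on this page
# as control statements so that 'yes' always means the control is present.
QUESTIONS = [
    Question("sandbox", "Sandboxing of email attachments and URLs", 1),
    Question("breach", "No breach affecting >500 individuals in 3 years, or documented remediation", 2),
    Question("supply", "Not impacted by publicized supply-chain malware, or remediated", 1),
    Question("soc2", "SSAE 18 SOC 2 report for vendors remotely hosting ePHI", 3),
]

# Constructed sample vendors (not real organizations).
SAMPLE_VENDORS = [
    Vendor("Hosted EHR", True, {"stores_hosts", "transmits"}, {
        "sandbox": Answer(True, "email-gw-config.pdf"),
        "breach": Answer(True, "breach-log-2024.xlsx"),
        "supply": Answer(True, "ir-summary.docx"),
        "soc2": Answer(True),  # claimed, but no report attached -> no credit
    }),
    Vendor("Transcription service", True, {"accesses", "uses"}, {
        "sandbox": Answer(True, "proofpoint-screens.png"),
        "breach": Answer(True, "attestation-letter.pdf"),
        "supply": Answer(True, "attestation-letter.pdf"),
        "soc2": Answer(True, "soc2-type2-2024.pdf"),
    }),
    Vendor("Landscaping", False),  # no sensitive data, no questionnaire returned
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_VENDORS, QUESTIONS):
        print(f"{v.name}: inherent={inherent_tier(v)} residual={residual_tier(v, QUESTIONS)} "
              f"coverage={control_coverage(v, QUESTIONS):.2f} actions={action_items(v, QUESTIONS)}")
```

Running the block prints the hosted EHR vendor first: it stores ePHI (inherent high) and, because its SOC 2 claim has no report behind it, only 4 of 7 weighted points are credited, so the residual tier stays high and the single action item is to obtain the report. The transcription vendor (inherent medium) has full evidence and drops to low.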

Ready for a consultation?
