Vendor partnerships are a critical part of how healthcare organizations operate. But they’re not without risk. In 2024, nearly one-third (30%) of data breaches involved a third party, twice the share of the year prior, according to Verizon’s latest Data Breach Investigations Report (DBIR).
The risk is even more critical in the healthcare space, where we’re not just protecting business operations—we’re protecting patient data, medical devices, and even life-saving services. That means vendor security isn’t just an IT issue—it’s a patient safety issue.
Third parties represent an open attack vector. Even if your internal environment is highly secure, a single vulnerable vendor can serve as a direct line into your systems.
For example, in December 2021, a ransomware attack targeted Eye Care Leaders, an electronic medical record (EMR) platform for eye care practices. Some 3.7 million patient records were impacted, making it the largest healthcare breach of that year. The attackers deleted configuration files and databases, and the true extent of the breach is still unknown. The company paid more than $4 million in settlements to patients and providers.
Less than one year later, in April 2022, OneTouchPoint, a third-party printing and mailing vendor, discovered unauthorized access to its systems. According to reports, the breach affected more than 2.6 million individuals and dozens of healthcare providers, including Anthem, Kaiser Permanente, and Blue Cross. The compromised data included patient names, addresses, medical records, test results, and more. Lawsuits are still pending.
These cases underscore the importance of creating and implementing a sound plan for vendor risk management. Taking a structured, methodical approach allows you to implement appropriate controls to safeguard protected health information (PHI), ensure compliance with cybersecurity standards and laws like HIPAA, and maintain operational resilience.
So, where do we start?
The first step is to break vendors into tiers based on their level of risk. Not all vendors are created equal, and with limited resources, we have to prioritize where we focus our energy.
When tiering vendors, consider:
Third-party vendors that your organization might work with include:
Examples of low-risk vendors include those that do not support core functions and have little to no access to internal systems or customer data, such as external marketing firms. On the other hand, a high-risk vendor, such as a cloud service provider, might be deeply embedded in your operations and have access to sensitive data or critical services.
Risk-based tiering allows you to allocate resources more effectively and creates clarity on how to manage vendors depending on their impact. To determine which vendors fall into which tier, ask questions like:
During onboarding, conduct a risk assessment to evaluate access levels, data sensitivity, and service criticality. This process will help determine which steps to take to mitigate vendor risk.
Once vendors are tiered, use that information to guide your actions. Start by conducting a risk assessment as part of your vendor onboarding process. That should include requesting detailed security documentation and reviewing compliance reports and certifications such as SOC 2, ISO 27001, and HITRUST. After all, if your organization is pursuing compliance attestations like these, your vendors should be held to a similar standard.
When evaluating these reports, consider:
Ask follow-up questions if something looks off or if the report scope doesn’t match your risk profile. Look for red flags like outdated audits, vague questionnaire responses, or incomplete documentation.
This isn’t about mistrusting vendors. It’s about building transparent, accountable partnerships where both sides are committed to security.
This also means looking inward. Are you fulfilling your responsibilities under shared agreements or SLAs? Are you tracking your side of the controls? Clear documentation and mutual alignment go a long way in reducing misunderstandings and mitigating risk.
Finally, remember that a SOC 2 report or ISO 27001 certification is only a snapshot in time. Especially for high-risk vendors, commit to continuous monitoring to ensure they’re maintaining and improving their security posture.
No matter how well you assess risk, incidents are inevitable. That’s why you need a vendor-specific incident response plan in place.
This plan should cover:
When something happens, you don’t want to be scrambling. A clear, documented plan helps you move quickly and effectively.
As you’re creating your vendor risk management plan, several frameworks can help guide you and your team:
HIPAA remains a foundational regulation, especially for vendor relationships and partnership agreements—and the law is about to change significantly for the first time in over a decade. Some of the proposed updates include:
These updates will help align HIPAA with today’s threat landscape and push the industry toward a more security-focused culture. But HIPAA can’t be your only reference point. The way we think about security has changed dramatically since the original HIPAA Security Rule was written, which is why other frameworks also serve an important role.
SOC 2 is based on the AICPA’s trust services criteria and evaluates controls around security, availability, confidentiality, processing integrity, and privacy. There are two types of SOC 2 reports: Type 1 reports assess controls at a point in time, and Type 2 reports evaluate controls over a period of time.
SOC 2 is helpful, but remember that it’s not a certification. When reading over the reports, look for scope, exceptions, and how many controls were actually tested. Just because a vendor has a SOC 2 report doesn’t mean they’re secure. The report is just one data point. It should inform your decisions—not replace them.
ISO 27001 is an international certification for establishing, operating, monitoring, and improving an information security management system (ISMS).
ISO 27001 certifications are valid for three years with annual surveillance audits, which help ensure vendors follow a continuous improvement cycle. They also cover a broader scope than SOC 2 reports, and are better suited for an international audience.
HITRUST is widely used in the healthcare space and provides a comprehensive, threat-adaptive framework that is updated more frequently than SOC 2 or ISO 27001. The framework offers three assurance levels (e1, i1, and r2), which gives organizations of all sizes greater flexibility in choosing the level of assurance they need.
HITRUST combines the strengths of SOC 2 and ISO 27001 while allowing for guided remediation, which is especially valuable in complex vendor relationships.
The most important thing to remember is that vendor risk is your risk. Managing that risk requires smart, proactive planning. The stronger your vendor risk management program is, the more resilient your organization will be.
Ready to strengthen your vendor risk management program? Contact our team today for a free consultation.
As a senior manager of BARR’s attest services practice and head of BARR’s healthcare services, Steve Ryan works closely with organizations in the healthcare industry to identify and mitigate cybersecurity threats by planning and executing risk assessments and audits against frameworks including HITRUST, NIST SP 800-53, PCI DSS, SOC 1, and SOC 2. Steve is an ISO 27001 Lead Auditor, a Certified Information Systems Auditor (CISA), and a HITRUST Certified CSF Practitioner.