Practical Strategies for Vendor Risk Management in Healthcare
When it comes to healthcare data breaches, third parties are a well-known culprit. Recent research from Black Kite shows that 41% of third-party breaches in 2024 affected healthcare organizations—the most of any industry.
Yet managing all vendor risk in a healthcare provider’s ecosystem is nearly impossible. A Ponemon Institute report indicated the average hospital works with more than 1,300 vendors. These vendors are vital to delivering patient care and range from cloud storage providers to medical equipment suppliers.
But if any vendor or business associate experiences a breach, the fallout can affect everything from billing systems to life-saving equipment. In this third article on helping midsize healthcare organizations manage breach risks, we’ll discuss why patient data is so vulnerable and offer practical strategies to mitigate third-party risk—even when resources are limited.
Read the first articles in our healthcare series:
• Bridging the Compliance-Data Breach Gap in Healthcare
• Ensuring Patient Care in an Era of Ransomware
Why Patient Data Is Vulnerable—and Valuable
Patient data is a prime target for cybercriminals. It contains rich personal details, medical histories, and financial information that can be exploited for identity theft, insurance fraud, and other crimes. Hospitals share this sensitive data with a wide range of vendors. This interconnectedness broadens the attack surface for threat actors to exploit.
The risks aren’t just theoretical. According to the American Hospital Association (AHA), the now-infamous Change Healthcare cyberattack endangered access to care and disrupted critical operations.
The AHA further noted this cyberattack “demonstrated that the national consequences of cyberattacks targeting mission-critical third-party providers can be even more devastating than when hospitals or health systems are attacked directly.”
Despite increased risk from third parties, many healthcare organizations have ineffective vendor relationships. Business associate agreements (BAAs) may lack clear, enforceable language that defines the consequences if technical requirements, such as data encryption, are not met. In addition, vendor risk assessments are often treated as formalities rather than as critical safeguards.
Strategies to Mitigate Third-Party Risk
Managing third-party risk isn’t about eliminating all risk—it’s about reducing it to an acceptable and manageable level. The following strategies can help midsized healthcare providers protect their data against third-party breach risks, even with limited resources:
Prioritize Critical Vendors
Start by identifying the vendors that are most essential to your operations. While each organization is different, factors such as patient care or revenue could determine priorities. Focus your resources and attention on this critical group rather than trying to monitor every vendor equally. The goal is to ensure these vendors have cybersecurity goals and objectives that align with—or exceed—your organization’s own objectives.
Embed Cybersecurity into Contracts and Business Associate Agreements
Agreements should include clear, actionable cybersecurity requirements. Clearly define and prioritize exactly what security controls are expected and the consequences for failing to comply. Many agreements lack “if-then” language that assigns accountability in the event of a breach. More rigorous cybersecurity provisions in third-party agreements are crucial to mitigating risk.
Conduct Thorough Due Diligence
Before onboarding a vendor, conduct a full risk assessment. Ask open-ended questions designed to uncover hidden risks. This method provides more meaningful insights, which lead to actionable plans to mitigate real threats. Before signing on, your organization can choose to address these risks or accept them—but at least the issues are clearly identified and understood. Without this in-depth evaluation, you risk overlooking critical vulnerabilities.
Implement a Plan of Action and Milestones (POA&M)
Create and maintain a plan of action and milestones for mitigating the vendor risks you’ve identified. A POA&M lists the tasks that need to be completed and details the resources required, the milestones for completing those tasks, and the scheduled dates for reaching each milestone. A POA&M allows you to track remediation efforts over time and ensures that identified issues are followed through, not forgotten.
Integrate Vendors into Your Security Programs
Third-party vendors should be part of your core cybersecurity initiatives. This means including them in your incident response plans, disaster recovery testing, and business continuity planning. Establish clear communication protocols in case of an emergency, and rehearse those protocols as part of your routine preparedness efforts.
Clarify Roles and Responsibilities
Make sure internal and external stakeholders understand who is responsible for vendor risk management within the organization. Cybersecurity roles and responsibilities must be clearly assigned, communicated, and coordinated internally and with the vendor. This alignment helps avoid confusion when responding to threats or vulnerabilities.
Plan for Vendor Offboarding
Risks don’t disappear when a vendor relationship ends. Third-party contracts and business associate agreements should include detailed instructions for returning or destroying data, terminating access, and conducting final security audits. Overlooking these critical activities can leave the door open for future breaches or cyberattacks.
Manage Vendor Risk with Help from Pondurance
Managing a vendor or business associate’s cyber risk can be extra challenging for midsized organizations with limited resources. At Pondurance, we act as an extension of your organization’s security team to help strengthen vendor risk management. We perform in-depth due diligence of critical suppliers before beginning a partnership. Once you’ve signed the agreement, we’ll help identify, assess, and respond to security risks throughout the course of your vendor relationship.
We also work with you to integrate supply chain security into your overall cybersecurity and risk management programs. And we’ll help you remediate gaps with a clear Plan of Action and Milestones (POA&M).
Get Started Now
Third-party risk affects patient care and an organization’s cyber resilience. For midsized healthcare providers, the key is to focus on high-impact areas: prioritize critical vendors, embed strong cybersecurity language into contracts, maintain active oversight, and integrate vendors into your security ecosystem.
With a strategic, resource-conscious approach, even smaller organizations can build vendor risk programs that protect their patients, data, and reputations from new and emerging cyber threats. Contact Pondurance for help with your vendor risk management program today.
Ready to take control of your vendor risk management? Download our ebook, "Practical Cybersecurity: A Roadmap for Your Healthcare Organization", and start strengthening your defenses today!