Because Vendor Risk Assessment is essential to managing risk, it should be done early in the vendor approval process.

The Shiny New Object

Hey, that new vendor from Houston is here. I think he's stealing our signs!

A proposed new healthcare product or service is often a thrilling prospect. It is exciting to focus on the performance-improving capabilities and bottom-line impact that a new vendor’s product or service might bring to your organization. You might be thinking, “This will revolutionize how we provide care!” Cost is also paramount. Often there are multiple meetings scheduled with much back-and-forth discussion about the cost, the budget, and the projected return on investment of this shiny new product or service.

Vendor Risk Management Mistake #2

Generally, much less energy is expended in discovering and evaluating the risks and potential vulnerabilities that a new vendor product or service might introduce. This leads to mistake #2: not evaluating the risks vendors introduce early in the approval process. Yet that evaluation is critical, because during the sales process a vendor will rarely volunteer the vulnerabilities its product or service introduces to your organization. Discovering them is your responsibility.

Vendor Risk Evaluation: An Expensive Afterthought

73 percent of organizations have no communication channel between security and contract management
Ponemon study sponsored by F5

Most organizations are not systematically shouldering the responsibility of vendor risk evaluation. According to an August 2017 Ponemon study sponsored by F5, only 27% of IT executives who play the senior information security role for their company “have established a direct communication channel between the organizations’ security program and management responsible for contracts and procurement.” Whether it is intentional or not, security becomes an afterthought. This results in a huge business process gap—and a disastrous mistake—that is very common. A whopping 73% of organizations are routinely dropping the vendor risk evaluation ball.

While it’s natural to focus on that shiny new tool, piece of equipment, or application you have found that solves or helps simplify a problem, vendor risk evaluation needs to be an immediate priority for your organization. Adopt this rule of thumb as a discipline: The discovery of the solution is merely the first step in determining whether you should be incorporating a new product or service dependency in your organization. You must maintain a culture where each new vendor dependency is thoroughly researched, learned about, and scoured for potential vulnerabilities it may bring to your processes. Vendor risk evaluation is something smart organizations are doing that saves time, money, and headaches in the long run.

The Benefits of Early Risk Evaluation

The earlier in the process you can begin to evaluate risk, the better. You need to arm purchasers and key decision-makers in your organization with a readily accessible web page link to the vendor security standards, policies, and best practices you have adopted. Encourage them to share this link early as they begin to converse with potential vendors.

It’s too much to expect your colleagues in other departments to know what questions to ask and how to carry on a conversation about risks and vulnerabilities with potential vendors. For that reason, your web page link should include contact information for designated IT data security or risk management personnel to whom the vendor can reach out if they have questions. Often, sub-standard vendors will opt out of the selection process if they see they can’t meet your requirements.

Before You Select a Vendor

There's some clown here in the lobby...says he is a vendor for I.T.?

It is a vital best practice to have shortlisted vendors answer a reasonably thorough security questionnaire before you choose your final vendor. This way, your organization can better evaluate any risks the vendor’s product or service might introduce.

Some organizations adopt vendor security questionnaires consisting of 250 questions or more. While that might seem like a good practice and suggests a rigorous vetting process, remember this: The more questions you ask, the more answers someone on your team will need to evaluate. You need to strike a balance by selecting enough of the right questions across the appropriate domains to reveal a clear picture of the vulnerabilities a vendor may introduce—and how you can mitigate the risk sufficiently.

Before You Sign a Contract

If you discover any risks or vulnerabilities through this vetting process that you can’t sufficiently address or accept, they need to be addressed by the vendor. Sometimes that means the contract or implementation must be delayed. It may be that the risk you have identified can’t be addressed quickly, but you agree to move ahead with a contract while the issues are resolved over a reasonable period of time. Usually, this is handled in a document called a Plan of Action and Milestones, or POAM. The POAM will identify how the issues will be addressed, and include a timeline with milestones for the implementation of updates to the product or service. It often is an addendum to the contract between the two organizations.

The important thing to know is that it is very difficult to get vendors to agree to address these types of vulnerabilities after the contract has been signed. You will never have more leverage to get vendor cooperation than just before the sale is made! The good news is you don’t have to be like the 73%. You can be part of the 27% who establish a well-exercised channel of communication across your organization to get in front of the contract agreement.


Vulnerabilities also need to be systematically searched for, discovered, persistently tracked, and tested after your new product or service is implemented. You need to periodically assess the risks presented by all your existing products and services, not merely the new ones. Why? Threats are constantly growing and evolving. Vendor products and services are also changing and evolving. Your vendor security assessment from a year or two ago may be obsolete today! And let there be no doubt about it: the assessment from three years ago or more is obsolete. It’s vital that you re-evaluate the risk associated with third-party products and services on a regular basis.

I can almost hear your collective groans. Many of you might be thinking “It’s all we can do to evaluate new vendors. Now we need to do this every 12 or 24 months?” This is a real challenge, but you know it’s the case. More importantly, regulators and auditors know it’s the case. This is where you need to work smarter, not harder.

A technology tool like ConfidentVMS can do just that. Properly implemented in your organization’s workflow, ConfidentVMS can automate vendor risk evaluation and many other security and compliance tasks for you.


Written by: Curtis Jones
With over 25 years of experience leading healthcare information technology companies, Curtis helps leaders at healthcare organizations and their vendors manage their shared risk effectively, efficiently, and cooperatively.

About us: ConfidentVMS helps healthcare organizations reduce by 75% the resources required to lower vendor security risk, increase compliance, and achieve and maintain vendor HIPAA OCR audit readiness. Contact us for more information or to request a demo.
