11 Secrets TPRM Solution Vendors Won’t Tell You

Post Summary
The article reveals 11 secrets third-party risk management (TPRM) solution vendors won’t tell you and explains how healthcare organizations can transform vendor risk management using automation, collaboration, and 100% vendor risk assessments.
Why TPRM matters in healthcare:
- Healthcare organizations rely heavily on third-party vendors, increasing the risk of data breaches and security vulnerabilities.
- Attackers target the weakest links, which can often be low-priority vendors that are not adequately assessed.
- Effective TPRM ensures patient safety, data security, and regulatory compliance.

Key challenges:
- Limited resources, budget, and personnel to manage increasing numbers of vendors.
- Outdated manual processes, which are time-consuming and inefficient.
- Difficulty assessing 100% of vendors, leaving potential vulnerabilities unaddressed.

How automation helps:
- Automation eliminates labor-intensive tasks like manual assessments and follow-ups.
- Enables healthcare organizations to assess and re-assess 100% of vendors efficiently.
- Improves speed, accuracy, and visibility in risk assessment processes.
- Frees up analysts to focus on decision-making and strategic initiatives.

Why assess 100% of vendors:
- Cybercriminals target any and all vendors as potential attack vectors, not just critical ones.
- Risk doesn’t discriminate; even low-risk vendors can introduce vulnerabilities.
- Comprehensive assessments ensure healthcare systems are 100% risk-aware, reducing the attack surface.

Building a more effective program:
- Break down silos across departments to improve collaboration and visibility.
- Use automation tools to streamline workflows and conduct comprehensive vendor assessments.
- Regularly review and adjust processes to identify inefficiencies and implement improvements.
- Train employees to recognize threat vectors and understand their role in cybersecurity.
The operational objective to “do more with less” is more relevant today than ever before. But what does this actually mean?
The healthcare industry has invested more in security programs and tools over the last 10 years. However, as a percentage of IT budgets, health systems are spending a lot less on protecting themselves than other industries. Unfortunately, the attack surface and the sophistication of hackers have both increased. The number of cloud software vendors and network-connected devices continues to rise, as does the health system’s reliance on these third parties to deliver care.
Data breaches cost more than they ever did. IBM just released their data breach report last week and it's a really interesting read. The average breach in healthcare costs over $7,000,000. Stolen medical records cost more per record than any other type of data.
With more connected technology and devices in use at health systems, it’s no surprise that security teams struggle to keep up. There’s more to protect, less personnel to protect it, and not enough time or budget to augment staff. To make matters worse, the recent pandemic has forced most healthcare IT teams to not only secure remote employees, but to operate remotely themselves. High-touch, manual processes such as vendor risk management can no longer operate effectively in this environment. Automation and collaboration tools can help.
At last tally, we counted 40+ software vendors claiming to help CISOs with third-party risk management programs. How can IT leaders sort these options effectively and accurately? How do you ensure that the tool you choose truly enables your team to do more with less?
We’ve captured "11 secrets that your risk vendor won’t tell you" to consider as you evaluate solutions for third-party risk management.
Here are 11 secrets TPRM solution vendors won’t tell you:
- You need to assess 100% of vendors because all of them may put your business at risk
- You’ll only be able to afford to assess critical and high-risk vendors
- Their software is generalized for use by every industry
- Their platform is delivered as a tech-enabled service, but is driven by consultants
- Assessments may be completed on your behalf by offshore contractors
- Their solution is very flexible and as such, requires solutions engineers to customize, configure, and support it, at significant cost
- There is no CISO on-staff, nor do they use their own solution to assess their own products or company’s security risk
- The trust certification you would receive from a vendor may not require an assessment of all controls
- The trust certification you would receive from a vendor being assessed is only good if the product or organization never changes anything at all
- Regardless of whether your vendors supply a testing certificate they obtained, they should always additionally complete a risk assessment questionnaire
- One of the best ways to manage vendor risks to your data is to train your employees about data risk both in your enterprise and in broader cybersecurity terms
What do these “secrets” reveal? They show that in addition to tools for automating work to increase speed, what’s absolutely necessary is a change in process and perspective where the Healthcare Organization (HCO) becomes 100% risk-aware. Prioritization or stratification of risk is inadequate, and even inappropriate, when compared to assessing risk for 100% of vendors. Risk doesn’t discriminate - it finds the weakest path, or attack vector, into your organization, which may be the “low-risk” vendor.
What are other ways you can build a more effective risk management program? In organizations we see improving, the CISO is driving the conversation to remove and break down departmental silos and to encourage collaboration. Involving other departments early and educating them to understand cause and effect for data, financial, and reputational risks when it comes to cybersecurity has proven highly effective.
Not only are these IT departments perceived as a collaborative partner instead of a roadblock, but the efficiency and transformation of the organization is greatly improved in terms of adopting beneficial new technologies. Healthcare is in the very early stages of this transformation. Connecting risk awareness and the desire to adopt technologies across the organization is good for the company. Visibility for every stakeholder ensures they’re both included and understand the ways they can protect enterprise and patient data.
When the CISO demonstrates how reducing risk is a collaborative effort, it increases trust and satisfaction from clinicians, business unit owners, and the board. With interdepartmental support, the board aligns resources, and ultimately processes move faster. Risk is truly a contact sport. It must include more than just the risk analysts.
In this context, how is “more with less” defined in practical terms? Less does not need to be a negative term. When it takes less time to do something or you meet less resistance, those are positives. However, it may mean that you need to complete more risk assessments with fewer employees and fewer dollars on services. This can get in the way of improving overall strategy, hiring, conducting employee training, etc.
A lot of the “problem” with effective and efficient risk management comes from outdated assumptions and approaches. As an industry, we must continually challenge earlier assumptions about how processes, tools, and resources got things done. Why does it take 6-9 months to complete a certification which becomes out-of-date the minute a material change to the vendor’s security posture or product is made? Most vendors surveyed by the Ponemon Group state that these security certifications are outdated within 3 months.
Consider the example of tiering or prioritizing vendor risk assessments based on criticality or effect on the business. This is an artifact left over from a belief it was not possible to assess 100% of vendors. That’s no longer true. It is possible to assess 100% of vendors, and even re-assess them regularly, without adding employees to do the work.
Is there evidence that shows there’s enough time and attention to assess 100% of vendors? Yes, because real automation doesn’t just digitize manual work. That’s not automation, that’s merely digitization. Several of the tasks risk analysts were performing by hand can be done entirely by software. When freed from these manual tasks, analysts can concentrate on decision-making instead of laborious administrative functions such as managing spreadsheets, scoring hundreds of answers to questions, searching through email for information, conducting follow-up calls with vendors, and communicating with clinicians who demand results yesterday.
Not only does true automation process a higher volume of risk assessments, it scores them instantly and more accurately and can even make specific recommendations for remediation steps. The creation of the remediation plans is one thing, but automation should also facilitate back and forth negotiation with the vendor, and tracking the remediation steps to make sure promises are kept. Ultimately, automation should enable organizations to quickly visualize and report on all of these things. The prioritization that occurs today is about addressing the needs of the organization as a whole instead of being about how much of a list of vendors the organization can assess this year.
With automation you can spend more time testing operations and verifying that these critical vendors have the right incident response plans in place. Reclaiming time through automation means you can do tabletop exercises with your key suppliers. You also get time to educate the employee base. Employee training is highly valuable! You can help employees understand what the different threat vectors look like and how to identify vulnerabilities in tools they are using. That education will go a long way to keep everyone vigilant and to know and really understand how to respond when attacks arrive.
Think through the ROI and the cost. Map out what your current workflow looks like. Know the time it takes at each step in the process and evaluate how automation will eliminate those inefficiencies, both directly and indirectly. For example, directly you may streamline workflows, but indirectly you bring more of the people involved into the process and give them more visibility. When the procurement officer and compliance head can see where a vendor is in the process of onboarding, reassessment, or winding down and securing data after a contract is terminated, these are administrative inquiries the IT department no longer needs to field.
Supply chain, procurement, legal, contracting, etcetera are all able to work in concert, sometimes for the first time. This can also give your organization leverage with vendors. Take an example where a low dollar product from a vendor has security holes that the vendor isn’t motivated to fix, but your organization has five products from this vendor. Contracts are up for renewal for the high dollar items, and now you can see the interplay. You can leverage the total value of the relationship to win support from the vendor in plugging security holes with an otherwise low-value product.
Hackers and cybercriminals don’t choose just the “critical” vendors that you’ve prioritized. They use automation to scan the entire attack surface and look at every opportunity to penetrate your data systems. Use your own automation solutions to keep up with the volume of opportunities hackers have. It is guaranteed hackers look at every one of your vendors as an attack vector. You need to find the vulnerabilities before they do. We know no organization is 100% risk-free, but you can become 100% risk-aware.
Technology alone is never going to solve all your problems. You need strategic thinking and best practices that guide your program. Be clear on your program objectives; support from the whole organization is what produces the best relationships with vendors. Review your processes quarterly and make adjustments when you find value in change. And find a solutions partner that is oriented to your industry. Make a checklist for your organization. Many inefficiencies arise when tools are too generic and don’t inherently understand how you need to conduct operations.
The end goal for HCOs is to adopt new technology quickly and safely. This is among the assets you promote to consumers. Cooperation, visibility, and efficiency all lead to better outcomes, both for the organization’s finances and ultimately for patient care.
Do you agree? Send me your thoughts at ceo-blog@censinet.net
Key Points:
What is the main focus of the article?
- The article highlights 11 secrets TPRM solution vendors won’t tell you and provides actionable insights for healthcare organizations to transform their third-party risk management (TPRM) programs.
- It emphasizes the importance of automation, collaboration, and conducting 100% vendor risk assessments to improve efficiency, reduce vulnerabilities, and protect patient data.
Why is third-party risk management (TPRM) critical for healthcare organizations?
- Healthcare organizations rely on third-party vendors for essential services and technologies, which increases the risk of data breaches and security vulnerabilities.
- Cybercriminals target weak links in the supply chain, including low-priority vendors that may not be adequately assessed.
- Effective TPRM ensures patient safety, data security, regulatory compliance, and operational resilience.
What are the key challenges healthcare IT teams face in vendor risk management?
- The number of vendors and network-connected devices continues to grow, increasing the attack surface.
- Limited resources, personnel, and budgets make it difficult to assess all vendors effectively.
- Manual processes are inefficient and time-consuming, delaying risk assessments and vendor onboarding.
- Many organizations still rely on outdated approaches, such as prioritizing only high-risk vendors, which leaves gaps in their security posture.
What are the “11 secrets” TPRM vendors won’t tell you?
- You need to assess 100% of vendors, as all may pose risks.
- Most organizations can only afford to assess critical and high-risk vendors.
- TPRM software is often generalized for multiple industries, not tailored for healthcare.
- Many platforms require extensive customization, increasing costs.
- Assessments may be completed by offshore contractors, raising data security concerns.
- Certifications from vendors may not evaluate all security controls.
- Certifications are only valid if the vendor’s security posture remains unchanged.
- Vendors should complete an additional risk assessment questionnaire, even with certifications.
- Training employees on data risks is essential for mitigating threats.
- Automation is crucial for assessing vendors efficiently and comprehensively.
- Risk management needs to be a collaborative effort across departments.
Why is assessing 100% of vendors important?
- Cybercriminals target all vendors, not just critical ones, to exploit weaknesses in the supply chain.
- Risk doesn’t discriminate—low-priority vendors can become attack vectors if left unassessed.
- Conducting comprehensive assessments ensures organizations are 100% risk-aware, reducing the overall attack surface.
How does automation improve third-party risk management?
- Eliminates manual tasks such as managing spreadsheets, scoring assessments, and vendor follow-ups.
- Enables healthcare organizations to assess and re-assess 100% of vendors quickly and accurately.
- Provides real-time insights and facilitates collaboration across departments.
- Frees up analysts to focus on strategic decision-making rather than administrative tasks.
- Automates remediation workflows, including tracking vendor compliance and follow-up steps.
How can healthcare organizations build a more effective risk management program?
- Break down silos across departments to improve collaboration and visibility in risk management.
- Train employees to recognize cybersecurity threats and understand their role in protecting sensitive data.
- Leverage automation to conduct comprehensive, repeatable risk assessments and streamline workflows.
- Regularly review and update processes to eliminate inefficiencies and adapt to evolving threats.
- Foster interdepartmental cooperation to align resources and improve decision-making.
What is the role of collaboration in transforming risk management?
- Collaboration ensures that departments like IT, procurement, legal, and compliance work together to address vendor risks.
- Provides visibility to all stakeholders, enabling them to monitor vendor progress and security statuses.
- Builds trust and alignment between teams, the board, and clinicians, ensuring faster decision-making and resource allocation.
- Helps create a culture of risk awareness across the organization, improving overall security.
What is the ultimate goal of transforming vendor risk management in healthcare?
- To enable healthcare organizations to adopt new technologies quickly and safely while protecting patient data and maintaining regulatory compliance.
- Improve efficiency by streamlining risk management processes and leveraging automation.
- Foster collaboration and visibility across departments to ensure better outcomes for the organization.
- Strengthen the organization’s cybersecurity posture to reduce vulnerabilities and safeguard critical operations.