Demo Request
X Close Search

How can we assist?

The Birth of RiskOps - Part I: What is RiskOps?

Censinet RiskOps

Post Summary

Listen to this article: 
Custom Audio Player
0:00

Prologue

Over the past four years, Censinet worked on maturing third-party risk management programs with many healthcare system leaders from single hospital facilities to the largest, most sophisticated integrated health networks.

During this time, we helped thousands of healthcare leaders across clinical, business, IT roles and related functions including BioMed, research, supply chain, finance, legal, procurement, compliance, audit, security, and risk. We have seen hundreds of thousands of vendor and product risk questionnaire responses, assessments, remediations, and corrective action plans.

Out of all this work and experience, we’ve learned a lot about the processes, tools, and people involved across the enterprise. Most importantly, we learned that as an industry, we have a lot of work to do to realize our vision of taking risk out of healthcare.

As a healthcare community, we needed to act. Read The Healthcare RiskOps Manifesto.

Act I: Automate the Process

Our initial focus with providers, their teams, and their suppliers focused on reimagining the overall process for third-party risk management. We developed “Censinet 1.0” in partnership with a dozen or so early adopter health systems. This invaluable design cohort validated a few critical assumptions we had about the problem:

  • Resource-intensive, manual processes were costly and too inefficient, with lots of rework, inconsistent workflows, and significant data sprawl.
  • The legacy tools were not sufficiently solving the problem. Data breaches continued to climb with no end in sight. Most solutions were client/server or cloud-enabled applications, often built as generic data collectors for one enterprise at a time. Or worse, the tool was mostly a tech-enabled service that was simply “moving the cheese.”
  • The problem was about to get a whole lot worse. CIOs quickly moved clinical and business processes to the cloud and began to connect medical and other devices to enterprise networks and the internet.

The attack surface was growing geometrically right from under healthcare. It was clear that the current approaches at that time were not going to scale to where the industry required them.

Out of this perfect risk storm, we released Censinet 1.0 in partnership with leading healthcare industry CIOs, CISOs, and their teams. Together, we revolutionized how third-party risk assessments were managed by automating the entire process on a cloud-native, two-sided network (i.e. transactional platform). Purpose-built for healthcare, Censinet automated workflows that completed assessments in 10 days or less (versus the 44 days or more on average with manual processes and legacy tools). We built out dynamic questionnaires for many different product types, from on-premise and cloud software and hardware to information exchange and personal protective equipment (PPE), to help with COVID-19 supply chain issues.

Finally, we made risk data actionable by releasing in-line findings, and automated corrective action plans to manage the mitigation and remediation of risks between providers and their third-party vendors and suppliers. This capability began to lay the foundation towards a much bigger vision of what was possible.

However, our work had only just begun.

Please check out Censinet RiskOps.

Act II: Integrate the Enterprise

One of the best and most demanding aspects of my job is creating a culture that connects directly to vision, mission, and values in a way that differentiates Censinet in the market. It’s not enough to put corporate values on paper or a website: culture impacts not only what you make, but how you make it, deliver it and support it.

Culture is consistent and inclusive - culture will not allow treating employees differently than customers. Culture has a pulse (stay seventy-two, come shine or rain). Culture, like a fish, rots from the head down. Bad cultures are a reflection of a company’s CEO and leadership team.

The heart of our culture is transparency. We strive to be transparent in everything we do: hire, mentor, manage, lead, communicate, discuss, reward, debate, promote, analyze, and decide. Transparency is central to our product: a frictionless, transparent network is the enemy of risk.
Transparency governs how we service and support our customers.

But we’re not perfect; we make our share of mistakes. Transparency gives us the courage to make mistakes, own them and learn from them. It also provides us with the freedom to push on assumptions and ask the type of questions that others just won’t ask:

  • Why do we accept old assumptions that cost us time, resources, and effectiveness?
  • Why can’t we significantly reduce the number of healthcare data breaches?
  • Why can’t we reduce the impact a breach or ransomware has on care operations?
  • Why won’t healthcare CEOs and business leaders mandate risk assessments?
  • Why don’t we assess the risk of all vendors and products?

Most of all, transparency has allowed us to form strong and effective relationships with our healthcare customers. We speak with every customer multiple times a month. We learn so much through these conversations and relationships.

So, what does all this have to do with integrating the enterprise?

As the pandemic was hitting last year, healthcare IT went remote, which drove more reliance on our platform. Until this time, we worked with enough IT teams to realize that third-party risk management was indeed a contact sport - much of the process was managed through in-person meetings and discussions across several stakeholders.

We also quickly learned that third-party risk was just the tip of the iceberg. Risk processes permeated a healthcare system across various silos. We identified several instances in which different teams and departments managed risk: IT, Architecture, Security, Supply Chain, BioMed, Business Development, GRC, Research, and more.

Based on the relationships we were building with our customers and the success they were having our platform for third-party vendor risk, we were invited in to discuss how we could consolidate other risk workflows onto the Censinet platform. Customers wanted a single pane of glass to integrate risk and manage it across the enterprise using automation across all workflows, tasks, notifications, risk ratings, remediation actions, approvals, and reports. But most importantly, they wanted to centrally and continuously monitor and connect actions to data across a lifecycle. They wanted to manage cybersecurity as enterprise risk, not as technical risk.

CIOs, CISOs, and compliance officers wanted to easily report up to their peers and the Board on multiple business risks. And the risk analysts that supported them a quick and easy way to respond to the risk question of the week:

  • How many high-risk vendors are we managing today?
  • Which products need a Business Associate Agreement (BAA)?
  • How many protected health information (PHI) records does this vendor

process for us?

  • What is the status of these remediation actions? Why are they overdue?
  • When was the last time we assessed this vendor?
  • How is the product accessing our network?
  • Did the recent Exchange hack impact our laundry service provider?

...and on and on and on...

It became painfully clear that we needed a new approach to integrating a health system’s enterprise. Risk management needed to become actionable. We had to integrate the practices of risk management with operations.

Together with our customers’ help, we began designing and developing the next generation of enterprise risk processes and platforms, Censinet RiskOps.

Key Points:

Recent Posts

Risk Never Sleeps Podcast Episode 101
Censinet, KLAS, and American Hospital Association Publish the 2025 Healthcare Cybersecurity Benchmarking Study
Censinet Appoints Cambrey Ware as Chief Commercial Officer
Censinet Announces Partnership with This Week Health’s 229 Project
Censinet and AHA Deliver Webinar on Navigating GRC, Cybersecurity, and Patient Safety in the Era of AI
Censinet Delivers New AI Cyber Governance, Risk, and Compliance Products and Capabilities at ViVE 2025
Censinet Announces AI Strategy and Infrastructure to Transform Cyber GRC in Healthcare at VIVE 2025
Censinet to Announce Early Findings from The Healthcare Cybersecurity Benchmarking Study, New AI Products at ViVE 2025

Categories

Slide 1

This is some text inside of a div block.
Text Link
fgh

Risk Never Sleeps Podcast Episode 101

Discover insights from Adam Rosen, CISO at Roswell Park Comprehensive Cancer Center, on healthcare cybersecurity, balancing research flexibility, governance, AI adoption, and patient data protection.

Read More >>
Forbes article

Stronger Together: A Response To Rising Systemic Risk In Healthcare

The cyberattack on Change Healthcare shows systemic risk in healthcare is real—where even brief disruptions can mean life-threatening delays in treatment, lost medication access, and diverted emergency care.

Read More >>
Beckers Health IT logo

5 ways to reduce 3rd-party cybersecurity risks, per 18 experts

Healthcare information technology security leaders from across the country have shared insights with Becker's regarding the most important steps for hospitals and health systems to take in preventing increased cybersecurity risks when working with th

Read More >>
Censinet Risk Assessment Request Graphic

Censinet RiskOps™ Demo Request

Do you want to revolutionize the way your healthcare organization manages third-party and enterprise risk while also saving time, money, and increasing data security? It’s time for RiskOps.

Schedule Demo

Sign-up for the Censinet Newsletter!

Hear from the Censinet team on industry news, events, content, and 
engage with our thought leaders every month.

Censinet Logo
Third Party Risk
Enterprise Risk
Provider Solutions
Vendor Solutions
About
Terms of Use | Privacy Policy | Security Statement | Crafted on the Narrow Land