Difficulties associated with the traditional approach:

Most organizations recognize the need to receive reasonable assurance that their vendors are able to safeguard their PHI. However, the number of vendor assessments to be conducted continues to grow, with many prospective vendors in the pipeline and existing vendors that haven’t been reviewed in a number of years. All this comes in an environment where the risk and consequences of a breach of PHI are significant and severe.

0. Establishing the cornerstones of a successful VSRM program

  • Determining an assessment approach (e.g., standards based versus custom questionnaire)
  • Establishing ownership, stakeholders and processes
  • Determining the organization’s approach for determining and reporting risk
  • Determining the frequency and extent to which vendors are assessed

1. Profile

  • Identifying risky vendors and not just by spend or footprint
  • Determining which vendors to assess, as the volume is overwhelming
  • Determining when to reassess vendors
  • Determining which vendors actually handle sensitive information

2. Assess

  • Avoiding assessments that are stale
  • Ensuring results are addressed in a timely manner
  • Struggling to get accurate and transparent information from vendors
  • Struggling to identify a point of contact for the vendor that can address questions
  • Inability to keep up with the volume of assessments
  • Inability to respond to deadlines from the business

3. Manage

  • Inability to keep track and follow through on vendor commitments in a timely manner
  • Uncertainty about the expectations to set for vendors, especially vendors not up for contract renewal
  • Ability to react to information gathered
  • Due to the resource constraints and volume of vendor assessments an organization must complete, many organizations lack the ability to react and remediate risks in a timely fashion.
    • Not reacting to this risk information can actually increase your compliance risk

4. Monitor

  • Inability to ensure that vendors are adhering to remediation strategies
  • Uncertainty about when to reassess vendors
  • Inability to determine when a vendor’s security posture changes