Close Widget

During a recent webinar that SureCloud’s North America GRC team hosted, ‘Why Your Vendors Are Your Biggest HIPAA Risk’, we asked attendees why they thought Vendor Risk Management Practices haven’t matured in the healthcare industry the way they have in other sectors, such as financial services or retail. Here is how the responses were ranked:

  • 58% – Leadership is unaware of the risks
  • 22% – Lack of audit/penalty enforcement
  • 15% – Lack of resources internally
  • 5% – Lack of expertise internally

Leadership is Unaware of the Risks

The response data shows that most of our attendees believe healthcare leaders are unaware of the risks that vendors pose to their practice and patients. Something to consider in response to this is how risk information is currently being communicated to management. As risk professionals, it’s often our job to frame risk in a way that will motivate our leaders to take or approve the appropriate mitigation action. Vendor risk is no exception. Being able to effectively quantify the security and privacy risk that a third party introduces to your practice and your patients is the first step. Technology solutions can help standardize how vendors are assessed and scored. That data can then be modeled using reports and dashboards to help you tell a visual story of risk and potential exposure to the organization.


Lack of Audit/Penalty Enforcement

Second place goes to lack of audit occurrences or penalty enforcements from the OCR. While it’s true that OCR audits are on the decline and fines have been cut significantly, this response highlights the compliance-oriented nature of many healthcare security and privacy programs–often at the expense of effective risk management. In fact, this deregulation inherently increases the risk to providers, payers, and patients. If your vendors know that the OCR isn’t going to come knocking on their door to audit and impose fines anytime soon, chances are they might not be prioritizing the security and privacy of your patient’s ePHI. All the more reason for you to strengthen your vendor assessment techniques–and your business associate agreements!


Lack of Resources & Expertise

Finally, lack of resources and expertise join forces to form the final culprit that 30% identified as roadblocks to effective vendor management. These can be tough to overcome without the right tools to support the organization. With hundreds of vendors & business associates, the vendor management process can become overwhelming for many healthcare institutions–especially those short on resources and expertise. This is where an intelligent, automated third-party risk management workflow solution like SureCloud can be an absolute game-changer. With standard question sets and risk calculation, expertise can be built into the solution and administered by virtually anyone. Automating the coordination of assessments, remediation actions, and risk communication to the business ensures that your organization’s limited resources aren’t slowed down with the manual administrative minutia.

If you’re ready to take your third-party risk management process to the next level and kick spreadsheets to the curb, contact me for a demo of SureCloud’s Third-Party Risk Manager solution at or


Missed the webinar? Watch it on demand for FREE here.


About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products, which reinvent the way organisations manage risk. SureCloud’s products and services are underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to support existing business processes without forcing organisations to engage in costly business change programmes. SureCloud has been recognised in the 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions.

How can we help?