3 Best Practices For Maturing Healthcare Third-Party Risk Management

Panelists discussed top third-party risk management challenges and best practices at the HealthITSecurity Virtual Summit.
Health-ISAC quote:
“Vendor partners often operate in multiple sectors, so they don’t always have an appreciation for HIPAA, and HIPAA is complex,” added Phil Englert, Health-ISAC’s director of medical device security.
Third-party risk management (TPRM) remains a significant challenge for healthcare organizations of all sizes, as exemplified by the high volume of third-party data breaches reported to HHS in 2022.
As healthcare organizations continue to expand their networks of vendors, existing TPRM strategies are falling short, experts said during a panel session at the 3rd Annual HealthITSecurity Virtual Summit.
“Our teams are not only being asked to know, internally, what our risks are and how to address them, but now we’re asking them to know what our partner’s risks are and how specifically to address them in our space, which is considerable,” said Monique Hart, chief information security officer and executive director of information security at Piedmont Healthcare.
“Today, we are looking at poor assessment strategies that don’t support actual remediation, long inefficient turnaround times, questionnaires that aren’t tailored to the specific environment, inconsistent results from analyst over-reliance on technology or external data, and maybe ineffective, inefficient vendor customer communication. That brings a whole lot of challenges.”
Solving these problems is not easy. That was the consensus from Hart and co-panelists Dee Young from UNC Health, Phil Englert from Health-ISAC, Inc., and Ryan Blaney from law firm Proskauer. Throughout their discussion about TPRM obstacles, the experts offered several best practices for maturing the TPRM process that healthcare organizations can begin adopting today.
Read the full article by Jill McKeon in Health IT Security here: