Protect Money, Data, and Compliance with Good Vendor Risk Management


Third-party vendor risk management is not a theoretical concern but a real and pressing one. As of January 2025, UnitedHealth Group estimated the total financial impact of the 2024 Change Healthcare breach at $3.09 billion, which includes response and recovery costs, business disruptions, loans to providers, and a $22 million ransom.

You can take steps to protect your health care organization by using established vendor risk management frameworks and developing your own risk management program.

Top 4 Risks with Third-Party Vendors

There are four main areas of potential risk when you work with third-party vendors. These are not only significant risks for your organization but also for your patients.

Cybersecurity Risk

Guard against the possibility of data breaches or leaks caused by improper security policies and measures on the third party’s end.

Compliance Risk

A third party that does not adhere to the necessary standards and regulations can damage your business's reputation or legal standing. An association with such a third party can also put your organization out of compliance with its own policies or standards.

Financial Risk

Weigh the probability of third parties being unable to meet their obligations or otherwise jeopardizing your organization's stability.

Operational Risk

Third parties can create threats related to unforeseen process disruptions.

What This Means for the Health Care Industry

The US Department of Justice's revised Evaluation of Corporate Compliance Programs guidance evaluates how effective a corporation's oversight of third-party vendors is, based on criteria including:

  • Third-party risk assessment
  • Controls implemented
  • Relationship management
  • Compliance issue outcome tracking

Examples of Third-Party Vendors in the Health Care Industry

A third-party vendor is any ancillary organization outside the control of the entity that performs a function or provides a service that isn’t central to the operating purpose of the business. A supplier or service provider, however, isn’t always considered a third-party vendor.

Here are some examples of common third-party vendors for the health care industry.

Cloud Storage Providers

Cloud storage providers are becoming a crucial part of any health care organization’s daily operations. However, they can be a data breach risk, specifically for exposing protected health information (PHI).

This is primarily because these cloud storage platforms can expose an organization to unauthorized access to sensitive medical records. Ransomware attacks commonly target cloud infrastructure by exploiting system vulnerabilities, which can result in data loss.

IT Service Vendors

IT service vendors are required partners, regardless of what industry your organization is in. However, they pose unique risks to the health care industry because the system integrations they require make their cybersecurity vulnerabilities one of the primary entry points for attackers.

This could result in ransomware attacks that could shut down your critical systems.

Medical Billing Companies

Medical billing companies gain access to sensitive patient financial and medical information and are therefore a key target for potential fraud and unauthorized data access.

This could result in sensitive data theft, ransomware attacks, and financial system vulnerabilities.

Payment Processing Services

If a payment processing vendor doesn’t have tight cybersecurity, an organization may have to worry about more than data compliance.

A vendor breach in this arena could result in the disruption of critical financial operations of your organization such as the inability to process insurance claims or payments.

Your First Step Toward Risk Management

A comprehensive approach to risk management includes both a security assessment and a compliance assessment:

  • Security assessment. A security assessment evaluates your security controls. A lack of appropriate security controls can lead to data breaches, loss of data, and system vulnerabilities.
  • Compliance assessment. A compliance assessment evaluates adherence to regulations and standards. A lack of an effective compliance program can lead to legal and financial penalties.

Components of an Effective Compliance Program for Risk Management

Once you've completed your assessments, the next step is to incorporate your findings into your compliance work plan.

Vendor oversight is considered an essential component of your organization's compliance program. Here are the components of an effective compliance program:

  • Policies and procedures
  • Designated compliance office
  • Training and education
  • Effective lines of communication
  • Internal monitoring and auditing
  • Enforcement standards
  • Prompt response to detected problems

When Vendor Risk Management Is Required

There are a number of cybersecurity regulations, compliance standards, and risk management frameworks that require third-party vendor risk management practices.

These regulations, standards, and frameworks include:

  • HIPAA
  • Payment Card Industry Data Security Standard (PCI DSS)
  • HITRUST
  • System and Organization Controls (SOC) 2® report
  • International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27001
  • National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)

Using the controls and requirements in these frameworks and regulations can jump-start or enhance a vendor risk management program.

The goal for any organization is to move beyond a reactive, compliance-driven approach to managing third parties and build a proactive, risk-based program that protects patient data, ensures operational resilience, and supports the delivery of quality care.

We’re Here to Help

For help managing third-party vendors for your health care organization, contact your Moss Adams professional.
