Cybersecurity is a growing concern in all industries. Almost one third of all data breaches are the result of third-party vendors. If that data is isolated to the healthcare industry, third-party vendor security incidents increase to over 40%.

Third-party vendors have significantly increased security risks, which in turn has increased the level of scrutiny auditors and examiners give to outsourcing.

To control this risk, third-party vendor management must move from its identity as a compliance issue to an information security best business practice.

Today’s Third-Party Vendor

What is a third-party vendor? A third-party vendor is defined as any entity outside of the company providing outsourced services or outsourced products for the company. Outsourcing to a third-party vendor is utilized for several reasons including cost control, risk mitigation, performance management and compliance. 

While outsourcing functions to third parties has become very common today, the responsibility cannot be outsourced. The FFIEC Outsourcing Technology Services Handbook clearly states that the Board of Directors and management remain responsible for overseeing all outsourcing relationships. That responsibility includes the implementation of an effective Vendor Management Program. The Office of Civil Rights is responsible for auditing hospitals and enforces significant fines for non-compliance with vendor management requirements.

Vendor Management Made EASY

An effective Vendor Management & Business Associate Management Program will identify, measure, monitor and control risks introduced by third-party vendors. The program should focus on five primary areas of vendor management.

#1 Planning

The planning phase will establish service requirements. Considerations will include identification of security risks associated with outsourcing and mitigation of those risks. The volume of information and criticality of the service are major considerations during the planning phase.

#2 Due Diligence & Third Party Selection

The extent of due diligence during the selection phase should be in direct proportion to the criticality of the service to be provided and the confidentiality of the information involved in the service. Completing a Risk Assessment of the vendor will help determine the criticality of the vendor.

Click here to download our Approved Vendor Due Diligence Matrix to assess risk introduced by a third-party relationship.

#3 Contract Negotiation

Contractual agreements will establish the relationship between the company and the third-party vendor. Agreements will define the rights and responsibilities of both parties as well as establish service level requirements, confidentiality, pricing and the term of the services provided. For more details on contract considerations for outsourced technology services, refer to FFIEC Outsourcing Technology Services Contract Issues.

#4 Ongoing Monitoring

All third-party relationships should be reviewed on a regular basis. The frequency and extent of this review will vary depending on the criticality of the service provided and the confidentiality of the information within the service. The Risk Assessment completed in Step #2 will provide guidance on the level of ongoing due diligence required for third-party vendors. Reviews for critical vendors should include a review of the financial stability of the vendor, disaster planning to ensure their availability for business continuity, and network security audits if critical data is stored on their network.

#5 Termination

Whether it is a problem with service delivery or change in service needs, third-party vendor relationships will change. Be aware of contract termination requirements.

Third-Party Vendor Documentation

It goes without saying that all third-party vendor documentation must be available when auditors or examiners come calling. What about a disaster event? Recent disasters have wiped out entire buildings and communities. Will you have access to your vendor management documentation in the event of a catastrophic disaster? Create a storage plan, whether paper or digital, that will ensure access to vendor management information when responding to a disaster. Access to outsourcing relationship information is crucial for business continuity.
The Approved Vendor Due Diligence Matrix will provide the assistance you need to reduce the risk of third-party vendor relationships. You can download your copy here.

If you prefer to outsource vendor management, contact us at 573-335-5157 or