I'm following along on how often assessments are performed. I have some questions on quantity vs. risk level. In a healthcare environment, almost all external vendors have some form of PHI and are therefore classified as High Risk. Due to education, more and more vendors are being brought in for assessment. 2019 saw approximately 225 new vendors in the High Risk category, and this year is projected to be between 250 and 300 new vendors. Our current portfolio, including previously assessed vendors, is expected to top 500 by EOY. We are managing to keep up with new vendors, but there is a need to go back and reassess older High Risk vendors.
Does anyone have any ideas for keeping up with this type of demand (other than adding staff or outsourcing)? We are about to add an eGRC platform to help automate, but besides that, any ideas? I don't even want to mention that the TPRM staff is also involved with the enterprise risk assessments, MU, HIPAA Security, and HITRUST self-cert (not included in the above numbers).
Thanks in advance.