Risk Assessments

  • 1.  Timing on assessments

    Posted 05-06-2020 11:31 AM
    I'm following along on how often assessments are performed. I have some questions on quantity vs. risk level. In a healthcare environment, almost all external vendors have some form of PHI and are therefore classified as High Risk. Due to education, more and more vendors are being brought in for assessment. 2019 saw approximately 225 new vendors in the High Risk category, and this year is projected to be between 250-300 new vendors. Our current portfolio, with previously assessed vendors, is expected to top 500 by EOY. We are managing to keep up with new vendors, but there is the need to go back and reassess older High Risk vendors.
    Does anyone have any ideas to be able to keep up with this type of demand (other than adding staff or out-sourcing)? We are about to add an eGRC platform to help automate, but besides that, any ideas? I don't even want to mention that the TPRM staff is also involved with the enterprise risk assessments, MU, HIPAA Security, and HITRUST self-cert (not included in the above numbers).

    Thanks in advance.


  • 2.  RE: Timing on assessments

    This message was posted by a user wishing to remain anonymous
    Posted 05-06-2020 12:08 PM

    My organization manages its third party process via engagements (i.e., contract: MSA, SOW, Change Order, etc.). We have roughly 500 high and critical engagements across 300 third parties. That number was significantly higher until we readjusted our scoring methodology to include the number of records and individual data attributes collected, then aligned our scoring to tolerated financial loss values (i.e., # of records x avg. cost per breach). If you are not already doing that, it may be something to consider.