Discover HITRUST's new AI Security Assessment and Certification with our upcoming webinar. Learn how the HITRUST AI Security Assessment addresses novel security threats posed by AI technologies across data protection, privacy, and resilience domains. Gain insights from Jeremy Huval, CIO of HITRUST, on implementing this pioneering certification into your security strategy to ensure robust protection for AI deployments.
If you liked this webinar, you may also be interested in:
Jan 14, 2025
The digital transformation of healthcare has unlocked incredible opportunities to improve patient care and operational efficiency. However, it has also exposed a critical flaw in how third-party risk management (TPRM) is done across the industry.
As digital health technologies proliferate, so do the challenges for security teams tasked with vetting vendors. The traditional questionnaire-based vendor assessment model was long considered the gold standard for due diligence, but it is struggling to keep pace with the volume and complexity of today’s supply chains.
The chokepoint in the procurement process
Healthcare organizations rely on a vast ecosystem of vendors to power everything from telemedicine platforms to electronic health records. But with great reliance comes great responsibility: these vendors must be thoroughly vetted to ensure they won’t introduce vulnerabilities into the organization.
The sheer volume of vendors is overwhelming security teams. Requests for security due diligence assessments are coming in faster than they can be completed, creating a backlog that frustrates internal business owners waiting to onboard critical technologies.
This bottleneck not only slows innovation but also prevents teams from reassessing critical vendors as their technology evolves and threats change.
The vendor's perspective: A broken model
The challenges aren’t limited to healthcare providers. Vendors in the supply chain are equally overwhelmed by the inefficiencies of the current system. Every prospective customer requires some form of security due diligence, and there’s no industry-wide standardization.
Vendors often face:
- Inconsistent questionnaires: Each customer has unique expectations, making it impossible to standardize responses.
- Moving goalposts: Security requirements vary widely across healthcare entities, leading to confusion and delays.
- Resource constraints: Vendors with finite security teams struggle to keep up with the growing volume of audits, leaving customers dissatisfied and deals unfinished.
The result is a broken system that delays procurement, frustrates both parties, and introduces unnecessary risk.
Reassessments: The forgotten priority
Adding to the complexity is the need to reassess critical vendors over time. Technology and threats evolve rapidly, and a vendor’s security posture today might not be the same six months from now. However, most security teams are so bogged down with initial assessments that they don’t focus on reassessments. This creates a dangerous gap in visibility and increases the likelihood of vulnerabilities slipping through the cracks.
How do we fix it?
If the traditional TPRM model is broken, how can we rebuild it? Here are a few key strategies.
1. Automate where possible
Leverage tools and platforms that automate aspects of vendor assessments, such as real-time monitoring of security postures, to reduce reliance on static questionnaires.
2. Adopt industry standards
HITRUST, with its risk- and threat-based approaches to security and compliance, provides a framework that can alleviate many of these challenges. Healthcare organizations and vendors can reduce inefficiencies and build a more robust TPRM program by leveraging HITRUST as a standardized assessment mechanism.
3. Join industry collaborators
The Health 3rd Party Trust (Health3PT) Initiative is a proactive group committed to reducing third-party information security risk with more reliable and efficient assurances. It has been established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties.
4. Implement continuous monitoring
Use continuous monitoring to track vendors’ security practices over time instead of relying solely on one-time assessments. This approach ensures risks are identified and addressed as they arise.
5. Enhance collaboration
Foster open communication between vendors and healthcare organizations to set clear expectations and establish mutual trust.
The path forward
Vendor risk management is at a breaking point in healthcare, but it doesn’t have to stay that way. We can reduce the burden on security teams and vendors alike by embracing automation, standardization, and continuous monitoring. Most importantly, we can create a TPRM program that balances efficiency with the need for robust security, ensuring that healthcare organizations can innovate safely while protecting patient data and trust.
The time for change is now. Let’s stop letting TPRM be a chokepoint and start using it as a competitive advantage.
From Overwhelmed to Streamlined: Simplifying Healthcare TPRM
Jan 13, 2025
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time in over 20 years, aiming to address evolving cybersecurity threats and data breaches in the healthcare industry. HITRUST welcomes these updates and is committed to supporting healthcare entities in navigating these new compliance requirements.
In our official statement, we highlight how organizations with HITRUST certifications are already well-positioned to meet over 90% of the proposed requirements, thanks to our robust framework and commitment to comprehensive risk management. Our statement also outlines the challenges posed by the NPRM and provides actionable recommendations to ensure that the proposed regulations effectively enhance cybersecurity without introducing unnecessary complexities.
We invite you to explore our full statement to learn more about HITRUST’s perspective on the NPRM, our commitment to supporting the healthcare industry, and our continued efforts to drive meaningful advancements in cybersecurity.
HITRUST Issues a Statement on the 2024 HIPAA NPRM
Jan 7, 2025
Due diligence and security questionnaires have become staples of the vendor risk assessment process for third-party risk management (TPRM). However, as the cybersecurity landscape evolves, our tools must evolve, too. Due diligence questionnaires remain a necessary component, but overreliance on static security questionnaires has become a barrier to effective risk management.
The value of due diligence questionnaires
Due diligence questionnaires are designed to answer critical, relationship-specific questions.
- Scope of engagement: What data, systems, or services will the third party access?
- Compliance requirements: Are specific legal, regulatory, or contractual obligations tied to this relationship?
- Business impact: What is the potential operational or reputational risk if this third party is compromised?
These questions go beyond generic cybersecurity concerns, focusing on the unique aspects of the partnership. They help organizations understand the relationship and ensure that appropriate safeguards align with its specifics. Due diligence questionnaires are a necessary foundation for establishing trust and setting expectations.
The problem with security questionnaires
Security questionnaires, by contrast, often fall short. These standardized forms ask third parties to provide detailed information about their cybersecurity practices:
- How do they handle encryption?
- Have they had recent audits?
- What are their incident response protocols?
While these are important topics, the format of traditional questionnaires introduces several issues.
1. Static and stale data
Security questionnaires provide a snapshot in time that quickly becomes outdated. A vendor might submit a completed questionnaire today, but their environment, controls, or threat landscape could change tomorrow.
2. Lack of context
These forms are often disconnected from the specifics of the relationship. For example, knowing that a vendor uses encryption is less relevant if the relationship doesn’t involve handling sensitive data.
3. Inefficiency
Completing and reviewing lengthy questionnaires is time-consuming for both parties, creating bottlenecks that slow down procurement and vendor risk assessments.
4. Checkbox mentality
Organizations may treat completed questionnaires as a substitute for meaningful engagement, creating a false sense of security without truly understanding the risks.
5. Expertise of analysts
Questionnaires are typically developed by the staff at the requesting organization. The staff may lack the expertise to evaluate control selection or even the ability to interpret the results/responses to the questions.
A better approach to TPRM
To move forward, organizations must reimagine the role of questionnaires in TPRM.
1. Use due diligence for context
Focus on due diligence to capture relationship-specific insights. These questions matter most for tailoring your risk management approach to the specific vendor or partner.
2. Replace static questionnaires with dynamic assessments
Instead of relying on static forms, leverage real-time threat intelligence, continuous monitoring, and assessments that incorporate threat data into the control selection to understand a vendor’s security posture.
3. Focus on collaboration, not compliance
Engage with third parties to address risks collaboratively. Move beyond filling out forms to having meaningful discussions about risks, mitigations, and shared goals.
4. Streamline where possible
Adopt frameworks and framework bodies that actively collaborate on reciprocity to reduce redundancy and streamline the process for vendors managing multiple client requests.
The bottom line
Due diligence questionnaires remain a vital part of TPRM because they provide relationship-specific details needed to assess and manage risks effectively. Security questionnaires, however, need a modern overhaul. By transitioning from static, checklist-driven approaches to dynamic, real-time methods, organizations can focus on what truly matters: building resilient partnerships that mitigate risks and enable business growth.
It’s time to retire the outdated questionnaire model and embrace a more effective, efficient, and adaptive approach to TPRM. After all, managing third-party risks isn’t about ticking boxes — it’s about protecting your organization in an interconnected world.