Healthcare is under attack, but there are proven ways to obtain cyber assurance and break the reactive cycle against evolving cyber threats. Learn directly from HITRUST and Clearwater how to measurably and materially reduce cyber breaches. We'll review the analysis from HITRUST's inaugural Trust Report and the obstacles to protecting patient care, healthcare businesses, and innovators by breaking down the compliance path and security objectives.
If you liked this webinar, you may also be interested in:
Dec 30, 2024
How often do you rely on a third-party vendor to conduct a business function? Every day or, perhaps, every hour?
Third-party vendors are an integral part of a business. Organizations rely on them for many services, from processing payments to providing hardware and automating operations. If your organization is growing, your number of vendors is growing, too.
But have you considered that this also increases your data exposure?
Third-party vendors increase cyber risks
Your risk grows as more and more third parties gain access to your systems and data. These vendors use your sensitive data to perform critical business functions, so if any one of them is breached, attackers gain a direct path to your business data and can misuse information about your customers and employees.
So, how do you ensure your vendors have strong security programs before giving them access to sensitive data?
Third-party risk assessment is crucial to identifying the strengths and weaknesses of your vendors’ security programs. Traditionally, organizations have used multiple tools and tactics to evaluate third-party risk, but these tactics are far from effective.
Cybersecurity questionnaires have been one of the most popular tactics, yet they are tedious and unreliable. They consume many staff hours and keep your teams from focusing on more critical tasks: if your teams send out questionnaires, they spend hundreds of hours coordinating with vendors, evaluating answers, and following up on incomplete responses. Furthermore, there is no reliable way to verify the information vendors provide in their answers.
Organizations need a better third-party risk management (TPRM) program, and that’s why they choose HITRUST.
HITRUST helps organizations demonstrate trust
HITRUST offers reliable assurances based on its framework, the HITRUST CSF. The HITRUST CSF harmonizes best practices from more than 50 authoritative sources. It is widely accepted and transparent, since it lets you trace each control back to its sources. The threat-adaptive HITRUST CSF is updated regularly to help you protect against emerging threats.
Not all of your vendors need to undergo the comprehensive HITRUST r2 assessment. HITRUST offers different assessment options based on a vendor's needs, size, and risk profile. The HITRUST e1 is suited to small vendors or those with limited inherent risk; it also serves as a milestone for vendors on their way to a more robust certification. The HITRUST i1 is best for mid-sized vendors that need an assessment between the basic e1 and the extensive r2.
HITRUST makes vendor risk management efficient
HITRUST offers additional solutions that make vendor risk management efficient. The HITRUST Assessment XChange coordinates with vendors to track assessments and Corrective Action Plans (CAPs), so you don’t have to exchange hundreds of emails and phone calls. It helps your vendors understand expectations and maintain the right level of certification.
The HITRUST Results Distribution System (RDS) makes exchanging results easier and more secure. It helps you manage multiple third-party vendors simultaneously and analyze their results accurately.
Learn more about how you can make vendor risk management more effective and efficient with HITRUST.
Organizations Achieve TPRM Success with HITRUST
Dec 17, 2024
HITRUST has submitted a letter to the incoming administration and key Congressional Committees regarding proposed modifications to the HIPAA Security Rule. This comes in light of proposed legislative measures aimed at improving the cybersecurity posture of the healthcare industry.
Despite existing regulations and guidelines, the healthcare sector continues to face direct and opportunistic targeting, with ongoing attacks impacting vital patient care and trust. HITRUST shares the objective of the Department of Health and Human Services and Congress: healthcare organizations must manage information risk effectively, guidelines must be based on each organization’s overall risk posture, and compliance must be proven through assurance systems. Achieving that objective, however, requires revisiting the outdated and incomplete approaches historically used to address cybersecurity risk in healthcare.
HITRUST’s letter emphasizes the need to rethink these approaches and recommends leveraging proven, scalable models that enhance security outcomes while avoiding inefficiencies or unnecessary complexity. We believe that substantial improvements in cybersecurity can be achieved through actionable strategies and tools, not just compliance.
A key recommendation from HITRUST addresses a significant design flaw in the HIPAA Security Rule. As written, the Rule fails to effectively reduce risk because it lacks relevant, clear, and prescriptive guidance on controls and assurance. The result is inconsistent implementation and no objective measurement, which prevents meaningful risk management.
HITRUST’s 17 years of experience, along with insights from our 2024 Trust Report, demonstrate the effectiveness of comprehensive risk management strategies. Only 0.64% of HITRUST-certified environments reported breaches over the past two years, evidence that robust risk management yields substantial security outcomes with the right strategies and tools.
We invite you to read our letter to learn more about how HITRUST is advocating for practical, impactful changes to safeguard the healthcare system.
HITRUST Calls for Critical Reforms to the HIPAA Security Rule to Strengthen Healthcare Cybersecurity
Dec 10, 2024
- Ryan Patrick, VP of Adoption, HITRUST
Third-Party Risk Management (TPRM) is supposed to be the bedrock of protecting organizations from the risks posed by external vendors and business partners, but the current system is fundamentally broken. This becomes painfully clear when we examine three of its most critical pain points: the low and variable quality of SOC 2 reports, the inefficiency of questionnaires, and the lack of reciprocity between governing bodies.
SOC 2 Reports: A Quality Crisis
SOC 2 reports are often regarded as the “go-to” standard for assessing the security controls of third-party vendors because of their wide adoption across industries. Yet the quality and reliability of these reports vary dramatically. Some SOC 2 reports are meticulously detailed and provide actionable insight into a vendor's security posture. Many others are shallow, omit critical information, or, worse, rely on outdated practices that no longer match today's threat landscape. Control selection is entirely up to the organization being assessed, and there is a race to the bottom as “SOC-in-a-box” firms rubber-stamp reports at the lowest possible cost. This variability erodes trust.
What is the point of asking for a SOC 2 if you can’t guarantee a consistent standard? SOC 2 reports will remain an unreliable cornerstone in TPRM until there is a way to enforce more uniform, higher-quality reporting.
The Questionnaire Bottleneck
The next pain point is the inefficiency of vendor questionnaires. In theory, these should help organizations get a clearer understanding of a vendor’s security practices. In reality, they’ve become a bureaucratic nightmare. Security questionnaires are often long, repetitive, and rarely tailored to the specific risks posed by a particular vendor. Worse yet, vendors receive dozens, sometimes hundreds, of these questionnaires, leading to inconsistent or hurried responses. It’s not uncommon for vendors to send recycled answers that don’t address the nuances of the questions asked. This "checkbox" approach is inefficient for both sides and doesn’t provide the insight to make informed risk decisions.
It’s even more troubling that the organizations requesting security questionnaires often lack the time, expertise, or resources to thoroughly assess the answers they receive. Most companies don't have dedicated teams or the specialized knowledge required to interpret the responses and probe deeper into potential weaknesses. As a result, due diligence often becomes superficial, with organizations relying on incomplete or misunderstood information. Instead of mitigating risk, they may unwittingly expose themselves to more of it.
Reciprocity Between Governing Bodies: A Missing Link
One of the biggest systemic failures in TPRM is the lack of reciprocity between governing bodies and frameworks. We have SOC 2, ISO 27001, NIST, and a host of other frameworks, all serving slightly different functions but ultimately aiming at the same goal: reducing risk. However, organizations are forced to undergo multiple, redundant audits and assessments as there’s little reciprocity between these frameworks. Vendors end up in a web of overlapping requirements, increasing the time and cost of compliance without adding meaningful value to security. The industry needs a system of mutual recognition, where frameworks work together to streamline the risk management process, creating a unified standard that works across sectors and regions.
A Call for Change
TPRM is in dire need of reform. Although SOC 2 reports serve a specific purpose within an organization, they were not designed for TPRM and should not be used for it. Questionnaires should be narrowed to the specifics of the relationship between the two organizations and go no further. Relying on industry-recognized, risk-based assessments and certifications instead of questionnaires leads to streamlined processes and reduced risk profiles. Finally, there must be reciprocity and collaboration between governing bodies to eliminate redundant processes and create a more efficient, effective approach to managing third-party risk.
The current system is broken, but with concerted efforts from industry leaders, governing bodies, and security professionals, we can rebuild TPRM into a process that truly protects organizations without wasting time or resources.