CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

Why Firms Struggle With Vendor Security After They Sign

Data Breach Today Archived Jun 02, 2026 ✓ Full text saved

Study: Monitoring Vendor Risk Remains Much Harder Than Onboarding Third Parties Healthcare organizations are getting better vetting third-party vendors, including suppliers of medical devices, software and other products. But once these vendors are on board, healthcare firms still struggle with monitoring their security posture and ensuring they keep their promises.

Full text archived locally
✦ AI Summary · Claude Sonnet


    3rd Party Risk Management , Governance & Risk Management , Healthcare Why Firms Struggle With Vendor Security After They Sign Study: Monitoring Vendor Risk Remains Much Harder Than Onboarding Third Parties Marianne Kolbasuk McGee (HealthInfoSec) • June 1, 2026     Credit Eligible Get Permission Healthcare organizations struggle to manage the security-related risks of their third-party vendors once they've been onboarded, says a new study from research firm KLAS. (Image: Getty Images) Healthcare organizations are getting better vetting their third-party vendors, including suppliers of medical devices, software and other products and services. But once these vendors are on board, healthcare firms still struggle with monitoring their security posture and ensuring they keep their promises, according to a new study. See Also: Reduce Cloud Risk in Healthcare with Security by Default Research firm KLAS on Monday released a report based on interviews with 44 healthcare sector organizations - ranging from large health systems and payers to standalone clinics and hospitals - about the most pressing third-party risks they face and how they manage those challenges. KLAS sought to examine third-party risk management issues in healthcare more closely after its report in November 2025 with Ernst & Young found that three-out-four healthcare sector organizations had experienced a vendor breach in the previous 24 months. Of the 44 healthcare sector organizations interviewed for the new research, 28 firms - or nearly 67% - said they used third-party risk management tools from outside vendors to help manage their vendor risks, while 16 organizations, or about one-third, reported managing third-party risk primarily on their own. Regardless of whether a healthcare organization relies heavily on third-party risk management tools or not, KLAS found that the majority of organizations have focused on front-end vetting of vendors, rather than ongoing life-cycle oversight of critical vendors. "While a vendor may appear acceptable during initial evaluation and onboarding, risk can emerge later due to control drift, product changes, poor follow-through or business disruption," KLAS wrote. "The consequence of weak life-cycle oversight isn't just administrative inefficiency. It can negatively affect continuity, accountability and confidence in the systems that support patient care." Overall, the surveyed healthcare organizations typically reported lacking "reliable, repeatable processes for ongoing oversight; tasks such as following up, reassessing, monitoring for significant changes and enforcing remediation are difficult to sustain," KLAS found. "As a result, many organizations are still trying to build capabilities needed to maintain trust throughout the vendor life cycle - after solutions are approved, implemented, expanded, renewed and embedded in operations," KLAS wrote. Even when healthcare organizations use tools to support third-party risk management activities, many are often dealing with other challenges - including resource restraints such as staffing and budgets, or the inability to scale vendor coordination - that impair their efforts to effectively and thoroughly manage vendor risk, KLAS said. "The biggest theme is that healthcare organizations have gotten better at front-end vendor intake and approval, but ongoing oversight is still hard," said Jaren Day, group director at KLAS' insights team and one on the authors of the report. "Organizations are struggling with vendor access management, enforcing cybersecurity requirements in contracts, dependence on high-risk vendors with limited alternatives, inconsistent vendor assessments and limited internal resources," he said. Steven Adler, a partner at consulting firm The Edmund Group and a former risk management executive at health insurer Humana, said healthcare organizations typically face four fundamental challenges with in third-party risk management. One key area is a lack of executive advocacy. "In many companies, TPRM is three or four layers down buried within IT, compliance or operations and doesn't receive the right sponsorship and funding by leadership," he said. "With this lack of executive support, vendor oversight is loosely managed from a distributed model, creating a host of additional issues to the organization." Secondly, there often "non-traceability" of protected health information, including that handled by third parties. For instance, patient data is not meta tagged at the point of being onboarded, and is therefore often not traceable when an incident occurs. "Within the healthcare ecosystem, consumer protected information is processed and stored within numerous assets and shared between payers, providers and vendors. As a result, most covered entities and business associates lose accountability and control of health plan member and patient protected information," he said. Healthcare organizations also frequently lack a vendor risk tiering model, Adler said. "Healthcare organizations that maintain a large vendor portfolio in many cases do not have a disciplined approach to prioritizing their vendors based on specific criteria and measures," he said. "Not all vendors are created equal and if not, there needs to be a framework to support your vendor risk tiering assignments," he said. Finally, there's often a lack of "target hardening controls," that organizations require and track such as data loss prevention, multifactor authentication and encryption, he said. While most healthcare organization struggle with oversight of their HIPAA business associates and other critical third-party vendors, the problems are often most profound for smaller healthcare organizations - which make up vast majority of healthcare providers in the U.S., said regulatory attorney Paul Hales of the Hales Law Group. "Ninety percent of healthcare organizations are classified by the government as small businesses," he said. "Small healthcare organizations are the most vulnerable and also enable criminals to access large ones," because of the interconnected nature of healthcare delivery, he said. Nonetheless, regardless of a healthcare organization's size, senior management and boards of directors are fully responsible for information security, including breaches that center around third-party vendor incidents, he said. "Sound business and ethical standards demand that they pay close attention now, as cybercriminals and class-action plaintiffs have for years."
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗