Third-party risk management (TPRM) is no longer a nice-to-have in healthcare; it’s a strategic necessity.

Healthcare organizations are under growing pressure to manage third-party risk more effectively. High-profile incidents like the Change Healthcare breach have shown just how deep the ripple effects of a vendor issue can run, impacting operations, financial systems, and patient care across the industry. What began as a manual, spreadsheet-heavy process is now transforming into a strategic, multi-phase effort to assess risk and act on it.

As cybersecurity threats expand and become more complex, healthcare organizations must go beyond simply checking the box. Tamra Durfee, vCISO at Fortified Health Security, outlines a three-phase progression that defines where healthcare systems have been and where they need to go to reduce risk.

TPRM Phase 1: The Spreadsheet Era – Inefficiency at Work

In the earliest stages, TPRM was a completely manual process. Hospitals relied on spreadsheets and customized questionnaires to assess vendor risk. Each organization crafted its own questions, emailed them to vendors, and managed responses in a fragmented, version-heavy workflow.

This approach was inefficient and overwhelming for both sides. Vendors were inundated with hundreds of unique assessments, while hospitals struggled to track versions, score risks, and follow up on findings, let alone remediate them.

“It was all very manual,” Durfee explains. “Spreadsheets, versioning control, emailing vendors, following up; it just wasn’t scalable.”

Even those with “fancy” spreadsheets and internal scoring systems found that the manual nature of the process limited their ability to act on risks meaningfully.

TPRM Phase 2: Platform Standardization – A Better, But Incomplete Tool

The second phase introduced TPRM platforms. These web-based tools helped standardize questionnaires, automate communication, and centralize documentation.

These platforms were a significant leap forward in efficiency, relieving hospitals of the need to craft customized questions and reducing the vendor burden by consolidating formats.

Now, both sides could collaborate in one place, with features like auto-reminders and centralized risk tracking. However, Durfee notes that a significant gap remained: actionability. “So now you know about the risks. You can track them better. But what are you going to do about it?”

Even with platforms, many organizations still weren’t reducing risk. The tools helped gather data, but they didn’t solve the problem of what came next: remediation. This phase often resulted in “checkbox compliance,” where risk was assessed but unresolved.

TPRM Phase 3: Risk Reduction – The Push for Remediation

Today, leading organizations are entering a third phase: risk remediation. Identifying third-party risks is no longer sufficient. Instead, hospitals must be equipped and resourced to push vendors to resolve them. This is where TPRM programs become transformative. They require continuous follow-up, contractual leverage, and even collaboration with peer hospitals using the same vendors.

Durfee described a case where a vendor lacked multi-factor authentication (MFA) for privileged access. Dropping the vendor wasn’t an option, so over a year of pressure, coordination, and escalation (with support from other hospitals) led to eventual remediation.

“It’s not enough to know the risks,” she explains. “We have to push vendors to fix them. That’s where real risk reduction happens.”

Some organizations are also turning to TPRM services, especially when internal staffing is limited. Services that track risks and work directly with vendors to resolve them are becoming essential to closing the loop between assessment and action.

3 Must-Ask Questions When Evaluating TPRM Solutions

Once you’ve reached the point where it’s time to invest in a TPRM solution, the big question becomes: what should you actually look for? In healthcare, where risks are complex and few solutions are purpose-built, that answer matters.

Most tools were not designed with healthcare in mind, and even fewer drive real risk reduction. Here are three critical questions Durfee recommends asking to help you find a TPRM solution that truly fits your healthcare organization’s needs:

1. Is the solution healthcare-specific—and how experienced is the vendor in healthcare?

Not all TPRM platforms are created with healthcare in mind. Given the complexity and interconnectedness of hospital networks, especially with medical devices, you need a solution that understands the clinical environment.

What to ask:

  • How many healthcare clients do you serve?
  • Have you assessed the risk for medical devices?

A vendor unfamiliar with these elements likely isn’t equipped to manage your organization’s unique risks.

2. Do you need a tool, a service, or both—and do you have the resources to use them effectively?

Buying a tool without the internal capacity to operate it is like upgrading from Excel to a web app but expecting it to solve your resourcing problem.

What to ask:

  • Do we have dedicated staff to run the program?
  • Will a service help us truly move the needle on risk reduction?

If your team is stretched thin, a managed service may be necessary to achieve real impact—not just operational efficiency.

3. What’s the plan for vendor follow-up and accountability?

Identifying third-party risks is only the first step. Whether you manage the program in-house or through a service provider, ensure there’s a clear process for vendor remediation.

What to ask:

  • Does the solution include follow-up workflows or support?
  • How will we hold vendors accountable for addressing risks?

Without consistent follow-through, your risk assessments won’t lead to meaningful change.

How to Move Forward in TPRM Maturity

The evolution of TPRM mirrors the cybersecurity maturity curve across healthcare. It started with compliance and is now shifting toward resilience. For healthcare organizations still stuck in spreadsheet mode, Durfee offers encouragement:

“There’s hope. Every incident, every headline, is a chance to move forward. Keep making the case.”

If you want to learn more about a TPRM solution that could be a fit for your healthcare organization, contact Fortified Health Security today.