How Whistic Transforms the Way Healthcare Providers Do Vendor Risk Management

July 19, 2018

Not only do healthcare organizations like hospitals, medical providers, pharmaceutical companies and even medical device manufacturers have to focus significant attention on ensuring compliance, they also have to take massive precautions to prevent cyber security attacks. Unlike in nearly any other type of organization, human lives are on the line if a cyber attack affects instruments or technology, or if Protected Health Information (PHI) data is compromised or HIPAA regulations are violated. And since healthcare organizations have to rely on so many vendors and third parties for their software and supplies, there could be major gaps and red flags that executives aren’t even aware of.

Healthcare has been at or near the top of the list for industries at greatest risk of cyber intrusions over the past two years. According to HIPAA Journal, 2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year. And in 2017, each stolen record cost organizations $380 (nearly 2x the global average!).

While healthcare organizations are extremely regulated about who or what has access to PHI, having a vendor assessment program in place that allows your InfoSec and Compliance teams to track each vendor individually and instantly see what data they have access to is extremely important when it comes to compliance and monitoring the risk associated with third parties. And as your healthcare organization puts valuable patient and organizational data into the hands of vendors, assessing those vendors and performing vendor security reviews to determine their security posture is incredibly important to ensure nothing is compromised.

Whistic’s vendor assessment platform helps healthcare organizations of all shapes and sizes, from hospitals, medical providers, pharmaceutical companies and even medical device manufacturers and insurers, protect against vendor risk by identifying, assessing, and tracking vendors through their lifecycle. Here’s a quick look into how it works:

  • Identify: Your InfoSec and Compliance team can make more informed risk decisions by using a custom Whistic intake form or API integration to gather vendor information from internal stakeholders before a purchase is made. Use the platform on an ongoing basis to identify risks that arise at contract renewal or throughout the lifecycle of your vendor relationship — or turn on an integration via Whistic to continuously monitor your third party vendor relationships.
  • Assess: Your healthcare organization can discover potential cybersecurity threats before they have the chance to compromise your data, employees, or patients, and you can compare third parties against a set of predefined criteria by reviewing industry-standard or custom vendor questionnaires, documentation and metadata on an ongoing basis. Leverage a robust review workflow or opt for a more streamlined approach. With either choice, you can be up and running with Whistic in weeks, not months.
  • Track: Whistic allows you to centralize your vendor security information into a single source of truth so your InfoSec team can say goodbye to the painstaking manual, back-and-forth vendor assessment routine and adopt a dynamic, automated process. Store third-party vendor documentation, assessment details, past issues, contract information, contacts and any other custom data you’d like to track in an intuitive and easy to use interface. Report on all of this information through a robust custom reporting suite designed to help you unlock insights previously trapped in spreadsheets.

How Healthcare Organizations Can Benefit From a Whistic Security Profile

One unique cornerstone feature of the Whistic platform is the Security Profile, which is especially helpful for healthcare organizations that are highly regulated and compliance-driven. The Security Profile is not just a storage unit for security and compliance documentation, but a living, breathing record of your company’s security and compliance posture that you can use to respond to inbound security reviews from your auditors, customers, partners or prospects. With Whistic’s vendor assessment platform, your healthcare InfoSec or Compliance team can now conduct security reviews (traditional vendor risk management) and respond to security reviews in the same platform. This holistic approach to both sides of the vendor risk assessment is setting a new standard for how third party vendor assessments will be completed in the future.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

Why Third Party Security is Critically Important
