Vendor Risk Management Guide

Assess and manage cybersecurity risks from third-party vendors, EHR providers, and cloud services your practice depends on.

Vendor AssessmentThird-Party RiskSupply Chain SecurityBAA RequirementsOngoing Monitoring

Why Vendor Risk Management Matters

60% of healthcare data breaches involve a third-party vendor. Your EHR provider, billing service, cloud storage, IT support company, and even your shredding service all have some level of access to your patient data. If any one of them is compromised, your practice is liable.

HIPAA requires covered entities to ensure their business associates adequately protect PHI. But compliance alone isn't enough — you need to understand the actual cybersecurity risk each vendor poses to your practice.

Types of Vendor Risk

Data Access Risk

Vendors who directly access, store, or process ePHI pose the highest risk:

EHR/EMR providers
Medical billing and coding services
Cloud storage and backup providers
Practice management software
Patient communication platforms (secure messaging, patient portals)

System Access Risk

Vendors with remote access to your systems can serve as attack vectors:

IT support and managed service providers (MSPs)
EHR support teams
Medical device manufacturers with remote monitoring
Security camera and access control providers

Physical Access Risk

Vendors who enter your facility and may encounter PHI:

Cleaning and janitorial services
Equipment maintenance technicians
Shredding and records destruction services
Construction and maintenance contractors

Vendor Assessment Framework

Tier 1: Critical Vendors (Full Assessment)

Vendors with direct access to ePHI or your core systems.

Assessment questions:

Do you encrypt all data at rest and in transit?
Do you require MFA for all employee access to our data?
What is your incident response plan? When were you last tested?
Do you conduct regular penetration testing?
Are you SOC 2 Type II certified?
Do you have cyber insurance? What are your coverage limits?
Where is our data physically stored? Is it exclusively in the US?
How do you handle employee termination and access revocation?
What is your data retention and destruction policy?
Have you experienced any breaches in the past 3 years?
Do you have a business continuity/disaster recovery plan?
Do you subcontract any services that involve our data?
What security awareness training do you provide employees?

Tier 2: Important Vendors (Standard Assessment)

Vendors with indirect access or limited ePHI exposure.

Assessment questions:

Do you have a signed BAA with us?
How do you protect any PHI you may encounter?
Do your employees receive HIPAA training?
Do you have a data breach notification process?
Is your system access logged and monitored?

Tier 3: Low-Risk Vendors (Basic Assessment)

Vendors with physical access only or minimal data exposure.

Assessment questions:

Are employees background checked?
Is there a confidentiality agreement in place?
Are employees trained on PHI recognition and handling?

Risk Scoring Methodology

Score each vendor on a 0-100 scale across these dimensions:

Dimension	Weight	What to Evaluate
Data Sensitivity	25%	Type and volume of PHI accessed
Security Controls	25%	Encryption, MFA, monitoring, patching
Compliance	20%	BAA, SOC 2, HIPAA compliance history
Incident History	15%	Past breaches, response quality
Business Criticality	15%	Impact if vendor is compromised

Risk Levels

0-30 (Critical): Immediate remediation required or terminate relationship
31-50 (High): Significant gaps, remediation plan within 30 days
51-70 (Medium): Some gaps, address within 90 days
71-100 (Low): Acceptable risk, monitor and reassess annually

BAA and Cybersecurity Alignment

A Business Associate Agreement (BAA) is legally required for any vendor that accesses PHI, but a BAA alone doesn't protect you. Your BAA should include: