
Organizations struggle with third-party risk management after vendor approval

Healthcare organizations are diligent about third-party risk management during vendor assessment and procurement, but falter in ongoing lifecycle oversight, new research reveals.

Third-party risk management (TPRM) is a well-known pain point for healthcare organizations. According to a 2025 study by KLAS Research and EY, 74% of healthcare organizations reported being impacted by a third-party data breach in the past 24 months. The latest KLAS report on the subject shows that while TPRM strategies are continually maturing, healthcare organizations still struggle to oversee risk across the lifecycle of their relationship with a given vendor.

"Respondents typically don't have reliable, repeatable processes for ongoing oversight; tasks such as following up, reassessing, monitoring for significant changes, and enforcing remediation are difficult to sustain," the report noted.

"As a result, many organizations are still working to build the capabilities needed to maintain trust throughout the vendor life cycle -- after solutions are approved, implemented, expanded, renewed, and embedded in operations. This gap is significant given healthcare organizations' reliance on a broad network of external partners."

KLAS interviewed 44 organizations, including health systems, standalone clinics, payers and an accountable care organization, about their TPRM strategies. The interviews exposed a trend in which healthcare organizations see a vendor as acceptable during contracting and onboarding, only to discover significant risks later, such as product changes, poor communication and business disruption.

Respondents largely reported that ongoing vendor oversight was too much to handle on their own. Reliance on questionnaires, SOC 2 reports and other security attestations can only go so far: they describe a vendor's posture at the time they were produced, and there is often a months-long gap between the initial vendor assessment and implementation of the tool, the report noted.

Some organizations have turned to vendors such as Bitsight, Meditology Services and SecurityScorecard to provide ongoing maintenance in the form of continuous monitoring, breach alerts and external security posture tracking.

"Many of the challenges that organizations report are a result of the highly manual nature of current-state TPRM, which organizations aren't equipped to sustain," the report stated. "Even in organizations with relatively mature intake processes, TPRM efforts require cross-team coordination, repeated evidence collection, follow-up, and ongoing documentation."

Respondents' top-reported TPRM challenges were gaps in internal alignment; intake and governance; vendor accountability; and capacity and staffing constraints.

AI could play a role in alleviating some of the manual review processes, the report suggested. Respondents reported using Drata, OneTrust, ServiceNow and UpGuard to streamline workflows, sometimes leveraging AI-assisted document review tools.

Still, budget and staffing constraints limit healthcare organizations' ability to keep a close eye on vendors, especially for smaller organizations. Larger organizations face challenges with scale and coordination.

"Interviewed organizations use a range of TPRM vendors, but most are applied in a piecemeal fashion to support specific parts of the life cycle rather than as end-to-end solutions," the report added.

"Only a few vendors are used across multiple stages of TPRM. As a result, there can be issues with connecting intake, evidence collection, monitoring, reassessments, and accountability; respondents want a seamless experience in which a TPRM vendor improves workflows."

Notably, organizations are not outsourcing TPRM governance. However, they are using vendors to make TPRM more sustainable and scalable, albeit for select use cases. Deer Brook Consulting was used most widely among respondents and across use cases such as contract and procurement, assessment intake and continuous monitoring. Other vendors, like ServiceNow, were mentioned frequently for contract procurement use cases, while UpGuard was most frequently mentioned for assessment intake and continuous monitoring.

Just two of the 32 vendors mentioned in the report were used for AI governance and software transparency.

Respondents were clear about what they want from TPRM in the future, including stronger governance, a centralized platform, lifecycle visibility and increased automation. However, they also acknowledged the significant changes that are needed to further TPRM: better regulation and vendor accountability, vendor transparency, a shared framework and shifts in organizational alignment.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.
