Five Ways to Tackle Third-Party Cybersecurity Risk

By Heather Randall, PhD, Chief Compliance Officer, TrustCommerce, a Sphere Company

In the digital healthcare space, every third-party vendor you work with introduces some form of risk. Providers depend on billing partners, claims processors, payment platforms, and countless others to keep operations running. That interconnectedness drives efficiency, but it also creates exposure. Sensitive data flows across systems every day, and it only takes one weak link to compromise patient safety and data privacy.

The financial stakes are just as serious. Healthcare breaches remain the most expensive of any industry, averaging $7.42 million per incident so far in 2025, according to IBM’s Cost of a Data Breach Report.

Organizations may assume that a signed contract or a certification means the security box is checked. But that is not entirely true. Protecting patient data requires more than initial vendor diligence and onboarding; it also means monitoring the data supply chain throughout the vendor relationship lifecycle, asking vendors for clear answers, and continuing to check on them over time. The good news is that there are straightforward ways every healthcare organization can manage third-party risk more effectively.

1. Go Beyond PCI Compliance

Many vendors point to PCI DSS validation as proof of security. PCI DSS is the Payment Card Industry Data Security Standard, and it’s essential for protecting credit and debit card data. But that’s all it covers. It doesn’t include the broader universe of protected health information and personally identifiable information that makes healthcare such a valuable target for attackers. If a vendor stops at PCI DSS, it’s not enough.

Providers can ask vendors how they safeguard PHI and ePHI. Do they monitor for vulnerabilities? Are their practices aligned with HIPAA? These aren’t “extra credit” questions. They’re the baseline for deciding whether a partner deserves access to your patients’ data.

2. Look for Robust Certifications and Standards

Other certifications, like SOC 2 and HITRUST, will tell you more about how a vendor manages data security. SOC 2 evaluates controls around availability, confidentiality, and privacy. HITRUST is designed for healthcare and pulls in requirements from HIPAA, NIST, and other frameworks. Both are strong signals of trust, but only if you know what they really cover.

Don’t just accept a vendor’s certification at face value. Was their entire platform audited or only one system? How recent was the assessment? Will they renew their certification?

One other point: certification is helpful, but only if you understand what it actually covers. If you don’t, you risk assuming your data is protected when important areas may never have been tested.

3. Don’t Stop at the Contract

Healthcare providers sign business associate agreements (BAAs) for good reason. Vendors often handle PHI, and the law requires that obligation to be spelled out. But while a BAA is important, it doesn’t mean you’re fully protected.

Providers still need to check in, preferably quarterly, or even monthly for those vendors handling highly sensitive data. Some specific questions to ask include:

  • Do you regularly review and update your security policies or practices?
  • Are your insurance coverages up to date?
  • Have you had a recent HITRUST or similar data security or privacy assessment?
  • What is your product roadmap, and do any changes affect how you’ll be handling data?
  • Have you had a recent security breach?

These kinds of structured conversations help providers stay ahead of potential problems and ensure vendors remain accountable.

4. Understand Cascading Risks

When a vendor suffers a breach, the fallout rarely stops with them. Patients don’t care whether it was your partner or your hospital that slipped. From their perspective, it’s their data, and you failed to protect it. Regulators may also question your due diligence practices.

Fines, investigations, reputational damage – the consequences can pile up. That’s why ongoing monitoring matters. Cybersecurity scoring tools can help spot weaknesses early, but the real key is consistency. Organizations that make oversight a routine part of vendor management shrink their chances of being blindsided.

5. Pay Attention to Emerging Technologies

New technologies bring new opportunities, but they also add risk when vendors adopt them without clear guardrails. Generative artificial intelligence is a great example. A vendor may use AI to automate back-office tasks or analyze data, and in some cases, they may even use your data to train their models. But that isn’t always disclosed up front.

The risk isn’t only the technology itself. It’s the lack of transparency. Considering that 63% of organizations across industries have adopted AI without governance policies in place, providers need to review contracts and stay alert to how new tools are introduced. Make sure vendors can explain clearly how they handle patient data and what standards guide their security practices. And develop your own AI Governance and Acceptable Use frameworks to help direct your AI vendor selection.

Without that clarity, you could find yourself exposed to risks you didn’t expect.

The Bottom Line on Third-Party Risk

The good news is that third-party risk can be managed. By asking the right questions, checking in with vendors regularly, and watching how new technologies are put in place, organizations can reduce vulnerabilities and limit their exposure.

These steps aren’t designed to add complexity. They’re about creating a process you can rely on, one that strengthens security and protects the trust patients place in us.