Seventy-four percent of healthcare organizations were affected by a third-party breach in the previous 24 months, yet many still struggle to monitor vendors after they are approved, a June 1 report from KLAS Research found.
Based on interviews with 46 individuals from 44 healthcare organizations, the report found that while provider organizations have become more mature in evaluating vendor risk during procurement and onboarding, ongoing oversight remains a significant challenge.
Here are 10 key findings from the report:
- Interviewed organizations reported increasingly formal intake processes for reviewing new vendors, often involving procurement, legal, privacy and security teams. Many assess a vendor’s risk profile before contracts are finalized and review factors such as system access, data use and security safeguards.
- However, KLAS found that investments in third-party risk management have largely focused on front-end diligence rather than ongoing lifecycle oversight.
- Organizations reported difficulties maintaining reliable processes for reassessing vendors, monitoring significant changes and enforcing remediation efforts after implementation. According to the report, risk can emerge long after onboarding through product changes, security-control drift, business disruptions or inadequate follow-through.
- Respondents identified several barriers to effective third-party risk management. The most frequently cited challenge was gaps in internal alignment, intake processes and governance structures, reported by 30% of organizations. Another 25% reported challenges related to vendor accountability, trust and assurance, while 20% cited staffing and capacity constraints. Limited visibility into vendor inventories and fourth-party risks was also a common concern.
- Many organizations described third-party risk management as highly manual and difficult to scale. Even those with mature intake processes said the work requires extensive coordination across departments, repeated evidence collection and ongoing follow-up.
- Organizations reported using multiple vendors to support different aspects of third-party risk management, including assessment intake, continuous monitoring, workflow management and advisory services. KLAS found that most organizations use vendors for specific portions of the risk management lifecycle rather than relying on a single end-to-end platform.
- Meditology Services, also known as CORL Technologies, received the highest number of mentions among surveyed organizations. SecurityScorecard and ServiceNow were also frequently cited, while Deer Brook Consulting was reported as being used across the broadest range of third-party risk management categories.
- Despite growing adoption of risk management tools, respondents did not identify a clear leader in addressing one of their biggest challenges: ongoing vendor maintenance and monitoring.
- Organizations said they want stronger governance and procurement alignment, greater automation, centralized workflows and improved visibility into vendor risks throughout the lifecycle. KLAS concluded that future progress will depend on creating more connected risk management programs with continuous monitoring and clearer ownership after vendors are onboarded.
- The report also found that healthcare organizations continue to own and manage third-party risk governance internally, even as they rely on outside tools and services to make those efforts more structured, scalable and sustainable.