Third-party risk management (TPRM) has become one of the biggest challenges in healthcare cybersecurity. Healthcare organizations depend on a large network of technology vendors, service providers, infrastructure partners, and business associates. The problem has only grown as providers and vendors introduce AI into healthcare environments, both in evaluating new AI vendors and in trying to understand how their existing vendors are adding AI capabilities after implementation. That makes third-party risk harder to manage through a one-time questionnaire.
In practice, healthcare organizations must manage the risks these technologies introduce and monitor vendor performance over time, not just at the point of purchase. Failures in this area can create major disruptions, and you don’t need to look far to find prominent examples both inside and outside healthcare.
When we first began exploring TPRM more deeply, KLAS wanted to understand whether current processes were helping organizations meaningfully reduce risk or merely helping them document that a process exists. Overall, what we have found and discuss in our new Third-Party Risk Management in Healthcare 2026 report is that many organizations have made progress on front-end diligence, especially with intake, questionnaires, contract review, and security assessments. The bigger gap is what happens after approval.
Points to Know
- TPRM maturity varies significantly from organization to organization. While some have established vendor intake and governance processes, 27% are still developing formal governance structures.
- Most TPRM efforts focus on vendor approval, not ongoing oversight.
- Some healthcare organizations want stronger coordination and accountability. About a quarter of respondents believe that third-party risk has become too complex to manage alone.
- Proposed regulations won’t solve TPRM challenges alone. The proposed HIPAA Security Rule updates may strengthen security expectations, but organizations ultimately need collaboration among healthcare providers, vendors, TPRM solution providers, industry groups, and government agencies to build end-to-end risk management.
The Current State of Third-Party Risk Management
Initially, we assumed much of TPRM was driven by compliance requirements rather than actual risk reduction. The research largely supported that assumption, with some nuances. Many healthcare organizations are making real progress in building front-end processes that evaluate vendors before they are approved. Other, more mature organizations are bringing all stakeholders into the process earlier, when they can still influence contract terms, request evidence, and define safeguards.
But maturity levels vary widely across organizations. An organization may have a governance process in place, but that doesn’t necessarily mean it is mature. Some are still building the foundation; in our research, 27% of respondents are still developing formal governance structures at intake. Given the importance of AI and third-party risk, that’s a significant concern.
Organizations frequently ask whether they are doing enough.[1] Many are putting together AI governance committees, intake processes, or review workflows, but they are still trying to understand if those structures will meet their needs.
Meanwhile, many organizations are still managing third-party risk through manual, fragmented processes. Vendors are attempting to help, but most are limited because they focus on only one portion of what is effectively a multistep process. Most TPRM investments have gone to the front end of the vendor life cycle, including intake, questionnaires, evidence collection, and scoring. Those steps are important, but they do not address what happens after a vendor is approved.
Clearly, the TPRM market is active but still immature.
Proposed Regulations: Do They Align with Market Needs?
One of our most interesting findings was the industry’s growing interest in stronger regulation and increased vendor accountability. Traditionally, organizations have been hesitant to ask for more government involvement. However, a quarter of respondents said better regulation and vendor accountability are needed to advance TPRM.
The proposed updates to the HIPAA Security Rule are relevant here because they would raise expectations for how covered entities and business associates protect electronic protected health information. They also include provisions that touch third-party risk, but the proposed updates would not fully solve the broader TPRM challenges. The issue is not only whether vendors have security controls in place; organizations also need a more connected operating model. They need a reliable source of truth for vendor risk, clearer ownership across the vendor life cycle, reusable evidence, visibility into meaningful vendor changes, and sustainable processes for follow-up, reassessment, and remediation.
In other words, regulation can help raise the floor, but it will not solve TPRM by itself. The future of TPRM will also require stronger collaboration between healthcare organizations, technology vendors, TPRM solution providers, industry groups, and government agencies.
An Evolving Industry
If I’ve learned anything in this research, it’s that healthcare organizations are no longer asking whether third-party risk matters; they know it does. Instead, the question is how to manage it in a sustainable way.
Many organizations are making progress on intake; they have a governance structure and are routing vendors through security reviews and collecting evidence before signing contracts. But healthcare organizations need more transparency into the entire life cycle in TPRM. That is where the market still has a lot of work to do.
As technology, AI, and vendor ecosystems continue to evolve, KLAS will continue to closely monitor the state of TPRM. In the meantime, I recommend reading the full report to learn more.
[1] As a brief note, a new industry resource may help answer that question. The Health Sector Coordinating Council Cybersecurity Working Group recently released the Health Industry AI Cybersecurity Governance Framework Implementation Guide. In practice, it should help healthcare organizations establish cybersecurity governance frameworks around secure AI implementation. It provides a starting point for organizations still building AI governance. For those that already have a governance process in place, it can serve as a benchmark to identify gaps and strengthen oversight.