Jaren Day
Today we’re talking about third party risk. Let’s get started! When we talk about cyber risk, most people picture hackers breaking into systems. But the biggest threat for health care organizations today may come from the companies that we rely on every single day.
You’re looking at your payroll providers, your cloud services, your claims processors, your medical device manufacturers. These are all our third parties. And when they go down, we can go down in health care as well. Over the last year, we’ve been listening to healthcare leaders across the country on this issue. The message is clear. Third party risk is no longer just a security problem. This is a business problem. And we’ve seen it firsthand.
A single outage at a vendor can stop your paycheck from getting to your employees. It can delay appointments for patients. You can get your clinicians locked out of the tools that they’re trying to use. And one executive shared with us during this research that everything works until it doesn’t, and then it just becomes chaos.
In many of the conversations we’ve had, leaders have admitted that their current approach to third party risk is focused on paperwork and checklists, not on making sure that care continues when a partner fails.
That gap is why we want to bring this conversation to the executive level.
Leaders have highlighted with KLAS that there are three blind spots that executives should be aware of.
First, operational continuity. Most organizations assume that vendors will always be available, until they aren’t. Second, prioritization. We often treat vendors the same, even though only a small percentage could bring our operations to a halt. And third, fragmentation. Different departments rely on vendors. IT security, operations, finance—everyone evaluates the vendor separately.
No one sees the full picture. That’s how healthcare ends up spending months on low-risk vendors while missing the real points of exposure.
So, what does better look like? Imagine this. You have a clear, shared dashboard that shows vendors that are truly critical to your hospital or system, what the business impact would be if they went offline, and what contingency plans exist.
Think about your payroll, your claims, your scheduling—the lifeblood of your operations. For those vendors, you want backup processes in place and tabletop exercises to make sure they actually work. For everyone else, a lighter approach can be fine. This is about aligning attention and investment where it matters.
There’s also an important message for vendors. Health care needs more than a compliance report. They need real transparency into how you support them when things go wrong. Some forward-thinking vendors are drafting contingency playbooks for their clients, outlining exactly what they’ll do in the event of an outage.
That’s the kind of partnership that builds trust and protects patient care.
The executives we’ve been talking to have also raised new challenges, like the rapid adoption of AI across vendor platforms. On one hand, it can help by speeding up tasks and catching risks earlier. On the other hand, it adds new data and security exposures if it’s not well governed.
That’s the key takeaway for leaders. Don’t treat AI as just another feature. Ask your vendor how they’re safeguarding the data and how it affects your risk.
The bottom line is this: third party risk isn’t about questionnaires.
It’s about resilience. As an executive or leader in health care, your role is to make sure your organization can keep caring for patients, keep paying staff, and keep the lights on even when a partner goes offline. That means asking different questions.
Thanks for listening about third party risk. We have impactful research coming out in the next couple of months on this topic, and we would love to hear from you if third party risk is a challenge at your organization, or if something is going well and you want to share innovations and what you think the future of third party risk should look like.
Don’t forget to like and subscribe if you enjoyed the content today.


