Executive Summary
The healthcare industry juggles a complex web of vendors, from IT to pharmaceuticals and medical devices, each a potential entry point for cyberattacks. A breach at any of these vendors can expose patient records and disrupt vital healthcare services.
Yet managing hundreds of vendors with varying security postures can be a logistical nightmare. A “leading health insurance company” in the U.S. was facing this exact challenge.
This leading health insurance company was using a GRC tool to manage their third-party risk assessments. While it offered some support, the tool required extensive customization, creating a constant challenge with updates and limiting scalability as their vendor network grew. This left the leading health insurance company looking for a better solution to streamline and automate their third-party risk management process.
Challenges
- Time-consuming manual assessments
- Limited scalability for a growing vendor network
- Generic questionnaires with limited risk insights
- Multiple communication channels reduced efficiency
Solution
The leading health insurance company implemented Panorays’ TPRM platform, achieving:
| | Before Panorays | After Panorays |
|---|---|---|
| Productivity | Time-consuming, large headcount | Automated assessments and workflows, smaller headcount |
| Scalability | Limited | Efficient growth as vendor network expands |
| Customization | Static workflows, limited customization | Flexible configuration, granular customization |
| Visibility | Limited visibility of vendor landscape | Real-time visibility of third parties' posture and compliance |
| Vendor communication | Multiple channels | Streamlined platform for all interactions |
The High Stakes of Healthcare Cybersecurity
The healthcare industry faces a unique cybersecurity challenge. Patient data is a goldmine for cybercriminals, containing a wealth of personally identifiable information and protected health information. This data can be used for fraudulent medical claims, identity theft, and other criminal activities. A concerning trend emerges from recent HIPAA Journal reports: data breaches exposed over 133 million patient records in 2023 alone, highlighting a significant increase from previous years.
In addition, the ever-expanding network of third-party vendors introduces further vulnerabilities. These vendors may have their own security weaknesses, and a single breach can expose the sensitive data of countless patients across multiple healthcare providers.
A striking example is the 2021 breach at Elekta, a provider of cloud-based oncology-related data services. This breach affected Northwestern Memorial HealthCare and other healthcare providers, exposing the personal and clinical information of over 200,000 oncology patients. It was a compelling reminder of the interconnectedness within the healthcare ecosystem, and the need for end-to-end security measures throughout the entire network.
Company Profile and Background
This leading health insurance company is one of the largest health insurers in the United States. ‘Jake’, a senior information security executive, has been with the company for a decade. Currently leading the company’s Third-Party Risk Management program, his team is focused on conducting risk assessments of third parties handling sensitive data.
Jake explains that the company acknowledged the need for a TPRM program and had already implemented a GRC tool to manage risk assessments. However, Jake identified limitations with the existing system:
“The GRC tool we were using wasn’t built for our specific TPRM workflow. We had heavily customized the platform to automate risk assessments for third parties. This included questionnaires, workflows, and external communication. While it achieved some automation, it was a constant battle. Maintaining those customizations was expensive and time-consuming. Every update seemed to break something, requiring us to redo everything.”
Faced with these challenges, Jake was searching for a TPRM solution offering both powerful automation to streamline workflows and built-in customization to tailor them to the company’s unique needs.
Panorays. The Perfect Fit for Tailored, Automated TPRM.
After evaluating several TPRM solutions, Jake chose Panorays as the company’s new TPRM tool. He points to key features and benefits that made Panorays the ideal fit:
Easy Customization
Unlike their previous GRC tool, Panorays offered an intuitive, customizable interface. The team could finally align the tech with existing processes, easily customize workflows and questionnaires, and quickly integrate new processes without coding.
Smart Automation
By automating risk assessments, Panorays could free up significant time and resources spent on tedious manual tasks. Automation also meant fewer errors, allowing the company to redirect headcount to more strategic initiatives.
All-in-One Solution
Panorays addressed every stage of the vendor lifecycle, combining automated risk assessments with standardized questionnaires and a built-in vendor communication platform. Here, Jake saw a double win: gaining 360-degree control over their third-party risk landscape, minus the costs of purchasing and managing other tools.
Strong Partnership
Beyond the tech, Jake appreciated Panorays’ commitment to being a true partner: “They were proactive, responsive, and built a sense of trust through open communication, giving the team confidence in managing third-party risks effectively”, he says.
Results
Panorays delivered on Jake’s expectations for a powerful and adaptable TPRM solution. Here are some of the key results they’ve achieved:
- The company was able to easily scale its TPRM program as its network of vendors grew. Currently managing 300+ suppliers in Panorays, they expect to onboard 100+ vendors in the next 18 months.
- They can efficiently tailor assessments to specific industries, risk profiles, and vendor types, with Panorays pinpointing the most relevant data to assess their security posture.
- Before using Panorays, the company relied on multiple communication channels for vendor engagement. Now, they leverage Panorays’ built-in communication platform for all interactions, including assessments, controls, findings, and remediation tasks.
- Automation has streamlined workflows, reducing the need for manual work. The team can now manage a growing number of third-party assessments with a smaller headcount.
- Using Panorays’ reporting module, the company can generate on-demand reports on third-party risks that provide in-depth insights and key metrics.
- The company has ongoing visibility into its supply chain and a 360-degree view of its vendor landscape, allowing it to proactively manage risks and maintain compliance.
Panorays is more than just a vendor; they’re a partner. They’re proactive in developing solutions and addressing any issues we raise. This collaborative approach gives us great confidence.