
Academic Medical Center

How a prestigious academic medical center optimizes third-party security risk management with Isora GRC

At the nexus of medical research, innovation, and patient care resides one of the United States’ most esteemed academic medical centers. This institution is not merely a healthcare provider but a vibrant hub for education and groundbreaking scientific discoveries. Known for its relentless pursuit of excellence, the center has positioned itself as a lighthouse of compassionate care and state-of-the-art research.

However, its reputation for innovation and technological openness also poses a significant challenge. As the institution grows and embraces various third-party systems and services, its technological environment becomes increasingly complex. This complexity raises critical questions about third-party security risk management (TPSRM), particularly in an ecosystem as heavily regulated as healthcare and academia.

The Challenge

Tasked with ensuring the integrity of medical and educational missions, the institution’s Information Security & Assurance Team faced unique challenges as they aimed to securely integrate a growing third-party ecosystem without sacrificing the organization’s fundamental commitment to innovation and excellence. Specifically, the team grappled with:

  • Limited visibility into their systems, third-party vendors’ security postures, and data handling practices
  • Balancing the complex regulatory requirements of multiple compliance frameworks, including HIPAA, PCI DSS, GLBA, CMMC, GDPR, and CCPA
  • Ensuring all stakeholders, from leadership to end-users, are accountable for third-party security
  • Cataloging evidence of due diligence in third-party security management to make it transparent and auditable

“Our mission requires an open and vibrant technology environment. However, this openness brings significant challenges in protecting against cybersecurity threats. It’s a collective responsibility that involves everyone to help safeguard our data and IT systems, ensuring the integrity of both our medical and educational endeavors.”
A key representative from the Information Security & Assurance Team

To address these challenges, the academic medical center began by attempting to understand its existing processes, risk profiles, and the specific needs of various internal teams. But the institution wasn’t just dealing with internal IT assets—it was also contending with various third-party services and vendors, each with its own complexities and security profiles. These ranged from educational platforms to healthcare data analytics tools, each introducing an extra layer of risk.

While trying to cast a wide net to evaluate third-party security, the team realized that getting accurate and comprehensive information from vendors is often challenging. “It’s not as simple as looking at a security checklist,” says a team member, “we needed to dig deeper, much deeper, to truly understand the risks involved.”

At the same time, the team found themselves dealing with a jigsaw puzzle of regulations. For example, a single third-party service might fall under HIPAA for its healthcare data handling, PCI DSS for payment processing, and GDPR for European patients—coordinating this maze of compliance is no small feat.

With the increasing trend of supply chain attacks and more stringent regulations, the challenge was to develop and continuously evolve a TPSRM program that was both comprehensive and nimble. “A solid plan is one thing,” says a team member, “but translating that into a streamlined, user-friendly experience proved to be our real challenge. We needed to move from good to great, from merely functioning to thriving.”

The Solution

“In our pursuit of solutions, we found only complexity. We didn’t need another cumbersome ‘integrated’ platform; we needed precision, a tool crafted to fit our unique challenges,” says the Chief Information Security Officer.

Using Isora GRC from SaltyCloud, the team achieved several key objectives:

  • Maintain a detailed registry of their complex third-party inventory
  • Automate previously manual processes of risk assessments
  • Obtain a clear view of third-party risk profiles and compliance statuses
  • Conduct in-depth questionnaires that reveal critical security loopholes
  • Synchronize data across platforms for a seamless vulnerability management process

Isora’s integration features allowed the tool to pull in existing inventories and assign various responsibilities within the organization. These features, coupled with Isora’s assessment manager, provided a deeper layer of third-party risk understanding by collecting intricate details typically known only to internal relationship managers or the external partners themselves.

Although the institution had an established risk management program, its journey began by focusing on manageable goals. Initially, attention was centered on high-impact contracts and crucial service providers. As the TPSRM program matured, the scope expanded to include diverse types of third-party relationships.

“We didn’t want a one-size-fits-all solution; we wanted something that would work for us.”
Information Security & Assurance Team Member

Managing third-party engagements can be complex, particularly when specialized management teams oversee those relationships. The institution adopted a segmented approach to tackle this problem, directly engaging with managing teams to gather specific and detailed information about their third-party affiliations.

While automation and technology were integral for scaling its TPSRM program, the institution recognized that human interactions and relationship-building were irreplaceable. Once these relationships were in place, the institution took advantage of Isora GRC’s robust API capabilities for further automation, enabling a smooth flow of information and making the TPSRM process even more efficient.

The Outcomes

Before implementing Isora, third-party risk management at the academic medical center was fragmented across various platforms and often relied on outdated, incomplete, or inconsistent data.

After embracing Isora, the Information Security & Assurance team was able to:

  • Make risk information accessible to all organizational levels, fostering a culture of accountability
  • Transform risk assessments from bureaucratic tasks to collaborative, decision-making exercises
  • Achieve full transparency in interactions with third-party vendors, including security practices and the rationale for partnerships
  • Embed risk-aware decision-making into every partnership and organizational initiative, strengthening overall resilience against threats
  • Remove guesswork in tracking third-party engagements by linking specific risks to business units and responsible individuals
  • Make demonstrating compliance an integrated, seamless aspect of the third-party risk management strategy

This journey with Isora GRC has not only improved the security posture of the academic medical center but also armed it with invaluable data and insights. These outcomes are now leveraged to continuously measure and inform the mitigation of information security risks across the organization, enhancing its overall security resilience.

“Building a successful TPSRM program? Start with your people. Without their buy-in, you’ll be stuck with a bureaucratic process that nobody appreciates. Create a culture where everyone is part of the security process, aided by tools like Isora GRC that are transparent, user-friendly, and actionable. It’s a marathon, not a sprint—focused on fostering meaningful relationships and deep organizational understanding. And remember, the goal is continuous improvement, informed by data and shared accountability.”
Chief Information Security Officer
