
Your Vendor Risk Assessment Is a Joke (Here's How to Fix It)
Vendor security questionnaires are self-reported theater that tells you nothing useful. Real vendor risk assessment means verifying claims, mapping connections, and building breach scenarios for your most critical dependencies.
GuardsArm Team
Security Experts
You send every vendor a security questionnaire. They fill it out. You file it. You check the box. You move on.
Congratulations. You just wasted everyone's time.
Vendor risk assessment in healthcare has become a ritual. Everyone goes through the motions. Nobody learns anything useful. And meanwhile, your third-party vendors remain the most likely path an attacker will use to get into your environment.
The Change Healthcare breach in 2024 proved this in the most expensive way possible. One vendor. One compromised credential. Billions in damages across the entire healthcare ecosystem. And you can bet that Change Healthcare had filled out hundreds of security questionnaires from their customers. They passed. It didn't matter.
Why questionnaires don't work
Security questionnaires are self-reported. The vendor fills out the answers. They say what you want to hear. Nobody verifies the responses. Nobody audits the evidence. It's an honor system, and the incentive structure is completely wrong.
The vendor wants your business. They're not going to tell you that their patching process is three months behind or that their developers have admin access to production databases. They're going to check "yes" on every question and attach whatever policies they have, regardless of whether those policies are actually enforced.
I reviewed a vendor risk assessment last year where the vendor claimed they had 24/7 SOC monitoring. They didn't. They had a managed SIEM that sent email alerts to an IT manager who checked them in the morning. That's not 24/7 monitoring. But the questionnaire asked "Do you have continuous monitoring?" and the answer was "Yes" because technically the SIEM was running continuously. Just nobody was watching it.
Questionnaires also create a false sense of completeness. You ask 200 questions, you get 200 answers, and you feel like you've covered everything. But the questions are generic. They don't account for the specific way this vendor connects to your environment, what data they access, or what would happen if they were compromised.
The tiering problem
Most healthcare organizations tier their vendors into categories -- critical, high, medium, low -- and apply different levels of assessment to each tier. Makes sense in theory. In practice, the tiering is usually wrong.
Vendors get tiered based on contract value or the type of service they provide. Your EHR vendor is critical. Your janitorial service is low. Seems obvious.
But what about the small IT services company that has VPN access to your network for remote support? They're a $50,000 contract. They're tiered as "medium" or "low." But they have the same network access as your internal IT team. If they get compromised, an attacker walks straight into your environment.
The Change Healthcare situation was exactly this pattern at scale. Organizations that didn't have a direct contract with Change Healthcare were still devastated because their clearinghouse or pharmacy benefit manager depended on Change Healthcare. The risk wasn't in the direct vendor relationship. It was in the dependency chain.
What good looks like
A real vendor risk program goes beyond questionnaires. Here's what separates useful assessments from theater.
First, right-size the assessment to the actual risk. The question isn't "how big is this vendor?" It's "what happens if this vendor gets breached?" A small company with remote access to your network poses more risk than a large company that only receives de-identified data. Tier based on access, data sensitivity, and operational dependency. Not contract value.
Second, verify claims. Don't just accept the questionnaire answers. Ask for evidence. Request their latest penetration test executive summary. Ask for their SOC 2 report. Check their external attack surface using tools like SecurityScorecard or BitSight. If they claim they have MFA enforced, ask to see the configuration. Trust but verify isn't just a saying.
Third, assess the connection, not just the vendor. How does this vendor connect to your environment? What protocols? What ports? What authentication? What data flows between your systems and theirs? The vendor's overall security posture matters, but what matters more is the specific interface between their environment and yours.
Fourth, monitor continuously. A point-in-time assessment tells you the vendor's security posture on one day. Their posture can change overnight. Use continuous monitoring tools that track vendor risk ratings over time and alert you when something changes. A vendor whose external-facing infrastructure suddenly shows new critical vulnerabilities warrants a conversation.
Fifth, build breach scenarios. For every critical vendor, answer this question: "If this vendor gets breached tomorrow, what's our exposure and what's our response?" If you can't answer that quickly and specifically, your vendor risk assessment hasn't done its job.
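As an added illustration of the first and fifth points (not code from GuardsArm or from this article), the script below tiers vendors by access, data sensitivity and operational dependency rather than contract value, propagates dependency risk up the chain so a fourth party nobody contracts with directly still surfaces, and produces a "what if they're breached tomorrow" summary per vendor. The weights, thresholds, field names and the vendor list are all constructed assumptions for illustration; a real program would set its own.

```python
"""Tier vendors by what a breach would expose, not by contract value.

Added example, not GuardsArm's tooling. The weights, thresholds and the
vendor list are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed weights: remote/VPN access and PHI dominate because they give an
# attacker the same footing as internal staff.
ACCESS_WEIGHT = {"none": 0, "data_export": 2, "api": 3, "vpn_or_remote": 5}
DATA_WEIGHT = {"none": 0, "deidentified": 1, "phi": 5}
DEPENDENCY_WEIGHT = {"none": 0, "degraded": 3, "outage": 6}


@dataclass
class Vendor:
    name: str
    contract_value: int          # USD; deliberately not part of the score
    access: str                  # key into ACCESS_WEIGHT
    data: str                    # key into DATA_WEIGHT
    dependency: str              # what happens to operations if they go down
    depends_on: list = field(default_factory=list)  # upstream (fourth-party) names


def blast_radius(vendors: dict, name: str) -> set:
    """Names of every vendor that transitively depends on `name`.

    Walks the reverse dependency graph; `seen` also guards against cycles.
    """
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        for v in vendors.values():
            if current in v.depends_on and v.name not in seen:
                seen.add(v.name)
                stack.append(v.name)
    return seen


def exposure_score(vendors: dict, name: str) -> int:
    """Access + data + the worst operational dependency anywhere downstream.

    Dependency risk propagates up the chain: an upstream vendor with no
    direct contract inherits the impact of everyone built on top of it.
    """
    v = vendors[name]
    downstream = [vendors[d].dependency for d in blast_radius(vendors, name)]
    worst_dependency = max(DEPENDENCY_WEIGHT[x] for x in [v.dependency] + downstream)
    return ACCESS_WEIGHT[v.access] + DATA_WEIGHT[v.data] + worst_dependency


def tier(score: int) -> str:
    """Assumed thresholds; tune to your own risk appetite."""
    if score >= 11:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(vendors: dict) -> dict:
    """Map each vendor name to (exposure score, tier)."""
    return {n: (exposure_score(vendors, n), tier(exposure_score(vendors, n))) for n in vendors}


def breach_scenario(vendors: dict, name: str) -> dict:
    """The 'if this vendor is breached tomorrow, what is our exposure' answer."""
    v = vendors[name]
    return {
        "network_path": v.access != "none",          # do they reach our environment?
        "data_exposed": v.data,
        "downstream_impact": sorted(blast_radius(vendors, name)),
        "tier": tier(exposure_score(vendors, name)),
    }


# Constructed sample vendors (not real companies).
SAMPLE = {v.name: v for v in [
    Vendor("EHR Platform", 2_000_000, "api", "phi", "outage", ["ClearinghouseCo"]),
    Vendor("RemoteSupport IT", 50_000, "vpn_or_remote", "phi", "degraded"),
    Vendor("Janitorial", 80_000, "none", "none", "none"),
    Vendor("Analytics Research", 500_000, "data_export", "deidentified", "none"),
    Vendor("ClearinghouseCo", 300_000, "api", "phi", "outage", ["UpstreamClearing"]),
    # No direct contract with us: a fourth party reached only through the chain.
    Vendor("UpstreamClearing", 0, "none", "none", "none"),
]}

if __name__ == "__main__":
    by_contract = sorted(SAMPLE, key=lambda n: -SAMPLE[n].contract_value)
    by_exposure = sorted(SAMPLE, key=lambda n: -exposure_score(SAMPLE, n))
    print("ranked by contract value:", by_contract)
    print("ranked by exposure:      ", by_exposure)
    for n in by_exposure:
        print(n, assess(SAMPLE)[n], breach_scenario(SAMPLE, n)["downstream_impact"])
```

Run as-is, the two rankings disagree exactly where the article says they will: the $50,000 remote-support vendor is second from the bottom by contract value and lands in the critical tier by exposure, and the upstream clearinghouse with no contract at all still rates high because two critical vendors sit on top of it.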
The contract angle
Your vendor contracts should include security requirements with teeth. Notification timelines for breaches. Right to audit. Minimum security controls. Liability for security failures.
Most healthcare vendor contracts have vague security language that nobody reads until after an incident. At that point, you discover that the vendor's liability is capped at the contract value -- which might be $100,000 for a vendor whose breach costs you $5 million.
Negotiate security terms before you sign. Include specific requirements for MFA, encryption, patching timelines, and incident notification. Make it clear that failure to maintain these controls is a material breach of the contract.
Start now
If your current vendor risk program is a questionnaire spreadsheet and a filing system, you're not managing risk. You're documenting it. There's a big difference.
GuardsArm helps healthcare organizations build vendor risk programs that actually reduce risk. We assess your critical vendors, map your dependency chains, evaluate your most dangerous connections, and build monitoring processes that catch problems before they become breaches. If your vendor risk program isn't giving you confidence, we can fix that.
Written by GuardsArm Team
Our team of cybersecurity experts brings decades of combined experience in penetration testing, compliance auditing, and incident response. We're dedicated to helping organizations strengthen their security posture.