Rochester Regional Health is the leading provider of comprehensive care for the Greater Rochester New York community. The healthcare network is supported by over 18,000 employees, including five hospitals, all-inclusive care for elderly and home health programs, outpatient laboratories, rehabilitation programs, and surgical centers, as well as independent and assisted living centers. From harnessing research and technology to helping patients redefine the odds—Rochester Regional Health is leading the evolution of healthcare today. 

Due to the sensitive protected health information (PHI) they handle, Rochester Regional Health must validate their third parties are also properly handling this information with the same stringent security and privacy measures, as described by Marcelle Bicker, Senior Information Security Compliance Analyst at Rochester Regional Health

Screening new third-party risk management technologies 

For several years, Rochester Regional Health supported third-party risk management through a legacy GRC solution. However, with a contract renewal approaching, the Information Security Compliance team began discussions to move to a more streamlined solution – and away from expensive legacy GRC technology that required too much customization, as well as heavy support. 

“The driver for researching new third-party risk management technology solutions stemmed from the need to implement an agile, cloud-based solution that is not only cost-effective but highly flexible to support configurable vendor risk assessment questionnaires directly through the UI,” added Bicker.  

Rochester Regional Health leveraged analyst firm Gartner to develop a rating scale and evaluated six technology solutions in the IT Vendor Risk Management Tools market. After extensive due diligence, the organization selected the OneTrust VendorpediaTM third-party risk management software. 

Implementing OneTrust Vendorpedia for a modern approach to third-party risk

According to Bicker, “There was no comparison between our previous solution and Vendorpedia. Vendorpedia uses modern tools and techniques to deliver third-party risk management technology which is critical as we work to secure our patients’ PHI in the most streamlined and automated manner.”

Using the Vendorpedia platform, Rochester Regional Health can leverage vendor research and assessments via the Cyber Risk Exchange and implement automation workflows that manage compliance and reduce risks. Additionally, the healthcare provider intends to roll out the Vendorpedia platform across  its subsidiaries.  In doing so, the subsidiaries will be able to categorize risk assessments sent to their partners within their brand, while also giving Rochester Regional Health top-level visibility. “This was a feature that differentiated OneTrust from other tools,” noted Bicker.

Maintaining a clean bill of third-party risk health 

Key benefits of Vendorpedia include more third-party risk awareness across Rochester Regional Health’s business. Vendorpedia helps Rochester Regional Health’s team better execute throughout the vendor process and drives deeper discussions around potential vendor risks. 

“I can see a positive change in the way Rochester Regional Health operates our third-party risk management program due to Vendorpedia,” said Bicker. “The Vendorpedia scoring methodology speeds up our assessment process and helps us to provide recommendations to the business managers of the potential information security risk of partnering with a vendor. “

Bicker adds that one of the most impressive parts about working with Vendorpedia is the team’s emphasis on the vendor experience throughout the assessment process. 

“Vendor experience is oftentimes overlooked in third-party risk management programs,” she said.  “What continues to stand out to me is that Vendorpedia prioritizes vendor engagement, and because of this, we’re having more of a conversation with our vendors. We can get better information from them because there’s a better, more concise set of questions in the tool.” 

Looking ahead through 2020 and beyond, Rochester Regional Health plans on increasing its project manager’s use of Vendorpedia’s self-service portal. In doing so, the business will become even more engaged in the third-party risk assessment process.