“Third parties are a common entry point for cyber attacks. This is something you really want to make sure you have under control.”
When you work in healthcare you know how much trust is placed in the systems and vendors connected to daily operations. What often goes unseen is just how quickly that trust can unravel when a third party isn’t vetted properly. That’s why conversations about third-party security are becoming essential, not optional. To help break it down, we turned to someone who spends every day navigating this landscape. Dawn-Marie Dalsass is the Compliance and Risk Management Director at Redox. Her work centers on evaluating vendor integrity, security posture, and compliance. She helps us understand the risks many organizations don’t realize they’ve inherited.
Dawn-Marie explains that due diligence requires validating the legitimacy of a vendor, reviewing their financial stability, and confirming regulatory compliance. It means that you are assessing how vendors handle the sensitive data that healthcare organizations are responsible for protecting. Third parties are a common entry point for cyberattacks. Even seemingly small gaps, such as overdue employee training or unresolved findings in penetration tests, can signal deeper issues.
There is also a need for a plan on how frequently vendors should be reviewed. With technology and AI advancing so quickly, annual reviews may not be enough for high-risk or critical partners. Monitoring changes, reassessing new services, and understanding shifts in a vendor’s operations all help prevent unexpected vulnerabilities. High-risk vendors may need review every six months or more frequently. And as Matt Mock brings up, responsibility ultimately sits with the organization. If something goes wrong, the world won’t blame the vendor; they’ll blame you.
The starting point for this work can be surprisingly simple. Before diving into technical documentation, verify the basics such as legal registration, physical address, tax ID, and OFAC status. That foundation can reveal more than most people expect. Strong security is built on awareness, curiosity, and the willingness to look closely at who you’re letting in the door.
Episode Highlights
- [00:01:15] Third-party due diligence and security reviews.
- [00:03:25] How regulatory requirements like HIPAA, PCI DSS, GDPR shape due diligence.
- [00:05:28] Ongoing monitoring and review expectations.
- [00:06:19] Physical access risks: background checks for on-site vendor personnel.
- [00:07:44] Company’s responsibility to vet vendors, especially as AI evolves.
- [00:09:42] What documentation to request and how to evaluate red flags.
- [00:12:27] Common red flags: incomplete training, high-severity pen-test findings, litigation.
- [00:17:07] Dawn-Marie’s “core four” steps for starting a third-party review program.
Contacts
- Matt Mock
- Meghan McLeod