Case Study

How a healthcare company tackles third-party risk with tech and data

Eager to protect patient privacy, the health services company built a robust system by leveraging AI and modern approaches.

1

The better the question

How can AI simplify TPRM while deepening risk insights?

The healthcare giant set out to unify fragmented data, disconnected systems and siloed processes to enable comprehensive, data-driven risk management.

In early 2024, a ransomware attack crippled one of the largest medical claims processors in the US, responsible for 15 billion transactions annually. This breach — the largest of its kind in US history — sent shockwaves through the industry, impacting the personal information of over 190 million patients and threatening to put physicians out of business.1

Risks from third parties, particularly those supporting or directly involved in a company’s operations, can inflict significant damage on an organization’s operations, its reputation and its customers — and cybersecurity is just one aspect of managing those risks. For most sectors, third-party risks can encompass quality, reputation, resiliency, privacy, operations and many more. In healthcare specifically, protecting vast amounts of sensitive personal data alongside meeting regulatory demands remains an increasingly delicate daily balance.

Like many large and growing organizations, the Fortune 50 global health services company had been confronting challenges in third-party risk management: disparate data and systems and siloed processes limited the organization’s ability to improve its third-party risk posture in a rapidly changing ecosystem.

Leadership wanted a leading-class solution that was end-to-end, data-driven, and enabled by technology and artificial intelligence (AI) — and as a result would improve the company’s risk posture and resiliency. The overall goal was to: increase the visibility of risks among third parties, segment them into groups prioritized by the level of risk, and then be equipped to proactively respond to these risks, as needed — simply, effectively and efficiently.

 

To help make that goal a reality — and motivated by the imperative to protect patients — the client hired an EY team to enable comprehensive, data-driven risk management across the enterprise.

2

The better the answer

Making third‑party risk simpler and smarter

A practical, tech‑enabled approach gives leaders better visibility and control.

For this large healthcare client, third-party risk can surface through two specific streams: its network of providers or traditional suppliers such as call centers, outsourcers and technology partners. Executives wanted a custom solution that would address third-party risk management from end to end.

“We’re seeing more clients adopt tech- and data-driven strategies to tackle risk management challenges, connecting systems and processes across the enterprise,” said Daniel Prior, EY Americas Integrated Risk Management Leader. “This approach is especially prevalent in third-party risk management, though it’s gaining traction in other areas as well.”

Establishing an end-to-end, connected process through orchestration

Managing third-party risk was not new for this organization, but its approach needed to evolve to eliminate silos, provide comprehensive visibility into third-party risks, and simplify the process for the business — enabling faster and better decision-making. Part of its solution was to leverage ServiceNow to establish a digital front door and workflows to better connect both procurement and third-party risk processes across matrix partners.

ServiceNow serves as a digital backbone, streamlining end-to-end processes, enhancing third-party risk management, improving end-user experience, and connecting previously siloed operations to drive greater efficiency. As an example, a user can initiate a single request to purchase goods or services and provide, only once, all the information required to trigger downstream processes, replacing what previously required multiple touch points and logins to different systems without a clear purpose. Users can search for third parties and understand any potential risks associated with that third party or its services up front. In addition, the platform provides a single dashboard to initiate or respond to various needs throughout the process.

This was an effective way to simplify and automate traditionally complex processes to focus on the right risks at the right time — enhancing the business experience and allowing for a more dynamic, data-driven approach to risk management. Instead of being bombarded with emails from multiple systems, employees are onboarded into this new streamlined process, quickly recognizing that it simplifies their work.

Applying a data-driven approach leveraging internal and external information

Companies often depend on self-reported surveys from third parties to assess controls over sensitive data. However, organizations also have access to a broad range of valuable data — spanning quality, performance, resiliency, privacy, regulatory compliance and cybersecurity — that can enhance risk assessment and prioritization. The challenge is that this data is often scattered across disconnected systems. Increasingly, organizations are leveraging both internal and external data sources to assess risk more effectively and in real time.

This client created “data products” in Databricks to centralize relevant data for managing third-party risk and establishing clear sources of truth. Applying data science and analytics, these data products created another essential layer of the company’s new approach for managing third-party risk. The risk models enable risk identification, assessment and prioritization, leveraging both internal and external data inputs, many of which are real-time. This foundation enables AI-driven insights, transforming how the company and its partners will manage risk through data.

Establishing risk decisioning and escalation processes

Managing third-party risk requires not only knowing where there is risk but being able to efficiently and effectively make decisions regarding those risks. This client worked to define clear processes and criteria for making risk decisions, including escalating risks to the appropriate levels of the organization, as needed.

With the new tools, the client can bring risks to the appropriate decision-makers based on data-driven criteria for review and decisioning. In addition, AI can be utilized to analyze risks and determine potential next steps for decision-makers, keeping the “human in the loop.”

Visualizations and AI help synthesize complex data, accelerating risk analysis and driving faster, more informed outcomes. As an example, AI can analyze third parties based on provided criteria and identify potential next steps for consideration, saving significant time and emphasizing strategic activities.

Adopt AI to add self-service and other efficiencies to risk analysis

Risk dashboards are useful, but generative AI (Gen AI) can deliver a much more interactive, self-service capability. The client developed an AI-enabled chatbot in which users can generate information or input criteria for analysis to inform risk decision-making. The data can be interrogated through a discussion in natural language, like any other AI interface.

“You can ask the chatbot a question, and it will determine the best visual to support the response, or you can ask it to create a visual with a certain X and Y axis, in certain colors, in scatter plots and more,” said Gail Babes, EY US Health Data and Analytics Leader. “It’s very user-friendly and customizable.”

 

With the new approach in place, the client is advancing its AI journey — recognizing that AI can empower users with self-service insights for third-party risk management, moving beyond static reports and dashboards.

3

The better the world works

As risks evolve, executives gain more confident decision-making

New tools are helping the company continue to evolve — using AI to enhance third-party monitoring and management, ultimately protecting patients better.

Drawing on key risk management principles and modern technologies, this healthcare organization will have a fully digital and AI-enabled solution for managing third-party risk across the enterprise in a rapidly evolving healthcare industry, in which the challenge of protecting patients is greater than ever. These efforts to work with third-party vendors, drive efficiencies and lower costs are valuable on their own. Additionally, company leaders can now scrutinize their third-party ecosystem more effectively and dynamically — and make better decisions in real time.

And it’s just the start. The company will continue to explore additional AI capabilities in contracts and elsewhere. By leveraging AI, for example, this health services leader anticipates significantly expanding the breadth of strategic or higher-risk third parties that receive a greater degree of ongoing monitoring and management.

The client’s ServiceNow platform is also poised to evolve. EY teams are now relying on personas to better connect with different user groups, including those who manage risk (in cyber and compliance), those in the business (who want to buy things), and those who oversee functions, all of whom have different needs and approach the platform differently. As part of those plans, a portal for third parties to interact with is also in the works.

 

“The healthcare industry is staring at a landscape of unfathomable third-party risk, in cybersecurity and other domains,” said Jim Welch, EY US Health and Life Sciences Leader. “But this global health leader and EY are designing a better tomorrow, one in which data and AI are enabled on a massive scale in the service of empowering employees and protecting patients.”

