Rochester Regional Health

Rochester Regional Health puts patients first with OneTrust Third-Party Risk Exchange

The healthcare network modernized its third-party risk approach to secure patient health information

Putting patients first
Screening new third-party risk management tech
A modern approach to third-party risk
A clean bill of third-party risk health

Rochester Regional Health is the leading provider of comprehensive care for the Greater Rochester New York community. The healthcare network is supported by over 18,000 employees, including five hospitals, all-inclusive care for elderly and home health programs, outpatient laboratories, rehabilitation programs, and surgical centers, as well as independent and assisted living centers. From harnessing research and technology to helping patients redefine the odds, Rochester Regional Health is leading the evolution of healthcare today.

Due to the sensitive protected health information (PHI) they handle, Rochester Regional Health must validate their third parties are also properly handling this information with the same stringent security and privacy measures, as described by Marcelle Bicker, Senior Information Security Compliance Analyst at Rochester Regional Health

Screening new third-party risk management technologies

For several years, Rochester Regional Health supported third-party risk management through a legacy GRC solution. However, with a contract renewal approaching, the Information Security Compliance team began discussions to move to a more streamlined solution – and away from expensive legacy GRC technology that required too much customization, as well as heavy support.

“The driver for researching new third-party risk management technology solutions stemmed from the need to implement an agile, cloud-based solution that is not only cost-effective but highly flexible to support configurable vendor risk assessment questionnaires directly through the UI,” added Bicker.

Rochester Regional Health leveraged analyst firm Gartner to develop a rating scale and evaluated six technology solutions in the IT Vendor Risk Management Tools market. After extensive due diligence, the organization selected the OneTrust Third-Party Risk Exchange third-party management.

"There was no comparison between our previous solution and VThird-Party Risk Exchange. Third-Party Risk Exchange uses modern tools and techniques to deliver third-party risk management technology which is critical as we work to secure our patients’ PHI in the most streamlined and automated manner."

Marcelle Bicker, Senior Information Security Compliance Analyst

Implementing OneTrust Third-Party Risk Exchange for a modern approach to third-party risk

According to Bicker, “There was no comparison between our previous solution and Third-Party Risk Exchange. Third-Party Risk Exchange uses modern tools and techniques to deliver third-party risk management technology which is critical as we work to secure our patients’ PHI in the most streamlined and automated manner.”

Using the Third-Party Risk Exchange platform, Rochester Regional Health can leverage vendor research and assessments via the Cyber Risk Exchange and implement automation workflows that manage compliance and reduce risks. Additionally, the healthcare provider intends to roll out the Third-Party Risk Exchange platform across its subsidiaries. In doing so, the subsidiaries will be able to categorize risk assessments sent to their partners within their brand, while also giving Rochester Regional Health top-level visibility. “This was a feature that differentiated OneTrust from other tools,” noted Bicker.

Maintaining a clean bill of third-party risk health

Key benefits of Third-Party Risk Exchange include more third-party risk awareness across Rochester Regional Health’s business. Third-Party Risk Exchange helps Rochester Regional Health’s team better execute throughout the vendor process and drives deeper discussions around potential vendor risks.

“I can see a positive change in the way Rochester Regional Health operates our third-party risk management program due to Third-Party Risk Exchange,” said Bicker. “The Third-Party Risk Exchange scoring methodology speeds up our assessment process and helps us to provide recommendations to the business managers of the potential information security risk of partnering with a vendor. “

Bicker adds that one of the most impressive parts about working with Third-Party Risk Exchange is the team’s emphasis on the vendor experience throughout the assessment process.

“Vendor experience is oftentimes overlooked in third-party risk management programs,” she said. “What continues to stand out to me is that Third-Party Risk Exchange prioritizes vendor engagement, and because of this, we’re having more of a conversation with our vendors. We can get better information from them because there’s a better, more concise set of questions in the tool.”

Looking ahead through 2020 and beyond, Rochester Regional Health plans on increasing its project manager’s use of Third-Party Risk Exchange's self-service portal. In doing so, the business will become even more engaged in the third-party risk assessment process.