Potential Risks with Vendors

At Kaiser Permanente, we depend on a variety of vendors to help us achieve our mission to provide high-quality, affordable health care. Whether you work in a hospital, office or clinic you are likely surrounded by products or services provided by our vendors.

Vendors play an important role in Kaiser Permanente’s efforts to protect sensitive information. Risks can be associated with vendors that have access to our networks, systems or data, such as protected health information (PHI), personally identifiable information (PII), and payment card industry (PCI) data. Understanding a vendor’s ability to protect sensitive information and manage technology risk is important to Kaiser Permanente and helps us make decisions on how best to manage risk.

Vendor Risk Management Guardrails

The VRM team developed these guardrails as guidance for KP business owners using or considering services from third-parties. They bring understanding to privacy and security risk factors, and to relevant compliance obligations related to these engagements.

How can the Technology Risk Office help?

Our TRO Vendor Risk Management (VRM) team can help you better manage technology risks through robust review, risk-tracking and monitoring activities. Through these activities, we can ensure vendors providing technology or services to KP and accessing KP sensitive data are following key security principles and meeting compliance and regulatory requirements.

Other TRO services to help you manage vendor risk include:

  • Requests for Proposal (RFP) in instances that include reviews of vendor solutions or services. Learn More
  • Requests for consultation for potential projects involving vendor solutions/services. Learn More
  • Contract review support during contract development to ensure data security standards are included. Learn More
  • Due diligence reviews during onboarding of new vendor services to identify potential security gaps. Learn More
  • Response management in instances of security breaches and incidents. Learn More
  • Request for vendor analytic reports which can include information on vendor risk profiles, data access level, KP data access method and vendor location. Email vrm@kp.org

For additional resources including general vendor requirements and guidelines, visit KP’s Supplier Site.

For any additional questions including request for risk management information on KP vendors, please contact the TRO Vendor Risk Management team at vrm@kp.org.

Frequently Asked Questions

Sourcing – Engage with VRM to identify if there are existing vendors with similar services already being provided to KP or to perform a review of RFP candidates

Due Diligence – Complete a TRO engagement request and assist in the completion of an inherent risk assessment and potentially a vendor controls assessment

Contracting – Ensure that all necessary data security standards are included in the contract; you may engage VRM to perform a review of the contract if needed

Onboarding – Ensure that due diligence is complete and any open issues have been closed and documented by the engagement owner through remediation or risk acceptance

Monitoring – Notify VRM of any changes in the services provided by the vendor or of any vendor breaches; support VRM in ongoing risk management activities for your vendor

Termination – Ensure that all KP data is properly returned or destroyed and notify VRM of the termination of the vendor services

All vendors are monitored through the risk management process. Any vendor with access to KP data and/or systems is in scope for privacy & security risk assessments. Some vendor services, such as catering or hotels, may be categorized as low risk and will not require risk management activities.

Vendor risk assessments are advisory and assessment services to ensure vendors are compliant with regulatory and KP information security requirements. Vendor risk assessments:

• Help Kaiser Permanente remain compliant with regulatory obligations
• Provide guidance to project teams and leadership to manage technology risk introduced by new solutions or services
• Monitor ongoing risk with vendor solutions or services

• Initial risk consultation/inherent risk assessment
• Technology controls design and implementation review
• Monitoring risk assessments for higher risk services provided by vendors

Timing varies with each vendor. Timelines will be communicated to you during your initial meeting.

No Personal Information or Patient/Personal Data may be accessed, generated, hosted, downloaded, printed, stored, processed, transferred, or maintained outside of the United States by Vendor or any Vendor Subcontractor or any services provided to Kaiser Permanente from an offshore location without Kaiser Permanente’s prior written approval. Such approval may be withheld by Kaiser Permanente for any reason in its sole discretion and/or approval may be subject to additional terms and conditions.

¹Personal Information” or “Patient/Personal Data” means personally identifiable information, data or records relating to or concerning any patient, member, plan participant, employee or contractor of any Kaiser Permanente entity, including, without limitation, Protected Health Information (“PHI”) under HIPAA and “Cardholder Data” under the Payment Card Industry (“PCI”) data security standards. Personal Information shall always be Confidential Information of Kaiser Permanente.