How doctor on demand manages its entire vendor risk management process through Whistic
Background
Improving the world’s health through compassionate care and innovation
For many companies, digital security and vendor risk management are often an add-on or supplement to an existing security strategy. For Doctor On Demand, however, it is a priority. As a telemedicine provider working with patients and clients all over the country, there are strict guidelines in place that dictate what they can and cannot do with both patient data and data that is coming in or leaving through other sources.
Because of these strict guidelines, Doctor On Demand created a custom vendor security questionnaire to hone in on these specific security needs. For Quinne Brazinski, Senior Security Analyst, these custom questionnaires introduced the need for a standard, streamlined process for all vendors.
“Vendor risk management is extremely important to the success of our organization,” Quinne said. “We complete initial vendor security assessments as well as ongoing re-assessments for vendors with access to confidential information. Especially given the nature of telemedicine, the information we deal with, and the growth of cloud technology, we need to be diligent. Early on we had to put in very focused efforts to protect our patients’ data in a cloud based world..”
Problem
A burdensome, manual process
Working with multiple vendors, using a custom security questionnaire, and tracking the VRM process with spreadsheets wasn’t working for the Doctor On Demand team. Working in Google Sheets, the team was housing the outbound security assessment, a master vendor list, and sub-folders for each vendor with assessments, contracts, NDAs, notes, and reminders all in one place.
“It was becoming burdensome to search, hard to evaluate, and it took too long to actually run assessments,” Quinne said. “We were working off of documents that essentially recapped the spreadsheet to summarize the information. This meant the IT and Legal teams had to manually figure out where a vendor lived, what they did, what data they had access to, and what security processes were required.”
Another thing the Doctor On Demand team was looking for with their new VRM solution was transparency. For Arwen Sheridan, Director of Compliance & Legal Affairs, having access to the right information at the right time was a necessity.
“Overall security and privacy of the organization is reported to our leadership, which includes our Vendor compliance and management,” Arwen said. “This is a consistently monitored area of the business that requires multiple re-assessments. Presenting increasingly confusing spreadsheets just wasn’t scalable.”
Solution
Custom built vendor risk management
The Doctor On Demand team decided on the Whistic platform for multiple reasons. First was the easy-to-understand pricing model. Unlike other VRM solutions that the team had worked with, Whistic didn’t
charge-per-assessment, which was ideal for a startup like Doctor On Demand. Additionally, the fact that Whistic was built specifically to handle VRM questionnaires and assessments was key.
From start to finish, it took around two months to get the Doctor On Demand team up and running on the Whistic platform. This included importing all relevant existing vendor data, questionnaires, and security profile information into the solution. In order to ensure Whistic would work exactly the way the team needed it to, Quinne and the IT department took their time to customize wherever possible.
They also wanted to make sure that all departments understood the value of Whistic and what the goal of this migration was for long-term success.
“New vendor partnerships die because of failed security assessments,” said Arwen. “We prioritized education and training across
different departments such as Sales and Marketing so security and compliance didn’t become a roadblock in proceeding with a vendor. We wanted everyone involved with vendors and clients to know what to look for to ensure these relationships were able to be successful in the long run.”
Results
Streamlined automation and insight
Today, the Doctor On Demand team is managing the entire Vendor Risk Management process through Whistic. Some of the biggest areas of success include:
A streamlined security assessment process Within Whistic, the Doctor On Demand security team was able to modify assessment questions for yes/no answers. This means that Whistic can easily auto-grade forms to let Quinne and her team know if a vendor has passed. Almost 90% of questionnaire grading is now completed in Whistic which has decreased the time Quinne spent reviewing questionnaires from a few hours to just 45 minutes.
A quicker turnaround time for vendors With everything available in the Whistic solution, there is less back-and-forth emailing with vendors to ensure the right forms are filled out. It’s easy for the Doctor On Demand team to answer questions and confirm data points without an entire document of follow-up explanation. The average time from when Quinne sends a vendor assessment to when it is completed has been reduced from 20-25 days to just 10-15 days with Whistic.
The intake form This Whistic feature allows the Doctor On Demand team to lead any team member who is submitting a vendor for assessment through the right process. It also ensures that the security team gets all the right information and data before they send out a security questionnaire.
An initial mini-questionnaire While the security team would previously ask internal stakeholders for background information on vendors, this mini-questionnaire acted like an initial RFP for potential vendors to uncover any issues or deal breakers before moving forward. It covers the basics of legal, IT, security, and more. All new Doctor On Demand vendors must answer these questionnaires in the new process.
A variety of questionnaires While the Doctor On Demand team has to stick with their custom questionnaire for security purposes, they also have access to
SIG-Lite and CAIQ questionnaires in the platform. They also have a few vendors using Whistic, which allows them to easily review other questionnaires and assessments on file.