Surging ransomware attacks, rising vendor risk and increasingly complex regulatory demands – such are the hurdles healthcare compliance teams face after two years of disruption.

How are they rising to the challenge?

By leaning in on technology like the Reciprocity® ZenGRC® platform.

See how healthcare compliance teams are leveraging the GRC platform, so you can learn how to stay ahead of the rapidly shifting risk and compliance landscape in the coming year.

Harnessing ZenGRC to Combat Healthcare Compliance Challenges in 2022

“Sixty-three percent of healthcare providers have faced disruptions due to reasons including internal organizational changes, cost pressure, regulation and compliance, funding or shifting consumer demands. With all the changes in the healthcare industry, only fit organizations thrive – and fragile organizations get left behind.”


Challenge #1: Strengthening Your Organizational Security Posture

Ransomware and vendor risk are certainly not new threats to your organization; the complexity of managing them, however, is growing:

  • 66% of healthcare organizations in the U.S. suffered a ransomware attack in 2019, and 45% of those organizations paid the ransom, reports the ENISA Threat Landscape Report.
  • They spent $1.27 million, on average, recovering from a single attack, reveals Sophos’ State of Ransomware in Healthcare 2021 Report. And many never even recovered their data, notes Dan Kiehl, a health law attorney and Reciprocity’s resident healthcare and data privacy compliance expert.
  • Healthcare providers are turning to vendors more than ever to facilitate telehealth and other COVID-response operations, and the speed of outsourcing is rendering risk assessments outdated—oftentimes within just 90 days.
  • Even more concerning? Only 36% of vendors said they would immediately notify the provider in the event of a data breach, found a recent survey.

ZenGRC’s Role in Information Security and Third-Party Risk Management

Healthcare compliance professionals shared how they are leveraging ZenGRC to improve their information security and third-party risk management during a recent roundtable discussion with the Reciprocity team.

“The biggest thing we do [with ZenGRC] is vendor management. Those have picked up immensely. Other than that, phishing is a hot commodity right now.”

– Raymond Levesque, GRC Expert in Healthcare and FinTech Industry

“We do vendor risk assessment much more frequently these days, which is actually under the CSO’s suite. What’s important to his team and mine is to see and understand all the evolving use cases with existing vendors that open up risk. That in turn gives us clearer insight into our total risk posture. One that comes to mind is our marketing team starting to use a marketing suite for something new that gets into a whole new host of CPRA regulations, important since we’re based in San Francisco and serve a large California customer base.”

– Patrick Curry, VP of Compliance at Omada Health

“Probably the biggest challenge is getting the information back from the vendor – the third parties – in a timely fashion. They themselves are engaging third-party services so just getting visibility into that is a challenge. Data security is another one, alongside identity and access management activities, using tasks to keep track of the various reviews or access reviews.”

– Senior Manager of IT Compliance in the Healthcare Industry

Key ZenGRC Capabilities Utilized

Third-Party Risk

ZenGRC offers three features that can help eliminate the headache of tracking down vendor responses and adjusting your program accordingly—crucial when your vendor relationships change frequently.

  • Automate questionnaires and assessments, so you can focus on high-value tasks instead.
  • Assign updated risk ratings to vendors based on survey data.
  • Gain perspective on the controls you need to implement for specific vendors.

Risk Assessment and Management

Customize your risk calculations with multivariable scoring and utilize pre-built reporting dashboards and heatmaps for deep insight into your cybersecurity risk posture. Check healthcare industry benchmark insights to uncover gaps in your program.

*New* Reciprocity® Risk Intellect

Augment the power of ZenGRC with Risk Intellect to map your cyber risk to compliance controls and discover which ones have the greatest impact on your risk—so you can protect your organization from malware attacks.

Challenge #2: Staying Compliant with Regulatory Changes

While the bar has never been higher for protecting patient data, recently proposed changes to the HIPAA Privacy Rule could cut your required response time to patient record requests in half (from 30 days to just 15 days).

Moreover, you would be required to create and implement procedures for prioritizing such urgent requests. Adding to the complexity? The changes would prohibit you from taking “unreasonable measures” – such as requiring a HIPAA authorization when a normal request would be acceptable – that could impede patient access to their health records.

And these are just a couple of examples of the regulatory changes that could be coming your way in 2022.

ZenGRC’s Role in Regulatory Compliance

In the swiftly changing realm of regulatory compliance, healthcare compliance teams are using ZenGRC to mature their programs in order to meet new rules and earn accreditations to satisfy industry requirements.

“We are trying to mature our processes…We’re using vendor management [and] audit management. We got through our SOC 2 Type 2 audits successfully and HIPAA assessments are happening.”

– Senior Manager of IT Compliance in the Healthcare Industry

“From a security perspective, ZenGRC is the first step to really maturing our program. We’re making big strides to move off spreadsheets, and we want to make sure we have appropriate mapping. Because there are a lot of accreditations that we’re going through right now to satisfy business requirements. CMS pushing access requirements has [influenced] our security needs from a program stance because those expectations are trickling down from the model programs at CMS into organizations like ours. And so, we have to be more mature on a much faster timeline and expect the same things out of our vendors.”

– Director of Information Security in the Healthcare Industry

Key ZenGRC Capabilities Utilized
Stay ahead of constant regulatory changes with one integrated and automated system of record. Save time (and headaches) by doing away with spreadsheets. And continuously monitor your control status with real-time updates from convenient, pre-built dashboards.

Challenge #3: Managing the IoT-Driven Influx of Patient Data

Over the last seven years, we’ve seen a shift from fee-for-service to value-based reimbursement, and with it, a significant increase in medical devices (and patient data) to demonstrate healthcare outcomes. This influx of protected data presents new information security, privacy, and regulatory access challenges for providers.

ZenGRC’s Role in Security, Privacy, and “Full-Suite GRC”

Data privacy, cybersecurity, compliance – healthcare compliance professionals are checking all the boxes with ZenGRC:

“We’ve made a deliberate attempt to bring it together in what I call a full-suite GRC. We’re making sure our compliance audits work to the point where we actually leverage it for the start of a risk assessment readout. We use the data from the audits to inform our enterprise-level risk assessment and eventual board reporting.”

– Patrick Curry, VP of Compliance at Omada Health

Equip Your Team with ZenGRC and Risk Intellect in 2022

Healthcare compliance teams are relying on the sophisticated capabilities of ZenGRC and Risk Intellect to overcome the challenges accompanying the increasingly complex regulatory and risk environment in 2022. And they’re seeing results:

  • Obtaining multiple accreditations at once.
  • Streamlining third-party vendor management.
  • Maturing their compliance and risk management programs.
  • Staying compliant with shifting patient access and privacy regulations.
  • Protecting organizational and patient data from malware attacks.

If you’re ready to see what full-suite GRC software can do for your organization, schedule your demo now. Join the thousands of healthcare providers leveling up their approach to risk and compliance.