The University of Kansas Health System Improves Third-Party Risk Management and Contracting with Onspring
A TPRM Case Study

Overview
Few industries are as tightly regulated as healthcare. In addition to offering exemplary care, providers like The University of Kansas Health System must protect patients’ private data in keeping with national mandates like HIPAA, state regulations, and many other security standards. During internal and external audits, they must also demonstrate defined and repeatable processes in contracting, third-party risk assessment, and other governance, risk, and compliance (GRC) processes. The University of Kansas Health System turned to Onspring to meet these needs.
Challenge
The University of Kansas Health System uses the latest medical technology to provide a high level of patient care and service. The health system is similarly committed to finding efficiencies in GRC workflows, but a first-generation system failed to fit the bill.
“Before Onspring, we used a different GRC platform and it still had a lot of manual processes,” said Jennifer Blackburn, cybersecurity analyst at the University of Kansas Health System. “For third-party risk, we were sending out questionnaires and there were a lot of emails going back and forth with different organizations across the company to make our workflows happen.”
The ever-evolving GRC space is always presenting cyberthreats to stop, compliance standards to satisfy, and controls and policies to enforce. The University of Kansas Health System needed a platform that could help them keep up, which their existing application did not.
“We determined that we needed a better solution for our GRC tool when we realized that what we were using wasn’t customizable to what we were doing,” said Megan Loescher, senior cybersecurity analyst at the University of Kansas Health System. “It didn’t offer a lot of options in terms of adding automated functionality to our processes.”
Solution
When the GRC vendor announced that it was ending support for this application, the announcement gave UKHS the opportunity to find a better one. The University of Kansas Health System’s search for a replacement GRC system led them to Onspring.
“While evaluating a new tool, we wanted to get the biggest bang for our buck,” Loescher said. “If it could do more than GRC functionality and contracting, maybe we could work with other teams to provide more value to our organization.”
Since starting small with a couple of functions, the University of Kansas Health System has expanded Onspring to 12 different processes and counting, including:
- Contract management
- Third-party risk assessment
- Due diligence
- Risk questionnaires
- GRC document repository
- Risk register management
- Policy management and exceptions
- Internal and external auditing
Expanding GRC and Business Automation with No-Code Development
Blackburn gave an example of another GRC workflow that the University of Kansas Health System is using Onspring to optimize. “Recently, we integrated an additional security tool into Onspring that’s assisting us with continuous monitoring of our third parties, so we get risk quantification automatically,” she said. “It gives us information on 20 technical categories – like patch and asset management and domains – and rates them A through F. We can also let our stakeholders know how likely a third party is to fall victim to a ransomware attack.”
While many systems require years of prior experience or costly vendor services to expand, UKHS has found that Onspring provides the ability to easily create new workflows, dashboards, and reports.
“My favorite feature in Onspring as an administrator is that it’s a no-code SaaS system that’s very easy to learn and utilize,” Loescher added. “You can spin up a new field or different app in no time at all, and that’s been wonderful to create a customized experience for our teams.”
Another benefit of implementing Onspring has been the ability to create and distribute reports that visualize key GRC metrics for leaders in many different UKHS departments.
“Onspring has helped us communicate the value of our governance, risk, and compliance function across the organization,” Blackburn said. “We provide leadership with the amount of policy exceptions coming through and the financial impact of these risks. Doing this also identifies if there’s a gap in understanding our policies, allowing us to put together additional training and security awareness.”
Results
Automating Processes Enterprise-Wide
While the University of Kansas Health System first saw the potential of Onspring to improve contracting by replacing their outdated existing system, they soon discovered that it could create new efficiencies across many other GRC functions. The time savings this created enabled staff to spend more time utilizing their expertise elsewhere.
Improving Internal and Third-Party GRC Communications
At the University of Kansas Health System, Onspring is making life easier for Blackburn, Loescher, and their colleagues. It has also removed redundancy from communicating externally with third-party vendors and internally between the GRC group and other departments.
“My favorite function in Onspring is the ability to automate,” Blackburn said. “Originally, we were not just going to third parties with emails and questionnaires, but also across our different teams. Now I can look directly in Onspring, see my dashboards, and know what’s in my workflow and is coming from third parties. They attach their documentation and it’s automatically there for me to view. Onspring has allowed us to do our jobs better, more efficiently, and quicker.”
Utilizing Onspring hasn’t just improved communication but also facilitated greater collaboration between the GRC team and their colleagues across the University of Kansas Health System.
“Another added bonus with Onspring is we’ve become a different kind of partner to our internal teams,” Loescher said. “We’re no longer a blockage because we’re helping them with their processes and building more relationships as we work together.”
The University of Kansas Health System’s previous GRC system was a hindrance. In contrast, Onspring not only lived up to initial expectations, but has since delivered value in many additional ways.
“I would definitely recommend Onspring,” Blackburn said. “I can attest to its customization and automation compared to different GRC platforms. It has been nothing but a positive experience, and I love that it’s a solution across the organization.”