University of Kansas Health System TPRM Case Study


A TPRM Case Study

OVERVIEW

Few industries are as tightly regulated as healthcare. In addition to offering exemplary care, providers like The University of Kansas Healthcare System must protect patients’ private data in keeping with national mandates like HIPAA, state regulations, and many other security standards. During internal and external audits, they must also demonstrate defined and repeatable processes in contracting, third-party risk assessment, and other governance, risk, and compliance (GRC) processes. The University of Kansas Health System turned to Onspring to meet these needs.

Profile

Industry

Reach

Challenge

The University of Kansas Health System uses the latest medical technology to provide a high level of patient care and service. The health system is similarly committed to finding efficiencies in GRC workflows, but a first-generation system failed to fit the bill.

“Before Onspring, we used a different GRC platform and it still had a lot of manual processes,” said Jennifer Blackburn, cybersecurity analyst at the University of Kansas Health System. “For third-party risk, we were sending out questionnaires and there were a lot of emails going back and forth with different organizations across the company to make our workflows happen.”

The ever-evolving GRC space is always presenting cyberthreats to stop, compliance standards to satisfy, and controls and policies to enforce. The University of Kansas Health System needed a platform that could help them keep up, which their existing application did not.

“We determined that we needed a better solution for our GRC tool when we realized that what we were using wasn’t customizable to what we were doing,” said Megan Loescher, senior cybersecurity analyst at the University of Kansas Health System. “It didn’t offer a lot of options in terms of adding automated functionality to our processes.”

Solution

When the GRC vendor announced that it was ending support for this application, it gave UKHS the opportunity to find a better one. The University of Kansas Health System’s search for a replacement GRC system led them to Onspring.

“While evaluating a new tool, we wanted to get the biggest bang for our buck,” Loescher said. “If it could do more than GRC functionality and contracting, maybe we could work with other teams to provide more value to our organization.”

Since starting small with a couple of functions, the University of Kansas Health System has expanded Onspring to 12 different processes and counting, including:

Expanding GRC and Business Automation with No-Code Development

Blackburn gave an example of another GRC workflow that the University of Kansas Health System is using Onspring to optimize. “Recently, we integrated an additional security tool into Onspring that’s assisting us with continuous monitoring of our third parties, so we get risk quantification automatically,” she said. “It gives us information on 20 technical categories – like patch and asset management and domains – and rates them A through F. We can also let our stakeholders know how likely a third party is to fall victim to a ransomware attack.”

While many systems require years of prior experience or costly vendor services to expand, UKHS has found that Onspring provides the ability to easily create new workflows, dashboards, and reports.

“My favorite feature in Onspring as an administrator is that it’s a no-code SaaS system that’s very easy to learn and utilize,” Loescher added. “You can spin up a new field or different app in no time at all, and that’s been wonderful to create customized experience for our teams.”

Another benefit of implementing Onspring has been the ability to create and distribute reports that visualize key GRC metrics for leaders in many different UKHS departments.

“Onspring has helped us communicate the value of our governance, risk, and compliance function across the organization,” Blackburn said. “We provide leadership with the amount of policy exceptions coming through and the financial impact of these risks. Doing this also identifies if there’s a gap in understanding our policies, allowing us to put together additional training and security awareness.”

Results

Automating Processes Enterprise-Wide

While the University of Kansas Health System first saw the potential of Onspring to improve contracting by replacing their outdated existing system, they soon discovered that it could create new efficiencies across many other GRC functions. The time savings this created enabled staff to spend more time utilizing their expertise elsewhere.

Success Story


“Onspring is a fantastic GRC tool and has allowed us to automate and speed up a lot of our processes. Everyone has fewer resources, so the time that we’ve been able to get back has been invaluable.”

The University of Kansas Health System

Improving Internal and Third-Party GRC Communications

At the University of Kansas Health System, Onspring is making life easier for Blackburn, Loescher, and their colleagues. It has also removed redundancy from communicating externally with third-party vendors and internally between the GRC group and other departments.

“My favorite function in Onspring is the ability to automate,” Blackburn said. “Originally, we were not just going to third parties with emails and questionnaires, but also across our different teams. Now I can look directly in Onspring, see my dashboards, and know what’s in my workflow and is coming from third parties. They attach their documentation and it’s automatically there for me to view. Onspring has allowed us to do our jobs better, more efficiently, and quicker.”

Utilizing Onspring hasn’t just improved communication but also facilitated greater collaboration between the GRC team and their colleagues across the University of Kansas Health System.

“Another added bonus with Onspring is we’ve become a different kind of partner to our internal teams,” Loescher said. “We’re no longer a blockage because we’re helping them with their processes and building more relationships as we work together.”

The University of Kansas Health System’s previous GRC system was a hindrance. In contrast, Onspring not only lived up to initial expectations, but has since delivered value in many additional ways.

“I would definitely recommend Onspring,” Blackburn said. “I can attest to its customization and automation compared to different GRC platforms. It has been nothing but a positive experience, and I love that it’s a solution across the organization.”
