Third-Party Risk Management Case Study: Large Hospital

Velocity Case Study: Large Hospital

Feb 24, 2022 | Case Study


Velocity helped a large hospital system quadruple the speed of third-party risk assessments, increase the accuracy of reviews, create a continuous assessment process, and track internal risk using the Center for Internet Security (CIS), NIST Cybersecurity Framework (CSF), and the HIPAA Security Rule.


The hospital was struggling to manually review hundreds of vendor (business associate) solutions, which was causing delays in large projects.  The security team tried hiring a third-party risk management service to offload the vendor reviews, but the results were greatly inaccurate.

At the same time, the hospital was trying to measure its internal security posture against CIS, NIST CSF, and the HIPAA Security Rule using spreadsheets.  The spreadsheets only provided point-in-time reviews, could not be easily shared, made collaboration difficult, and could not be easily updated when the security frameworks changed.

To address both the vendor and internal risk measurement problems, this hospital decided to use the Velocity SaaS solution by Stern Security.

An Industry Problem

The growing risk management issues that the hospital was experiencing are common across all industries.  Companies often initially try to address the vendor risk issue manually by sending spreadsheet questionnaires to vendors.  However, this process is incredibly time consuming.  They have to manage the questionnaires, send them to and retrieve them from vendors, review the responses, have meetings about the risks, and create reports.  This process can take months to complete for a single vendor.  Ideally, the customer would complete this every year for a vendor, but very few organizations have the bandwidth to accomplish anything close.

Many companies try to outsource the vendor risk management work to a service provider or purchase a product to complete the task.  Unfortunately, most of the results from these solutions are inaccurate.  Even fewer solutions address both internal and vendor risk.

Velocity prioritizes accuracy

After limited success with the manual approach and other products, this hospital found their ideal solution with Velocity.


Onboarding with Velocity took the hospital one hour, with most of the time spent on training.  The hospital quickly replaced the spreadsheet used to measure internal risk and saw immediate results.  Instead of using an outdated version of the CIS framework, the hospital could use the latest version with Velocity.  The hospital also received a prioritized list of items to work on to increase its security posture.  Additionally, when the hospital fixed an item on the list, they could see their security posture improve.

Customer employees became rockstars with Velocity

The hospital also made rapid improvements to their vendor risk management process.  Instead of sending the standard security questionnaire to vendors, the hospital sent invitations from the Velocity platform and let the product do all of the work.  The hospital received detailed security reports for their vendors in ¼ of the time.  Hospital cybersecurity staff who were originally tasked with performing these vendor security reviews could now spend their time on other tasks while directing more vendors through Velocity than they ever could before.  Velocity greatly sped up the hospital’s vendor security review process, which made the entire project evaluation process more efficient.  Additionally, Velocity increased accuracy and saved the hospital valuable funds.  Velocity added such value to the hospital that they renewed their subscription the following year.

Velocity saves the day! Case closed.