Vendor cybersecurity due diligence
Vendor cybersecurity due diligence in Healthcare & Life Sciences is now a hard compliance obligation, not a best-practice recommendation. The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), the U.S. Food and Drug Administration (FDA), and the European Data Protection Board (EDPB) have each issued rules or guidance that directly govern how covered entities and device manufacturers assess third-party security controls. Compliance teams are auditing business associate agreements and vendor security attestations against the HIPAA Security Rule amendments HHS OCR proposed in December 2024, ahead of those requirements being finalized.
Watch
- HHS OCR proposed HIPAA Security Rule amendments: vendor-specific technical safeguard requirements
- FDA premarket cybersecurity guidance and FD&C Act section 524B: software bill of materials (SBOM) obligations for medical device supply chain software
- NIS2 Directive Article 21(2)(d) supply chain security measures: enforcement timelines for EU health sector supply chain risk assessments
- State attorney general enforcement patterns targeting inadequate third-party security contracting in health data breaches
- APRA CPS 234 third-party information security requirements as they flow down from APRA-regulated Australian private health insurers to APAC-based health IT vendors, including vendors that also serve U.S. and EU entities
Recent material activity in Healthcare & Life Sciences
Active monitoring in place across Healthcare & Life Sciences. Material developments related to vendor cybersecurity due diligence will appear here as they are published.