Vendor Risk Assessments
Know how your software providers are handling your patients' data — and whether they meet your Privacy Act obligations.
Your practice management system, telehealth platform, cloud backup service, and pathology integrations all handle sensitive patient data. Under APP 11, your responsibility for protecting that data doesn't end when you hand it to a vendor. We assess each provider's security posture and contractual commitments so you know exactly where the risks are.
Your obligations don't stop at your practice door
Under the Privacy Act 1988 and Australian Privacy Principle 11, your practice is responsible for taking reasonable steps to protect patient information — including when that information is held or processed by a third party on your behalf. Engaging a vendor doesn't transfer your privacy obligations; it extends them.
The Privacy and Other Legislation Amendment Act 2024 (POLA 2024) strengthened this further. "Technical and organisational measures" to protect personal information are now explicitly required by law — not just implied best practice. This means your contracts with vendors, and your review of their security arrangements, are now regulatory obligations in their own right.
Most practices we speak with have never formally assessed their vendors. They rely on vendor marketing claims, assume certification means "safe", or have contracts that contain no meaningful data protection clauses at all. If a vendor suffers a breach, your practice — and your patients — bear the consequences.
APP 11: Requires reasonable steps to protect personal information held by third parties on your behalf (Privacy Act 1988, Australian Privacy Principles)
POLA 2024: "Technical and organisational measures" are now explicitly required, including vendor oversight (Privacy and Other Legislation Amendment Act 2024)
New tort: Patients can now personally sue for serious privacy breaches, including breaches caused by your vendors (Privacy and Other Legislation Amendment Act 2024)
What we evaluate
For each vendor, we assess 7 security and compliance dimensions — covering both technical safeguards and the contractual obligations that protect your practice.
Data Handling & Storage
Where is patient data stored? Who can access it? Is it kept in Australia or offshore?
Access Controls & Authentication
Are administrative accounts protected? What authentication standards does the vendor enforce?
Encryption
Is data encrypted both in transit and at rest? What encryption standards are used?
Sub-processors & Fourth Parties
Does the vendor share your data with other providers? Who are they and what protections apply?
Breach Notification Commitments
Will the vendor notify you promptly if they suffer a breach? What are their contractual obligations?
Certifications & Audits
Does the vendor hold ISO 27001, SOC 2, or equivalent certifications? Are they current?
Contract & Data Processing Terms
Do your contracts include adequate data protection clauses, liability terms, and audit rights?
Vendors we commonly assess
We can assess any vendor your practice uses. These are the categories and platforms that come up most often in Australian general practice and specialist settings.
Practice Management Systems
Best Practice, Medical Director, Cliniko, Zedmed, Genie
Telehealth Platforms
Coviu, Healthdirect Video, Zoom for Healthcare, Microsoft Teams
Cloud & Productivity Suites
Microsoft 365, Google Workspace, SharePoint, OneDrive
Pathology & Diagnostic Integrations
MedicalObjects, HealthLink, Argus, diagnostic imaging portals
Patient Booking & Engagement
HotDoc, HealthEngine, Appointuit, Healthpoint
Backup & Disaster Recovery
Veeam, Acronis, cloud backup providers, offsite tape services
Don't see your vendor listed? Get in touch — we can assess any third-party provider that handles patient data.
Three options to suit your needs
Per-vendor pricing with bundle discounts for practices that need multiple vendors reviewed. Final pricing confirmed after a free scoping call.
Single Vendor
Assessment of one vendor
1. Full 7-dimension assessment: data handling, access controls, encryption, sub-processors, breach notification, certifications, and contracts
2. Written report with risk rating: Low / Moderate / High / Critical rating with specific findings
3. Contractual gap analysis: review of your existing contract against recommended data protection terms
4. Findings review call: walkthrough of findings and recommended next steps
Best for: Practices assessing a new vendor before signing a contract, or reviewing one high-priority provider.
3-Vendor Bundle
Assessment of three vendors
1. Full 7-dimension assessment per vendor: every vendor assessed across all dimensions, not a shorter version
2. Individual vendor reports: separate written report for each vendor with risk rating and findings
3. Cross-vendor risk summary: summary comparing all three vendors and highlighting your highest-priority concerns
4. Findings review call: walkthrough of all findings and recommended next steps across the bundle
Best for: Practices wanting to review their core software stack — typically PMS, telehealth platform, and cloud/backup provider.
5-Vendor Bundle
Assessment of five vendors
1. Full 7-dimension assessment per vendor: every vendor assessed across all dimensions
2. Individual vendor reports: separate written report for each vendor with risk rating and findings
3. Cross-vendor risk summary: summary comparing all five vendors with a risk-ranked overview
4. Prioritised remediation register: consolidated action list across all vendors, ranked by risk and effort
5. Findings review call: walkthrough of all findings and recommended next steps
Best for: Medium or larger practices with multiple integrated systems, or any practice preparing for RACGP accreditation.
Need more than 5 vendors assessed? Contact us for custom pricing. Vendor assessments are often paired with a Security Health Check, which identifies which vendors to prioritise. Ask about bundled pricing when you book.
What you receive
Clear, practical documentation — not a dense technical report full of jargon.
Written assessment report
A structured report for each vendor covering all 7 evaluation dimensions, with specific findings and supporting evidence.
Overall risk rating
Each vendor receives a risk rating — Low, Moderate, High, or Critical — with a plain-language summary of the key concerns.
Contractual gap analysis
We review your existing contracts against best-practice data protection terms and flag what's missing or needs strengthening.
Recommended actions
Practical steps you can take — contract renegotiation points, questions to ask vendors, and alternative providers where relevant.
Governance-ready summary
A summary letter suitable for your governance records, demonstrating that your practice has conducted due diligence on third-party data handlers.
Findings review call
A walkthrough call to take you through the findings, explain what they mean for your practice, and discuss the recommended next steps.
How it works
Minimal disruption to your practice — most of the work happens on our end.
Tell us your vendors
Share a list of the vendors you want assessed — via a short form or a brief call. We'll confirm scope and provide a fixed quote.
We gather information
We review publicly available documentation, vendor security pages, privacy policies, certifications, and standard questionnaire responses. We may contact vendors directly on your behalf.
We assess your contracts
Send us your current vendor agreements (NDAs, service contracts, data processing addenda). We review them for gaps against recommended data protection clauses.
You receive your reports
Reports delivered within 2–3 weeks, followed by a walkthrough call to discuss findings and recommended actions.
Ready to check your vendors?
Start with a free scoping call. We'll confirm which vendors to prioritise, clarify what information we'll need from you, and provide a fixed quote — no obligation.
Our free online self-assessment includes questions about your vendor management practices and gives you an instant snapshot of how your practice is tracking — no commitment, no account required.
Frequently asked questions
Do you contact the vendors directly?
Where helpful, yes — with your permission. We may send a security questionnaire to the vendor or request updated security documentation. Most established vendors have a security team that responds to these requests. If a vendor refuses to engage, that itself tells us something useful.
What if my vendor won't share security information?
A vendor's willingness to be transparent about their security practices is itself a risk signal. If a vendor declines to share their security posture, data processing addendum, or certification status, we document this as a finding and factor it into their risk rating. You can also use our assessment to inform conversations with your vendor about what you need them to provide.
Can you assess overseas vendors?
Yes. The Privacy Act's APP 8 governs cross-border disclosure of personal information — so overseas vendors often have additional obligations. We assess overseas vendors against the same criteria, noting any additional regulatory considerations that apply when data is sent offshore.
What if you find a high-risk vendor we're locked into?
We focus on practical outcomes. If we identify a high-risk vendor, we'll flag the specific concerns and provide options — contract renegotiation points, additional security controls you can request, or in some cases, alternative providers to consider. We understand that changing your PMS isn't a realistic short-term option; we work with your constraints.
How is this different from asking my IT provider to check the vendor?
Most IT providers focus on technical configuration — how a system is set up in your environment. Vendor risk assessment looks at the vendor's own security posture: how they protect data on their side, their policies, their certifications, and critically, the contractual terms they've agreed to. These are different questions, and most IT providers aren't focused on the regulatory and contractual dimensions that matter for Privacy Act compliance.