

Radius Health is a US biopharmaceutical company dedicated to transforming the future for underserved, global patient populations in bone health and related therapeutic areas. Operating in a highly regulated industry, Radius manages a complex ecosystem of partners and vendors where data integrity and security are paramount.
"It is critical for us to understand the cyber posture of our 3rd parties and how our data is stored with them and their partners, especially given the complexity of our regulated industry. In this multi-tiered model, there may be indirect risks to our data and our users if a connected vendor is compromised."
Gerry DiBona, Head of IT, Radius Health
In the pharmaceutical industry, the supply chain is not linear; it is a complex web of clinical research organizations, logistics providers, and digital partners. For Radius, the primary challenge was not just securing their own perimeter, but ensuring the safety of sensitive data once it left their hands.
"The largest risk in our supply chain is the risk of losing or exposing data that is stored by our partners exclusively," explains Kevin Frye, IT manager—Infrastructure and Network, at Radius. "In these instances, it is critical that we understand the cyber posture of these suppliers and require the same strict standards used with our own systems."
Radius recognized that traditional, static questionnaires were insufficient for identifying indirect risks—such as a vendor’s vendor (4th party) suffering a breach that could compromise Radius’s proprietary data or patient information. They needed a tool that could look deeper than the immediate third party.
"While we are in the early stages of using Risk Ledger, we are building a holistic view of our overall risk as it pertains to our vendors. Collaboration with our suppliers has also provided valuable insights into active security issues. Both are adding value and improving our risk profile."
Gerry DiBona, Head of IT, Radius Health
Radius selected Risk Ledger as their first dedicated Third-Party Risk Management (TPRM) tool, with the intent of making it the "foundational" standard for assessing vendors in the future.
The decision to partner with Risk Ledger—a UK-based platform—was driven by a recommendation from a trusted vendor who was already seeing value from the tool. Radius saw an opportunity to streamline their own processes by using the same platform they were using to demonstrate their own security to clients.
According to Gerry DiBona, Head of IT at Radius, "Risk Ledger was recommended to us by one of our partners as an intuitive tool that provides us with an efficient way to assess the risk posture of our third-party suppliers at a competitive price in the TPRM space."
By adopting Risk Ledger, Radius aims to standardize how they evaluate the security principles of their trusted vendors. In the words of Gerry DiBona, “Risk Ledger is our first TPRM tool and will become foundational to how we will assess vendors in the future. It gives us confidence and peace of mind that our trusted vendors are practicing the strong security principles that we desire and expect."
"We want to introduce Risk Ledger as a key component of all potential vendor assessments. This will help us better understand the cyber and risk posture of new vendors before working with them and therefore, help us manage our overall risk."
Kevin Frye, IT manager—Infrastructure and Network, Radius Health
Uniquely, Radius utilizes Risk Ledger both as a client (assessing vendors) and as a supplier (demonstrating security to partners). This dual perspective has allowed them to streamline their program by treating their vendors with the same efficiency they desire from their own clients.
"At Radius, we take pride in our strong security posture. Risk Ledger has allowed us to hold our vendors and clients to the same standard, so our approach can be further streamlined," Gerry DiBona notes.
This empathy has improved vendor engagement. By using a tool that allows suppliers to ‘complete once, share with many,’ Radius has removed the administrative burden from their partners, fostering a collaborative rather than combative security culture.
Although Radius Health is a US client, the global nature of the pharmaceutical industry meant that the "network effect" of Risk Ledger was immediately evident. Radius found that because they leverage many industry-standard suppliers in the pharmaceutical space, many of the suppliers they introduced to Risk Ledger already had a UK presence and were familiar with the network.
"Risk Ledger is now an important part of our vendor onboarding process, allowing us to immediately and thoroughly understand their cybersecurity posture."
Gerry DiBona, Head of IT, Radius Health
Where challenges arose—such as large vendors relying on static Trust Centers rather than dynamic profiles—Radius utilized the Risk Ledger support team to bridge the gap.
According to Kevin Frye, "the onboarding process has gone well... In instances where we had challenges, the Risk Ledger team got directly involved to partner with us on developing solutions."
While still in the early stages of adoption, Radius reports that collaboration with suppliers on the platform has already provided "valuable insights into active security issues," allowing them to build a "holistic view of our overall risk.”
For Radius, the distinction between a third party and a fourth party is often where the real risk lies. Regulatory frameworks and internal standards demand that Radius understand exactly where their data sits, even if it is with a subcontractor of a supplier.
"It is critical for us to understand the cyber posture of our 3rd parties and how our data is stored with them and their partners," says Gerry DiBona. "In this multi-tiered model, there may be indirect risks to our data and our users if a connected vendor is compromised."
Risk Ledger's visualization tools allow Radius to map these dependencies, identifying concentration risks where multiple vendors might rely on a single, vulnerable sub-processor.
"Risk Ledger gives us confidence and peace of mind that our trusted vendors are practicing the strong security principles that we desire and expect."
Gerry DiBona, Head of IT, Radius Health
Looking ahead, Radius plans to integrate Risk Ledger as a key component of all future vendor assessments. This will allow them to assess the risk posture of new vendors before working with them, shifting from reactive management to proactive selection.
As Risk Ledger expands further into the US market, Radius envisions similar collaboration opportunities with critical suppliers as those seen in the UK, helping to manage overall risk across the industry.
According to Gerry DiBona, "we expect Risk Ledger to become the operational standard when onboarding new suppliers and encourage a higher risk-based focus from other departments at Radius."