Third-party remote access and fourth-party risk: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Third-party and fourth-party access often becomes a blind spot because organisations cannot consistently see what vendors touch, when they touch it, or whether their own controls extend downstream, according to Imprivata. The governance gap is not remote access itself, but the lack of lifecycle control, auditability, and minimum necessary access across the vendor chain.

NHIMG editorial — based on content published by Imprivata: third-party remote access risks and best practices for mitigating them

By the numbers:

Questions worth separating out

Q: How should security teams govern third-party remote access in practice?

A: Treat third-party remote access as a governed identity path, not a networking exception.

Q: Why do fourth-party vendors increase access risk so quickly?

A: Fourth-party relationships extend your trust boundary beyond the supplier you contract with.

Q: What breaks when vendor access is broader than the business purpose?

A: Least privilege stops working as a meaningful control when vendor connectivity is broad enough to outstrip the task being performed.

Practitioner guidance

  • Build a third-party risk map: Map systems, data flows, and external touchpoints so you can identify which vendor relationships need deeper assessment, tighter controls, and stronger evidence collection.
  • Set pass-through contractual obligations: Require vendors to flow security requirements down to their own suppliers, including audit rights, limitation of liability, and indemnity clauses that reflect downstream exposure.
  • Move vendor access beyond VPN dependence: Use purpose-driven, time-bound access patterns with minimum necessary permissions instead of broad remote connectivity that cannot be linked cleanly to business need.
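The three guidance points above can be turned into a review that runs over a vendor access inventory. The following Python is an added illustration, not code from Imprivata or NHIMG; the purpose catalogue, grant fields and sample vendors are constructed assumptions, and the checks model lifecycle control (expiry set and aligned to the contract), minimum necessary scope per purpose, and flowed-down obligations for fourth-party use.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Hypothetical purpose catalogue (constructed): each approved business purpose
# maps to the minimum necessary scopes a vendor may hold for it.
PURPOSE_SCOPES = {
    "patch-window": frozenset({"ssh:app-01", "ssh:app-02"}),
    "log-review": frozenset({"read:siem"}),
}

@dataclass
class VendorGrant:
    vendor: str
    purpose: str
    scopes: FrozenSet[str]
    contract_ends: date
    expires: Optional[date] = None    # None: the grant never expires
    via_fourth_party: bool = False    # used by the vendor's own supplier
    flow_down_attested: bool = False  # supplier accepted pass-through terms

def review_grant(grant: VendorGrant, today: date) -> List[str]:
    """Return finding codes for one grant; an empty list means it passes."""
    findings: List[str] = []
    # Lifecycle control: time-bound, and never outliving the contract.
    if grant.expires is None:
        findings.append("NOT_TIME_BOUND")
    elif grant.expires > grant.contract_ends:
        findings.append("OUTLIVES_CONTRACT")
    elif grant.expires < today:
        findings.append("EXPIRED_STILL_PROVISIONED")  # offboarding gap
    # Minimum necessary access: every scope must be justified by the purpose.
    allowed = PURPOSE_SCOPES.get(grant.purpose)
    if allowed is None:
        findings.append("UNKNOWN_PURPOSE")
    elif grant.scopes - allowed:
        findings.append("SCOPE_EXCEEDS_PURPOSE")
    # Fourth-party exposure: downstream use needs flowed-down obligations.
    if grant.via_fourth_party and not grant.flow_down_attested:
        findings.append("FOURTH_PARTY_NO_FLOW_DOWN")
    return findings

# Constructed sample grants and review date for a stand-alone run.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_GRANTS = [
    VendorGrant("acme-support", "patch-window", frozenset({"ssh:app-01"}),
                date(2025, 12, 31), expires=date(2025, 6, 30)),
    VendorGrant("widgetco", "patch-window", frozenset({"ssh:app-01", "vpn:any"}),
                date(2025, 12, 31), via_fourth_party=True),
]
```

Calling `review_grant(g, REVIEW_DATE)` for each entry in `SAMPLE_GRANTS` passes the first grant and flags the second three times: it never expires, it holds a scope its purpose does not justify, and it is used downstream without flowed-down obligations.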

What's in the full article

Imprivata's full blog covers the operational detail this post intentionally leaves for the source:

  • The full eight-step vendor access checklist, including due diligence, contractual clauses, and offboarding practices.
  • Practical guidance on documenting compliance obligations and setting pass-through requirements for fourth parties.
  • Operational detail on access audits, session traceability, and how to align expiration dates with contract timelines.
  • The vendor's perspective on purpose-driven remote access controls beyond VPN-based connectivity.

👉 Read Imprivata's analysis of third-party and fourth-party remote access risk →
