Penn Medicine Third Party Risk Management Program
As part of Penn Medicine, the Perelman School of Medicine follows the Penn Medicine process for evaluating third party risk. This is in place of the University's V-Star process. This is required even if the purchase is made through the University of Pennsylvania procurement organization with funds recorded in the University of Pennsylvania's financial systems.
All initiatives that involve third parties (existing or new) must be entered in the third party management system via the Third Party/Product Intake Form.
Third parties include, but aren’t limited to:
- Vendors that store and/or transmit data from any of Penn Medicine’s entities or departments (inclusive of departments, centers, and institutes within the Perelman School of Medicine) in a third party-managed cloud environment
- Vendors that store and/or transmit data from any of Penn Medicine’s entities or departments (inclusive of departments, centers, and institutes within the Perelman School of Medicine) in a third party-managed data center
- Vendors that require a network connection to any of Penn Medicine’s entities or departments (inclusive of departments, centers, and institutes within the Perelman School of Medicine)
- Vendors that provide Medical Devices
- Vendors that provide Hardware or Non-Medical Devices, including equipment intended for research and education purposes
- Vendors that provide Enterprise Business Software or Mobile Applications
- Consulting Firms that provide a service or support an application
- Resellers
Please submit your requests via the Third Party/Product Intake Form. The Penn Medicine Cybersecurity Global Risk and Compliance team will evaluate each request to determine if further engagement with the vendor is required. Should the Global Risk and Compliance team require additional information to complete the assessment, they will reach out to the third party as needed.
The results of the assessment should be provided to your procurement contacts.