San Francisco Health Plan: Streamlining Third-Party Risk for Community Health - Safe Security
close-icon

San Francisco Health Plan: Streamlining Third-Party Risk for Community Health

quote Icon

“We’ve seen a huge improvement in third-party risk visibility, thanks to SAFE’s dashboards. We now direct internal teams to SAFE for real-time status updates, providing visibility that didn’t exist before.”

Oliver Rebollido Oliver Rebollido

Head of IT Infrastructure & Security

Industry

Healthcare

Geography

Americas

Size & Revenue

500+ employees | $2B+ revenue


90%

Reduction in Assessment Time

80%

AI-Driven Questionnaire Completion

89%

Cost Reduction through Tool Consolidation

San Francisco Health Plan Automates TPRM and Consolidates Risk

As a healthcare organization handling PHI and PII, San Francisco Health Plan (SFHP) maintains rigorous security standards across its vendor ecosystem. However, relying on fragmented tools meant the team struggled with data silos and felt like they were always chasing vendors for documentation. After extensively testing more than 8 tools, SFHP chose the SAFE One Platform to consolidate its outside-in scanning and questionnaires. This shift transformed its TPRM program from a manual, months-long cycle into an automated, AI-driven process that provides clear decision support for over 200 vendors.

The Challenges

  • Fragmented Toolset Creating Inefficiencies: The team relied on multiple disconnected solutions for questionnaires and external scanning. This fragmentation created subjective risk assessments, as each tool produced different results and scoring mechanisms that were difficult to reconcile.
  • Time-Consuming Vendor Chasing: Vendors often took 30+ days to respond, with some assessments stretching to 150 days or more to complete. Email communication with vendors was often ignored. 
  • Limited Scalability: With a growing vendor ecosystem and only three team members, SFHP needed a solution that could scale without requiring additional headcount. The manual processes were unsustainable as their vendor portfolio expanded.

“With SAFE’s AI, we’re not just automating our processes; we’re improving the relationship with our third parties. We recently received praise from several of our vendors, commenting on how SAFE’s AI automated nearly 80% of the assessment and significantly reduced their manual work.”

Igor Portnoy, Cybersecurity Supervisor

Why SFHP Chose SAFE

AI-Powered, Unified, and Integrated 

SFHP chose SAFE One to consolidate its TPRM tech stack and automate the heavy lifting of third-party risk assessments. The platform stood out for its ability to combine outside-in scanning with AI-driven questionnaire analysis. Specifically, the SFHP team found SAFE’s AI to be far superior to other solutions on the market while reducing their costs by 89%, making it the obvious choice for them. 

The Moment of Truth

The moment of truth arrived when SFHP successfully onboarded 200 vendors and saw the AI-driven document analysis in action. Assessments that previously stalled for weeks were now being completed with minimal manual intervention. By setting a risk threshold, the team moved from subjective gut feelings to standardized, automated remediation triggers, allowing them to manage a massive vendor portfolio with a lean, efficient team.

The SAFE Solution

  • AI-Driven Document Ingestion: Leveraged SAFE’s AI to automatically analyze SOC 2 and HITRUST reports, mapping findings directly to NIST CSF controls without manual effort.
  • Continuous Outside-In Scanning: Implemented outside-in monitoring of more than 200 vendors to identify exploitable applications and vulnerabilities in real-time.
  • Automated Risk Tiering: Configured specific risk thresholds to trigger immediate notifications and remediation action plans.
  • Self-Service Reporting: Implemented dashboards to increase visibility and empower stakeholders to see real-time statuses without having to ask.