Orlando Health Doubles VRM Efficiency and Reduces Risk with Perimeter
November 4, 2025
Orlando Health:
Regional health care provider
6,000+ vendors
Solution:
Perimeter VRM
Results:
- 50% reduction in manual effort
- 50% reduction in assessment duration
- Faster vendor onboarding
- Continuous risk visibility and response
- Cost savings and workforce efficiency
“With Perimeter, our small VRM team can efficiently manage an ever-growing number of vendors while maintaining tight control over vendor risk.”
- Derrick Lowe, CSO at Orlando Health
Orlando Health is a private, not-for-profit network of community and specialty hospitals serving communities across Florida, Puerto Rico, and Alabama. Operating for over a century, Orlando Health is Central Florida’s fourth largest employer with nearly 41,000 employees and 5,750+ affiliated physicians across 105+ specialities.
The company manages over $14 billion in assets through its investment arm and is growing rapidly, expanding from eight hospitals to twenty-six in just six years.
The Challenge: A Cumbersome and Unscalable VRM Process
When Derrick Lowe, Orlando Health’s Chief Security Officer, joined the company six years ago, the Vendor Risk Management (VRM) process was largely manual.
The company’s GRC team relied on spreadsheets and long questionnaires to evaluate vendor security across domains, including encryption, data protection, access control, and risk posture. Each assessment took four to six weeks to complete, consuming hours of analyst time and delaying the vendor onboarding process.
“We were trying to support a rapidly growing business with tools that didn’t scale,” Lowe recalls. “Processes that had functioned when the company was smaller were no longer sustainable as the number of vendors we needed to assess grew rapidly.”
And scalability was only half of the challenge. Alongside the need for faster and less burdensome processes, Lowe concluded that Orlando Health could no longer simply accept questionnaire responses provided by vendors. They needed a way to verify responses via external scanning and risk scoring. Initially, this was achieved using a popular exposure management tool.
“The first tool we chose did a reasonable job of detecting a vendor’s vulnerabilities, exposed databases, and so on,” explains Lowe. “However, it didn’t automate the full VRM lifecycle, so the team was still doing a lot of manual work. The tool served a purpose at the time, but it didn’t provide the agility, automation, and scalability we really needed.”
To support its rapid growth, Orlando Health needed to modernize its entire VRM lifecycle while retaining its ability to verify vendor responses while significantly reducing assessment turnaround times and manual burden for the VRM team.
Crunch Time: Rapid Growth, Rising Risk
As Orlando Health expanded, its number of vendors soared to 6,000+ and growing. As a result, the GRC team was completing ~450 assessments per year, comprising both new and existing vendors. On top of this, the team had to investigate any existing vendor that experienced a breach to determine (or rule out) any impact on Orlando Health.
All of this represented a substantial investment of manual effort that could not be sustained without significantly increasing headcount. Added to the vendor onboarding delays caused by four to six week turnaround times for the assessment process, it was time to identify a better and more scalable solution.
“We had reached a point where manual processes were no longer sustainable,” states Lowe. “We needed to retain our ability to verify vendor responses, but with significantly less manual effort and much faster turnaround times.”
Ready for Painless VRM?
See how Perimeter delivers painless VRM for healthcare.
The Solution: Orlando Health Chooses Perimeter
Orlando Health’s venture arm, which invests in high-impact technology companies, introduced the GRC team to Perimeter, an end-to-end VRM platform.
Perimeter automates the entire VRM lifecycle, replacing manual processes with a fully automated risk management program that scales seamlessly. It delivers in the four areas most critical to Orlando Health:
- The company can manage its full VRM lifecycle in one place, including onboarding, assessment, monitoring, remediation, and reporting.
- The VRM team can build and automate workflows, eliminating the need for manual communications and chasing.
- Perimeter verifies vendor responses by scanning each vendor’s attack surface and validating their responses against billions of real-time data points.
- Continuous real-time monitoring of each vendor’s attack surface means the team will always know immediately when a vendor’s security posture changes.
When we say real-time, we mean real-time
One challenge Orlando Health had experienced with its original scanning tool was the lack of real-time validation of changes in a vendor’s security posture. For instance, a vendor may have resolved an issue following an assessment, but the tool took 48-72 hours to reflect the change, making it difficult for the GRC team to confirm. Perimeter monitors vendors continuously and reflects all changes immediately, removing this issue.
Orlando Health projected cost avoidance with Perimeter’s Unlimited tier while scaling assessments – keeping focus on outcomes and capability.
After a thorough evaluation, Perimeter was selected as a complete solution for Orlando Health’s VRM program, replacing the existing scanning tool and manual in-house systems.
“As a healthcare organization, we needed a tool that would significantly improve our VRM program’s efficiency without compromising on risk management,” says Lowe. “With Perimeter, that’s what we got, and with a pricing structure that remains fair and affordable as we grow.”
Book A Demo
See how Perimeter delivers painless VRM for healthcare.
Implementation and Time to Value
Onboarding was a collaborative process between Perimeter and Orlando Health’s GRC team. The platform was operational quickly, requiring minor customization to align with internal processes.
“The flexibility was a pleasant surprise,” Lowe recalls. “A lot of vendors aren’t willing to adapt their systems to fit a customer’s processes. Perimeter was very accommodating and made some tweaks to ensure our workflows ran smoothly. The implementation was turned around quickly, and the full solution was operational in a matter of days.”
Immediately, the team saw measurable results.
Results: Faster, Smarter, and More Scalable VRM
| Metric | Before | With Perimeter | Improvement |
| Assessment turnaround time | 4–6 weeks | 2–4 weeks | 50% |
| Analyst effort per assessment | ~180 minutes | ~90 minutes | 50% |
Perimeter replaced Orlando Health’s cumbersome manual processes with a flexible, fully automated, scalable VRM program. The solution delivers genuine risk management by validating all vendor responses with attack surface monitoring and reflecting all security posture changes (positive and negative) in real-time.
Key outcomes for Orlando Health included:
- Cost avoidance. Perimeter eliminated the need to hire additional FTEs despite significant vendor growth.
- Faster vendor onboarding. Faster assessments have removed delays to legal, contracts, and procurement processes, allowing the company to onboard new vendors more quickly.
- Real-time risk management. Continuous monitoring and real-time scoring enable the VRM team to manage changing risk, issue discretionary assessments, and validate responses.
“Perimeter has represented a huge step forward for VRM at Orlando Health,” says Lowe. “We’re more efficient, we’re managing risk more effectively, and we’re getting a lot more done without increasing headcount, even as we continue to scale.”
Beyond Compliance: Continuous Monitoring and Risk Response
Cybersecurity is one of Orlando Health’s top four enterprise risk categories. Consequently, VRM is not a box-ticking exercise. It’s a serious risk management program, reflecting the company’s commitment to protecting patient data and well-being. As CSO, Lowe can deny partnerships with vendors that exceed risk tolerance.
“VRM is about more than compliance,” says Lowe. “It’s our duty to ensure we manage vendor risk responsibly, and that requires constant monitoring and response. The sooner we know about an issue, the better we can address it. Perimeter helps us do precisely that, and in certain cases, it helps us identify vendors we shouldn’t be working with.”
Perimeter’s real-time scanning and alerting are now embedded in Orlando Health’s VRM operations. When a partner organization experiences a breach or security posture change, the GRC team is notified and can launch a discretionary assessment.
“We see a couple of vendor breaches every week,” Lowe explains. “With Perimeter, we can rule out impact very quickly. And if we need to take further steps like issuing a discretionary assessment, requesting changes, and validating a vendor’s response, the entire process is fast, painless, and updated immediately inside the platform.”
“With Perimeter, our small VRM team can efficiently manage an ever-growing number of vendors while maintaining tight control over vendor risk. This is precisely what we need to keep our patients safe as Orlando Health continues to grow.”
Ready for Painless VRM?
Onboarding included. Go live in as little as five days.
Looking to Enhance your TPRM Program?
Get in touch with a Perimeter third-party risk expert today to discuss how the latest innovations in attack surface monitoring and AI can help you more effectively manage your vendor risks.
"*" indicates required fields
