[BreachExchange] Assessing Vendor Risk for Stronger Health Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 10:40:12 EDT 2016


http://healthitsecurity.com/news/assessing-vendor-risk-for-stronger-health-data-security

Whether a healthcare organization hires vendors to process customer
payments, store HR data in the cloud or run the IT help desk, it extends
its overall cyber risk environment to that of its third-party providers.
Too often, healthcare decision-makers assume that their vendors’ health
data security controls match their own.

Or, healthcare organization leaders assume that they can rely on
cybersecurity technology solutions alone to monitor vendor risk. That would
be a mistake.

Look no further than the Anthem Healthcare and Excellus Blue Cross Blue
Shield breaches – both triggered by compromises on the part of third-party
vendors – for proof that you’re only as strong as the weakest link in your
chain.

These incidents underscore a broader issue which demands more attention
from healthcare leaders.

Just 41 percent of organizations indicate that their vendors’ data
safeguards and security policies/procedures can sufficiently respond to a
breach, according to survey research from the Ponemon Institute. Only 35
percent of survey participants said their organization conducts a frequent
review of vendor management policies to ensure they address third-party
risk. Even more alarming, 73 percent do not believe a vendor would notify
them if the vendor experienced a data breach.

So, should we conclude that inheriting your third-party partners’
vulnerabilities is simply “the cost of doing business”?

Unfortunately, too many healthcare organizations have convinced themselves
that this is, indeed, the case. But, it doesn’t have to be.

Business associate agreements and cyber risk

Through a carefully conceived and executed vendor risk management program,
organizations can minimize exposure to data loss or theft while still
pursuing productive partnerships. Regulatory mandates such as HIPAA have
already pushed healthcare leaders to scrutinize vendors more closely,
chiefly through business associate agreements.

Specifically, they need to verify to their boards that their partners are
complying with the same laws which apply to their organization.

But, to elevate your cyber risk posture in a meaningful way, you must go
beyond the “check the boxes” approach encouraged by regulatory compliance.

Instead, you have to develop “true risk” profiles of your vendors – the
first step in implementing a cohesive, holistic vendor risk management
program that ensures these relationships won’t raise your risk level. Such
a program aligns risk management with strategic goals, keeping a firm hand
on your vendors’ security assurance while still deriving the same – or
better – value-generating outcomes.

For starters, you conduct a thorough classification of all vendors to
determine their level of inherent risk. You create a true risk profile that
is measurable, one that you can assign a “score” to.

After scoring, you sort out lower-risk partners from higher-risk ones.
Then, you turn your attention to the latter, where on-site
audits/assessments can be used to evaluate the controls in place to protect
your sensitive data. The audits should explore inquiries such as these:

What does the vendor supply – cloud-hosted software? Data center support?
Tech consulting?
What kind and how much of our data does the vendor store?
What would be the business impact of the loss or compromise of this data?
Where is the data stored physically?
Does the vendor use our computers, devices, hardware, software, etc., or
its own?

These inquiries are intended to improve your high-risk partners’ practices,
so that you can eventually document either that their data safeguards
operate effectively and meet your standards, or that any shortcomings can
be corrected within a short period of time.

You should consider the true risk profile as a continuous effort, because
vendor relationships evolve. Service agreements will expand, so your
assessment capabilities must scale accordingly.

You have to constantly monitor these partnerships as terms and deliverables
change, to ensure your due diligence stays up-to-date. This doesn’t apply
strictly to the vendors who “score high” on risk. Those who come out with
strong grades should be subject to continuous evaluation as well – perhaps
in the form of a written, follow-up questionnaire, as opposed to an onsite
visit.

In either case, you keep scoring with residual risk ratings, so the
organization maintains awareness of its entire vendor risk posture at all
times. If a high-risk vendor fails to improve its score, you must sever the
agreement and align instead with vendors that have earned lower risk
ratings. This creates value by minimizing the risk of breaches and data
loss, and by eliminating the costly, time-consuming remediation and
monitoring effort that higher-risk vendors demand.
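To make the scoring procedure concrete, here is an added Python example (not from the article, and not any vendor's or regulator's model) that turns the audit questions above into an inherent-risk score, tiers vendors, picks the assessment method by tier, derives a residual rating from the assessed effectiveness of the vendor's controls, and applies the accept/remediate/terminate rule across assessment cycles. The ordinal scales, weights, tier thresholds, tolerance level and the three sample vendors are all assumed for illustration; a real program would calibrate them to its own risk appetite.

```python
"""Added example: a minimal vendor risk scoring model.

Scales, weights, thresholds and the sample vendors below are assumed for
illustration; a real program would calibrate them to its own risk appetite.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for the audit questions (assumed values).
DATA_SENSITIVITY = {"none": 0, "internal": 1, "pii": 3, "phi": 5}
DATA_VOLUME = {"none": 0, "low": 1, "medium": 3, "high": 5}
BUSINESS_IMPACT = {"negligible": 0, "minor": 1, "moderate": 3, "severe": 5}
DATA_LOCATION = {"onsite": 0, "domestic_cloud": 2, "offshore": 4}
DEVICE_OWNERSHIP = {"ours": 0, "theirs": 2}  # vendor-owned devices are harder to monitor

# Relative weight of each question in the inherent score (assumed).
WEIGHTS = {"sensitivity": 3, "volume": 2, "impact": 3, "location": 1, "devices": 1}
MAX_RAW = (WEIGHTS["sensitivity"] * max(DATA_SENSITIVITY.values())
           + WEIGHTS["volume"] * max(DATA_VOLUME.values())
           + WEIGHTS["impact"] * max(BUSINESS_IMPACT.values())
           + WEIGHTS["location"] * max(DATA_LOCATION.values())
           + WEIGHTS["devices"] * max(DEVICE_OWNERSHIP.values()))

HIGH_TIER = 60            # inherent score at or above this gets an on-site audit
MEDIUM_TIER = 30
RESIDUAL_ACCEPTABLE = 30  # residual rating at or below this is tolerated


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str        # what the vendor supplies
    sensitivity: str    # most sensitive class of our data the vendor stores
    volume: str         # how much of our data it holds
    impact: str         # business impact if that data is lost or compromised
    location: str       # where the data physically lives
    devices: str        # whose hardware/software the vendor works on


def inherent_score(v: Vendor) -> int:
    """Weighted sum of the questionnaire answers, normalised to 0-100."""
    raw = (WEIGHTS["sensitivity"] * DATA_SENSITIVITY[v.sensitivity]
           + WEIGHTS["volume"] * DATA_VOLUME[v.volume]
           + WEIGHTS["impact"] * BUSINESS_IMPACT[v.impact]
           + WEIGHTS["location"] * DATA_LOCATION[v.location]
           + WEIGHTS["devices"] * DEVICE_OWNERSHIP[v.devices])
    return round(100 * raw / MAX_RAW)


def tier(score: int) -> str:
    if score >= HIGH_TIER:
        return "high"
    if score >= MEDIUM_TIER:
        return "medium"
    return "low"


def assessment_method(risk_tier: str) -> str:
    """High-risk vendors get an on-site audit; the rest a written questionnaire."""
    return "onsite" if risk_tier == "high" else "questionnaire"


def residual_score(inherent: int, control_effectiveness: float) -> int:
    """Inherent risk reduced by the share of it the assessed controls mitigate.

    control_effectiveness is the auditor's 0.0-1.0 rating of the controls
    actually observed, not of what the contract promises.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return round(inherent * (1.0 - control_effectiveness))


def decision(previous_residual: Optional[int], current_residual: int) -> str:
    """Accept, remediate, or terminate, based on this and the previous cycle."""
    if current_residual <= RESIDUAL_ACCEPTABLE:
        return "accept"
    if previous_residual is None or current_residual < previous_residual:
        return "remediate"   # first finding, or improving: allow a remediation window
    return "terminate"       # still above tolerance and not improving


def assess(v: Vendor, control_effectiveness: float,
           previous_residual: Optional[int] = None) -> dict:
    """One assessment cycle for a vendor: score, tier, method, residual, decision."""
    score = inherent_score(v)
    t = tier(score)
    residual = residual_score(score, control_effectiveness)
    return {"vendor": v.name, "inherent": score, "tier": t,
            "method": assessment_method(t), "residual": residual,
            "decision": decision(previous_residual, residual)}


# Constructed sample vendors (not real organisations).
SAMPLE_VENDORS = [
    Vendor("CloudEHR", "cloud-hosted software", "phi", "high", "severe", "domestic_cloud", "theirs"),
    Vendor("PayCo", "payment processing", "pii", "medium", "moderate", "offshore", "theirs"),
    Vendor("DeskSupport", "IT help desk", "internal", "low", "minor", "onsite", "ours"),
]

if __name__ == "__main__":
    for v, eff in zip(SAMPLE_VENDORS, (0.7, 0.4, 0.5)):
        print(assess(v, eff))
```

The residual rating, not the inherent score, is what the follow-up cycles compare: a vendor with a high inherent score and strong observed controls can still be acceptable, while one whose residual stays above tolerance for two cycles without improving is flagged for termination, as the article prescribes.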

In the modern age, you can’t gain competitive edge without good third-party
partners. They deliver on essential needs while your organization focuses
on its core competencies/mission.

But, as global market and technology trends seemingly shift with greater
velocity every day, you can’t afford to overlook risk management because
“it gets in the way of business.”

Thanks to a fully realized true risk profile program, you’ll avoid this
scenario entirely. You’ll know which vendors carry the most risk and which
pose the least, and expand relationships with the latter while distancing
your organization from the former.