[BreachExchange] Building a Secure Vendor Relationship with Inventory Management

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 09:58:24 EST 2018


https://healthitsecurity.com/news/building-a-secure-vendor-relationship-with-inventory-management

The healthcare sector has been a primary target of hackers for more than a
year, and the attacks continue to increase in sophistication. While many
providers have adjusted their security posture in an attempt to shore up
defenses against some of these threats, vendor management remains a
vulnerability that is often mishandled.

In fact, to Jane Harper, Director of Privacy and Security for the Henry
Ford Health System, it’s an emerging risk that can wind up being a disaster
if not properly managed. The problem is that there’s a lot of data shared
between vendors and business associates, but often providers don’t know
what’s being shared — and with whom.

Consider some of the bigger health data breaches of the last few years
caused by vendor error. For example, a medical transcription vendor
<https://healthitsecurity.com/news/texas-health-says-3808-affected-by-healthcare-data-breach>
left a portion of a database exposed to the internet with data from at
least 2,300 providers.

In another transcriptionist case, an Orlando Orthopaedic Center vendor
<https://healthitsecurity.com/news/19k-orlando-orthopaedic-patients-at-risk-from-lax-vendor-security>
misconfigured access to a database during a software upgrade, and waited
six months to report it. The breach serves as a prime example of why vendor
management is crucial, especially when it comes to contractual obligations.

“The golden days, several years ago, when people thought of vendor
onboarding as similar to doing a transaction are over,” said Pam Hepp, a
healthcare attorney and shareholder of Buchanan, Ingersoll and Rooney.

“Originally, [healthcare organizations] looked at policies as they touched
the surface: They may have asked about whether the vendor had a breach, but
they didn’t do the deep dive on security,” she added. “And that’s assuming
they knew the number of vendors they had.”

As the Office for Civil Rights has ramped up enforcement efforts, the point
is being driven home that vendors are “just one more entry point into an
organization,” Hepp explained.

BUILDING A VENDOR RELATIONSHIP

One of the biggest challenges in vendor management lies in both inventory
and risk assessment. For Hepp, organizations should approach third-party
risk by treating vendor risk the same way they treat risk in their own
organization.

To start, organizations need to perform a risk assessment around the
vendor’s IT environment, along with the policies and procedures in place
from a privacy and security standpoint, explained Hepp. The frequency will
be determined by the size of the organization.

Larger organizations will have the resources to perform annual risk
assessments on their vendors, which will correlate with the assessment
performed on their own systems, Hepp said.

However, inventory may be the most critical risk area, and also the hardest
to address. Many organizations don’t know just how much data is on their
systems, let alone who has access to it. So, Hepp explained, having an
actual inventory of vendors and of the access each vendor has is critical.

“A number of health systems struggle with knowing what they have,” said
Hepp. “And there are a number of vendors that will interact with physical
systems and others don’t know if they have the same sort of privacy and
security privileges when they onboard a vendor.”

“That’s been a struggle: How to get their arms around what [data] they do
have and vendor relationships,” she added.

Hepp also noted there are some software programs now with AI and machine
learning components that can determine what’s on a system. Some of Hepp’s
clients are using that around the inventory side of management to help
monitor activity with those devices and even vendor products – just like
they would for their own organization.

“There are some software tools to get their arms on what vendors are out
there,” she added. “It’s becoming easier in that regard, from a software
perspective to determine what’s on the system and those vendors.”

And organizations “need to take steps to limit access on those systems,
just like with EHR access: It needs to be processed on accessing those
vendor portals,” she added.

“Pen testing, patch management and updates have been an issue as well, as
some vendors want to control that,” said Hepp. Organizations should push to
do the upgrades and patch management testing with vendor involvement.

As ransomware attacks have increased, “proper patch management is
absolutely critical in the vendor space,” she explained.

“Covered entities should be requesting copies of the vendor’s risk
assessments and evidence that they have implemented a risk management plan
(either in addition to, or perhaps for smaller organizations in lieu of
conducting their own risk assessment of the vendor),” said Hepp.

VENDOR MANAGEMENT CHECKLIST

Harper provided a third-party management checklist to simplify just how to
build a secure vendor relationship.

   1. Include the appropriate internal stakeholders.
   2. Monitor after the contract is signed, not just for SLA metrics but
      for security, privacy and general risk management considerations.
   3. Make sure any insurable risks related to the relationship are covered
      in insurance policies.
   4. Ensure the appropriate contracts are in place before data sharing
      occurs.
   5. In addition to any regulatory mandated requirements, ensure the
      contracting language and process includes:

      - Clearly defined service to be provided
      - Data protection considerations
      - Data privacy considerations
      - Data ownership considerations
      - De-identification of data, if applicable
      - Data destruction, return and archival considerations
      - Right to audit
      - Appropriate use
      - Breach notification and remediation considerations
      - Credit monitoring and reporting obligations in case of breach

CONTRACTUAL CONSIDERATIONS

Prior to HHS extending HITECH obligations directly to business associates,
vendor contracts were stiff and covered entities had little leverage. Hepp
explained that before HITECH, business associate agreements were merely a
way to satisfy the contractual obligations HIPAA placed on the covered
entity.

The HITECH changes, which went into effect around 2009, made business
associates directly subject to OCR enforcement. In fact, OCR’s Phase II
audits last year focused on business associates, including whether they
had conducted risk assessments and had a risk management plan in place.
Timeliness of notice of security incidents and breaches to covered
entities was also reviewed.

“That leveled the playing field with negotiating,” said Hepp. “Originally,
vendors wouldn’t negotiate agreements, wanting to insist on limitation of
liability and not wanting to have responsibility in this area. But we’ve
seen a shift because now they’re directly responsible from an OCR
enforcement standpoint.”

For Hepp, the most critical contractual issue is limitation of liability:
it should not exist in the vendor-healthcare provider arrangement. Without
it, if there is a breach, the resulting fines and costs fall on the party
that is actually liable, whether that is the vendor or the covered entity.

The costs of a breach add up: fines, breach notifications, risk
assessments, credit monitoring and the like. If an organization accepts a
liability limitation with a vendor, it could prove costly, especially when
considering remediation efforts, fines and litigation.

“Organizations will need to negotiate,” said Hepp. “There also needs to be
a strong awareness around compliance — and again keeping in mind to do due
diligence on how breach notification is handled. Typically, the providers
are going to want to control notice to their own patients.”

Hepp also noted that it’s critical that vendors carry cyber insurance to
cover their liability. Indemnification with respect to a breach must also
be included in the contract.

As for the red flags to avoid, Hepp said any hint of a limitation of
liability and an unwillingness to indemnify are the biggest. Another is a
vendor that does not carry cyber insurance.

“Obviously, those are business decisions,” she said. “They are legal
provisions, and an organization will need to decide on whether they still
want to do business. But at the end of the day, it becomes a business
decision.”

“If [the vendor] is not willing to stand behind their own negligence or
breaches/incidents, that would be a red flag,” Hepp added. “They need to
stand behind their own performance.”