CORL Dodging Breaches from Dodgy Vendors

Transcription

1 CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare

2 Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology Focused exclusively on healthcare, in the area of security compliance and vendor risk management.

3 The Unlocked Backdoor to Healthcare Data Majority of healthcare vendors lack minimum security practices, well short of HIPAA standards Healthcare organizations are often unaware of how many of their vendors have access to protected health information There are an overwhelming number of small and niche healthcare vendors for organizations to manage Healthcare organizations do little to gain assurances or enforce security requirements for vendors Target CEO, CIO resign after massive breach caused by vendor

4 Vendor Risk Management versus Vendor Security Risk Management Vendor Risk Management (VRM) typically focuses on elements such as financial risk, legal risk, supply chain risk, etc. VRM is not focused on information security risk and does little to tell you about a vendor s ability to protect your confidential information. Vendor Security Risk Management (VSRM) service fills this gap with an objective security analysis of existing and prospective vendors. A robust VSRM provides organizations with a level of confidence in the ability of a vendor to protect their confidential information.

5 What is the exposure? Breach Risk Regulatory Risk Financial Risk Many vendors of your vendors have inadequate controls Cannot transfer notification and breach response risk Limited reasonable & appropriate assurance / willful neglect Vendors are inconsistently and infrequently assessed 50% or more of vendors do not have financial capability to handle breach notification Customer incurs brunt of financial and reputational impact

6 Org. resources cannot keep up Identify Vendor Contact Provide guidance to Business Negotiate with the Vendor Send and Explain Survey Validate the Responses Monitor Vendor Progress Review Response Follow-up for Clarification

7 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Many # of Vendors Few

8 Vendor Scenarios Scenario A The vendor product is on the Org. network (there is no vendor support). Scenario B The vendor product is on Org. network and is supported remotely by the vendor. Scenario C The vendor provides services by connecting remotely to the Org. network (e.g., medical coding) Scenario D Professional services/contractors (e.g., on-site, consulting, maintenance) with on-site access to Org. network Scenario E Org. sends data to vendor. Scenario F Cloud vendor provider.

9 Existing vendor security programs have significant blind spots Most healthcare organizations focus due diligence on their largest vendors BUT Healthcare Organization s Vendor Breakdown by Size VL 21% L 21% Breach data shows that over half of breaches are attributed to smaller companies S M L VL S 34% M 24% Smaller firms are also often attacked in attempt to get to bigger firms. The Washington Post

10 Vendors are not protecting healthcare data Vendor Score Definitions Vendor Score Breakdown A - High confidence that vendor demonstrates a strong culture of security B - Moderate confidence that vendor demonstrates a culture of security C - Indeterminate confidence that vendor demonstrates a culture of security D - Lack of confidence based on demonstrated weaknesses with vendor s culture of security F - No confidence in vendor s ability to protect information D- 24% D+ 8% F 8% A 1% A+ 3% B 7% D 26% B- 3% B+ 6% C+ 5% C 8% C- 1%

11 Understanding Risk F Different types of vendor organizations require different strategies VSRM programs adapt risk strategies to the size and capabilities of the vendor s organization 30 F F F 20 D D D D C 10 C C B B 0 C A B B A S M L VL S , M , L , VL

12 Healthcare organizations are not holding vendors accountable for meeting minimum acceptable security standards Security Certifications Security certifications provide third party validation of security practices Examples for the industry include: HITRUST AICPA SOC 2 and 3 reports ISO FedRAMP Important for organizations to understand the scope and baseline criteria used for certifications Yes 32% No 68%

13 Resource constraints with traditional approaches produce minimal results Identify Risky Vendors Review Vendor Questionnaire Response Validate Questionnaire Response Perform Audit Risk Strategy (improve security practices, insurance, limit access, accept, no additional business) 15-20% of vendors

14 Resources by the Numbers Process = 3-5 days/vendor Process = $1,500- $2,000/ Vendor Process = / Vendors / FTE Process = / Organization Process = 7-10 FTEs / Organization

15 15 Life-cycle capabilities existing methods Understand Risk Manage Risk Apply Risk Monitor Risk

16 Assurance from vendors that access PHI Typical Health Org Profile 16 Managing Risk Total Vendors 1%4% 5% 15% No understanding of risk 75% New Contracts Existing vendors with a recent assessment Existing vendors with no assessment Contract Renewals Existing vendors with an outdated assessment

17 17 Life-cycle capabilities Understand Risk Manage Risk Apply Risk Monitor Risk

18 18 Life-cycle capabilities (Yr2) Understand Risk Manage Risk Apply Risk Strategy Monitor Risk

19 19 Life-cycle capabilities (Yr3) Understand Risk Manage Risk Apply Risk Strategy Monitor Risk

20 20 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Many # of Vendors Few

21 21 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Managing Risk No Risk Strategy

22 22 Comprehensive Lifecycle Approach Profile Risk Monitor Risk Fundamental Components Understand Risk Manage Risk

23 23 Fundamental Practices Clear Objectives Leadership Reporting Negotiation Objectives Clearly established goals and objectives for the VSRM program Consistent communication plan/process to inform leadership of vendor risk exposure Clearly defined outcomes and options Vendor Communication Processes for the consistent and clear communication of expectations Stakeholder Collaboration Communication among key stakeholders to provide insight into current and upcoming vendor products, risk exposure, and scheduled audits. Risk Model Model to consistently assess, prioritize and measure vendor risk Tools Tools to support data gathering, analysis, reporting and process workflow. People Clear accountability and responsibility for vendor security risk management

24 24 Risk Model Providing the same focus and management for all vendors is not practical from a resource, cost and organizational perspective. A risk model for vendor security will enable an organization to methodically prioritize and focus resources on vendors that present the highest risk to the organization. Vendor Security Risk is a function of the likelihood that a vendor will experience a breach and the impact of that breach on the organization. Determining Likelihood The factors that increase the likelihood of a vendor breach are based on some inherent characteristics of the company (e.g., size and geographic scope), and, more importantly, the robustness of their security program. The following are criteria that should be considered in determining likelihood of risk. Control Environment 1. Presence of a security program 2. Presence of key security controls 3. Quality of Security Team 4. Quality of Security Leadership 5. Breach History 6. Data at Rest Security 7. Subcontractors Inherent Characteristics 1. Business Description 2. Size 3. Geographic Scope 4. Year Founded 5. Industry Sectors 6. Annual Sales 7. Client Industry(s) Serviced 8. Data Processed/Stored 9. Experience with Org

25 25 Profile Identify Vendors Comprehensive source of vendors with access to Org. network or data. Profile Vendors (Risk Rank) Classification of vendors based on their impact and likelihood.

26 Initial Risk Profile Method for profiling and prioritizing vendor security risk Leveraging sophisticated data analytics and industry research Based on standards based methodologies

27 27 Understand Risk Gather Information Routine processes to collect valuable data for making risk management decisions. Validate Information Consistent process to gain reasonable assurance about the control environment. Analyze Risk Consistent process to gain reasonable assurance about the control environment.

28 28 Breach Risk versus Security Program Maturity HIGH Breach Risk MED LOW Ad-hoc / informal Security Policies, Procedures, Tech Controls Policies, Procedures, Tech Controls for Key Controls Security Leadership & Capable Resources Security Program Executive led information protection programs Security Program Maturity

29 29 Breach Risk versus Assurance Options HIGH Breach Risk MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Certification of Vendor s Security Program Periodic Customer Verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

30 30 Assurance Costs versus Assurance Options HIGH Assurance Cost MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Certification of Vendor s Security Program Periodic Customer verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

31 31 Breach Risk versus Assurance Costs versus Assurance Options HIGH Breach Risk & Assurance Cost MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Verification of Vendor s Security Program Periodic Customer Verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

32 32 Risk Strategy Define Risk Strategy Options Analyze the vendor risk to determine the appropriate action needed to reduce potential impact. Communicate and Negotiate with Vendor Process to communicate with vendors when contractual terms are not met. Implement Strategy Execution of appropriate action when vendors consistently fail to meet contractual terms.

33 33 Risk Strategies OVERALL VENDOR SECURITY RISK Vendor Implements Security Controls AVOID RISK Contract Terms Vendor carrying Cyber-risk insurance Only allow inhouse implemented solution Temporarily accepting risk and tracking a RAF Terminate the Contract

34 Residual Risk Profile Management Reports Clear vision of vendor security risk management objectives Executive level communication Program effectiveness

35 35 Monitoring Tracking and Reporting Vendor Progress Process to inspect vendor progress over time and report details to leadership. Identifying Changes in Vendor Risk Examine vendor compliance progress and determine if vendor s overall risk has improved or deteriorated.

36 On-going Monitoring Many organizations rarely revisit their initial vendor assessments to determine if the risk profile has improved or deteriorated An organizations should provide a mechanism for on-going monitoring and updates of vendor risk profiles The VSRM function should notify the organization of events, such as breaches or expiration of a security certification Community Input Report Updates Alerts

37 CORL VSRM Corl s Vendor Security Risk Management (VSRM) service combines risk intelligence with responsibly shared input from the community to help you manage vendor risk. Meaningful input responsibly shared by peers. Continuous & proactive monitoring by data analytics engine & research analysts Research analysts supported by off-shore resources provide scalable and on-demand managed services Innovative scoring & intelligence reporting

38 CORL is engineered to deliver information for risk strategies as efficiently as possible 38 Corl Initial Risk Profile Review Vendor Questionnaire Response Corl Scores Validate Questionnaire Response Perform Audit Risk Strategy (improve security practices, insurance, limit access, accept, no additional business) 80+% of vendors

39 Thank You Cliff Baker CEO, CORL Technologies