Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress
Healthcare and Security

"Information Security is simply a personal commitment to take very seriously the responsibility to uphold the trust that patients placed on us when sharing their most intimate information during the most vulnerable moments of their lives." - Fernando Pedroza, Information Security Officer, University of Colorado Health
The Unlocked Backdoor to Healthcare Data

» The majority of healthcare vendors lack minimum security practices, well short of HIPAA standards
» Healthcare organizations are often unaware of how many of their vendors have access to protected health information
» There is an overwhelming number of small and niche healthcare vendors for organizations to manage
» Healthcare organizations do little to gain assurances or enforce security requirements for vendors

Headline: Target CEO, CIO resign after massive breach caused by vendor
Vendor Risk Management versus Vendor Security Risk Management

» Vendor Risk Management (VRM) typically focuses on elements such as financial risk, legal risk, supply chain risk, etc.
» VRM is not focused on information security risk and does little to tell you about a vendor's ability to protect your confidential information.
» Vendor Security Risk Management (VSRM) services fill this gap with an objective security analysis of existing and prospective vendors.
» VSRM services can provide organizations with a level of confidence in the ability of a vendor to protect their confidential information.
Why a Strong VSRM Program is Important

» Ponemon Institute Report, March 2014: third-party snafus account for 41 percent of breaches
» PwC 2013 Global State of Information Security Survey: over the past three years, the share of security incidents at companies attributed to partners and vendors has risen from 20% in 2010 to 28% in 2012
» Trustwave 2012 Global Security Report: 76% of data breaches analyzed by Trustwave resulted from a third party that introduced the security deficiencies that were ultimately exploited
What is the exposure?

Exposure → Consequence for the covered entity
» 50% or more of your vendors have inadequate controls → Covered entity is on the hook for HHS and patient notification
» Vendors are inconsistently and infrequently assessed → Compliance exposure and willful neglect of vendor risk
» 50% or more of vendors do not have the financial capability to handle breach notification → Covered entity incurs the brunt of the financial and reputational impact
Current State

All data references in this section are from the Corl Technologies Healthcare Vendor Security Report.
An average hospital's data is accessible by hundreds to thousands of vendors providing a wide range of services:

» Business Services (e.g., legal, accounting, data destruction)
» Business Services - Revenue Cycle (e.g., billing, collections)
» Business Services - Business Process Outsourcing (e.g., marketing, coding, transcription)
» Claims Processing
» Consulting - Healthcare Processes
» Consulting - IT & Security
» Educational
» Healthcare Technologies
» Industry Trade Groups
» Medical Devices
» Medical Supplies
» Clinical Support Services
» Network Development & Management
» Security
» Software
» Hosting Services
Existing vendor security programs have significant blind spots

Most healthcare organizations focus due diligence on their largest vendors, BUT breach data shows that over half of breaches are attributed to smaller companies. Smaller firms are also often attacked in an attempt to get to bigger firms (The Washington Post).

Healthcare organization's vendor breakdown by size (S: 1-100 employees, M: 101-1000, L: 1001-10000, VL: 10001+):
» S: 34%
» M: 24%
» L: 21%
» VL: 21%
Vendors are not protecting healthcare data

Vendor score definitions:
» A - High confidence that vendor demonstrates a strong culture of security
» B - Moderate confidence that vendor demonstrates a culture of security
» C - Indeterminate confidence that vendor demonstrates a culture of security
» D - Lack of confidence based on demonstrated weaknesses with vendor's culture of security
» F - No confidence in vendor's ability to protect information

Vendor score breakdown:
» A+ 3%, A 1%
» B+ 6%, B 7%, B- 3%
» C+ 5%, C 8%, C- 1%
» D+ 8%, D 26%, D- 24%
» F 8%
Understanding Risk

[Chart: number of vendors at each score (A through F) by company size, S / M / L / VL; sizes: S 1-100, M 101-1000, L 1001-10000, VL 10001+]

» Different types of vendor organizations require different strategies
» VSRM programs adapt risk strategies to the size and capabilities of the vendor's organization
Healthcare organizations are not holding vendors accountable for meeting minimum acceptable security standards

» Security certifications provide third-party validation of security practices
» Examples for the industry include: HITRUST; AICPA SOC 2 and SOC 3 reports; ISO 27001; FedRAMP
» It is important for organizations to understand the scope and baseline criteria used for certifications

Vendors holding a security certification: Yes 32%, No 68%
Fundamentals
Common Vendor Security Program Weaknesses

» Leadership communication: difficulty accurately communicating risk exposure to leadership; communication is inconsistent
» Vendor communication: communication is sporadic, inconsistent and unclear
Why are there weaknesses?

» Not seeing the forest for the trees
  - Being too busy gathering data leaves limited time for risk management.
  - Unclear objectives for vendor security risk management: check-the-box compliance or true reduction of risk?
  - Lack of executive-level reporting.
Why are there weaknesses (cont.)?

» Data gathering is not aligned with objectives
  - Data does not support risk management decision making.
  - Data transfers risk from the vendor to your organization!
  - Data is gathered at a point in time.
  - Data is not adequately verified, and could be unreliable or untrue.
» Overwhelming volume
  - Resource capacity cannot meet existing requirements.
  - Vendors in healthcare, on average, score poorly on security risk measures, so more due diligence is often required.
  - Lack of cooperation from vendors: it is time consuming and unproductive to continually follow up with non-responsive vendors.
Breach Risk versus Security Program Maturity

[Chart: breach risk (HIGH / MED / LOW) falls as security program maturity rises through these stages: ad-hoc / informal security; policies, procedures and technical controls; policies, procedures and technical controls for key controls; security leadership and capable resources; security program; executive-led information protection programs]

Mature security program = security controls that will reliably protect data over the long term
Understanding Risk versus Assurance Options

Vendor security assurance options, ordered from the most limited to the highest level of understanding of risk:
1. Contractual obligations
2. Vendor attestation of controls
3. 3rd-party verification of key controls
4. Customer verification of key controls
5. Periodic 3rd-party certification of vendor's security program
6. Periodic customer verification of security program
7. Continuous monitoring of vendor's security program

Assurance Costs versus Assurance Options

[Chart: assurance cost (LOW / MED / HIGH) for each of the assurance options above] Requiring certifications is the most efficient approach to validating effective vendor security programs over time.

Assurance Value versus Assurance Cost

[Chart: level of assurance (LOW / MED / HIGH) against assurance cost for each of the assurance options above; periodic 3rd-party certification is marked as the lowest-cost option for its level of assurance]
Complete VSRM Program
Life-cycle capabilities (a continuous cycle): 1. Profile → 2. Due Diligence → 3. Apply Risk Strategy → 4. Monitoring → back to 1. Profile
Life-cycle capabilities (process flow)

1. Profile
» 1.1 Identify Vendors (New vendor? If yes, gather the profile data; if no, re-profile on updated information)
  Profile data: PHI access, last 12 months' spend, business description, name, company size, company age, risk of financial failure, existence or absence of offshore operations
» 1.2 Request Vendor List
» 1.3 Analyze Vendor Exposure Likelihood
» 1.4 Analyze Potential Breach Impact
» 1.5 Generate Vendor Risk Profile
  - 1.5.1 Identify generalized risk parameters: age, size, financial risk, offshore operations
  - 1.5.2 Calculate generalized vendor risk
  - 1.5.3 Identify potential breach impact: spend, sector
  - Known vendor security concerns? If yes: 1.5.4 Document known security concerns; 1.5.5 Update potential impact score
  - 1.5.6 Generate initial vendor risk map: 1.5.6.1 Create initial vendor risk profile; 1.5.6.2 Review vendor risk profile; are there refinements to make? If yes: 1.5.6.3 Update vendor data; 1.5.6.4 Generate initial vendor risk map
» 1.6 Request Vendor RFP (PHI-only vendors; data: spend, list, business description, name). Contract with end vendor(s)?
» 1.7 Run Corl Score
» 1.8 Select Vendors for Due Diligence
» 1.0 Profile vendors based on updated information (loop from Monitoring)

2. Due Diligence
» 2.1 Evaluate Vendor Risk. Understand the risk? If yes, go to 3.0 Apply Risk Strategy; if no, gather more information:
» 2.2 Request Corl Report
» 2.3 Issue Vendor Security Questionnaire
» 2.4 Conduct Desk Audit
» 2.5 Conduct On-site Audit
  After each step: is more information required to satisfy due diligence? If no, go to 3.0. Steps may be performed with internal or external resources.

3. Apply Risk Strategy
» 3.0 Apply Risk Strategy (see Risk Strategy below)

4. Monitoring
» 4.1 Define Vendor Monitoring Strategy (low-, medium- or high-level monitoring)
» 4.2 Select Vendor Monitoring Strategy
» 4.3 Review Vendor Monitoring Strategy. Does the monitoring strategy need to be updated? If yes, return to 4.1
» 4.5 Enforce Vendor Monitoring Strategy, then return to 1.0 Profile vendors based on updated information
1. Vendor Profiling

OBJECTIVE
» To quickly and efficiently identify high-risk vendors
  - Pre-emptively avoid any potential risk
  - Focus resources on those vendors that present the least confidence

IMPLEMENTATION
Risk = Impact x Likelihood
» Likelihood: factors that increase the probability the vendor will experience or cause a breach
» Impact: if the vendor experiences a breach, the loss (dollars, downtime) that the Client can expect to incur
Initial Vendor Risk Profile

» Method for profiling and prioritizing vendor security risk
» Relative risk ranking
» Establishes a priority and a methodology for moving forward
2. Vendor Due Diligence

OBJECTIVE
» Gather data to support the risk strategy

IMPLEMENTATION
» Leverage intelligence
» There is no need to perform diligence if you already understand the risk well enough to choose the follow-up risk strategy
» The level of risk should drive the level of due diligence and/or assurance
Leverage intelligence to determine appropriate assurance for the vendor population

[Diagram: Traditional approach: total vendors → validated response → audits, leaving most vendors with no reasonable assurance. Intelligence-based approach: total vendors → initial risk profile → intelligence → validated response → audits, with reasonable assurance across the vendor population]
Using Intelligence to Determine Assurance Strategy

Example: risk strategies may vary depending on the nature of the vendor's offering to the organization.
» Score A: Monitor vendor; perform audit to confirm accuracy of certification
» Score B: Perform additional due diligence (interview CISO, review SSAE 16); require additional certification
» Score C: Perform additional due diligence (interview CISO); require key control attestation; require certification
» Score D: Require key control attestation; require certification; limit access to data; increase insurance requirements
» Score F: Immediately contact vendor; limit access to data; increase insurance requirements
3. Risk Strategy

OBJECTIVE
» To take the appropriate action to manage and reduce the risk to the Client presented by the vendor.

RISK TREATMENT OPTIONS
» Avoidance (cancel contract, eliminate access to PHI)
» Reduction (ensure the vendor has a reliable security program)
» Sharing (transfer via cyber-risk insurance)
» Retention (accept and budget)
Residual Risk Profile: program management reports
» Clear vision of vendor security risk management objectives
» Executive-level communication
» Program effectiveness
Risk Strategy by Organization Type: Large / Medium vendors

» Score A: 1. Monitor status of certification; 2. Monitor for breach; 3. Annual re-evaluation; 4. Minimum large-company cyber risk insurance level
» Score B: 1. Require certification within 12 months or remediation of issue; 2. Monitor for progress; 3. Monitor for breach; 4. Annual re-evaluation; 5. Minimum cyber risk insurance level + 10%
» Score C: 1. Require remediation of key controls within 6 months; 2. Require certification within 12-18 months; 3. Monitor for progress; 4. Monitor for breach; 5. Annual re-evaluation; 6. Minimum cyber risk insurance level + 10% to 50%
» Score D: 1. Require remediation of key controls within 6 months; 2. Require certification and remediation of issue within 12-18 months; 3. Monitor for progress; 4. Monitor for breach; 5. Annual re-evaluation; 6. Double the minimum cyber risk insurance level; 7. Start investigating solution options
» Score F: 1. Activate incident handling procedures
Risk Strategy by Organization Type: Medium / Low vendors

» Score A: 1. Monitor status of certification; 2. Monitor for breach; 3. Annual re-evaluation; 4. Minimum small-company cyber risk insurance level
» Score B: 1. Require remediation of key controls within 6 months; 2. Option 1: require certification within 12-18 months; 3. Option 2: require 3rd-party confirmation of key controls; 4. Monitor for progress; 5. Monitor for breach; 6. Annual re-evaluation; 7. Minimum small-company cyber risk insurance level + 10%
» Score C: 1. Require remediation of key controls within 6 months; 2. Option 1: require certification within 12-18 months; 3. Option 2: require 3rd-party confirmation of key controls; 4. Monitor for progress; 5. Monitor for breach; 6. Annual re-evaluation; 7. Minimum cyber risk insurance level + 10% to 50%
» Score D: 1. Require remediation of key controls within 6 months; 2. Require certification and remediation of issue within 12-18 months; 3. Monitor for progress; 4. Monitor for breach; 5. Annual re-evaluation; 6. Double the minimum cyber risk insurance level; 7. Start investigating solution options
» Score F: 1. Activate incident handling procedures
4. Monitoring

OBJECTIVE
» To periodically re-evaluate the vendor to ensure risks do not increase and milestones, if any, are being met.

IMPLEMENTATION
» Based on the vendor's risk classification, determine if changes in risk have occurred since the last review.

Vendor classification: Moderate to Low risk vendors
» Monitoring activities: re-profile the vendor for basic changes in inherent risk, including recent breaches, financial performance, mergers and acquisitions
» Monitoring frequency: once per year, or on notice of a major event

Vendor classification: Moderate-High to Critical vendors
» Monitoring activities: re-profile the vendor for basic changes in inherent risk; review the status of corrective actions to ensure deadlines and milestones are met
» Monitoring frequency: once per quarter to once per year depending on corrective actions, or on notice of a major event
On-going Monitoring

» Many organizations rarely revisit their initial vendor assessments to determine if the risk profile has improved or deteriorated
» Implement a mechanism for on-going monitoring and updates of vendor risk profiles
» Implement a notification process for events such as breaches or expiration of a security certification

Inputs to on-going monitoring: community input, report updates, alerts
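The profiling step (Risk = Impact x Likelihood, with likelihood and impact factors drawn from the profile data listed under 1. Profile) and the monitoring step (re-profile the vendor when its inherent risk changes) can be expressed as a small scoring routine. The example below is added here for illustration; it is not the presenters' method or Corl's scoring, and the factor weights, the 1-25 risk scale, the tier thresholds, and the mapping from tier to due-diligence step and monitoring frequency are assumptions chosen to follow the deck's guidance (smaller, younger, financially weak and offshore vendors raise likelihood; PHI access and spend raise impact; level of risk drives level of diligence). The sample vendors are constructed.

```python
"""Vendor risk profiling: Risk = Impact x Likelihood (added example, assumptions marked)."""
from __future__ import annotations

from dataclasses import dataclass, replace


def size_band(employees: int) -> str:
    """Size bands as used in the deck: S 1-100, M 101-1000, L 1001-10000, VL 10001+."""
    if employees <= 100:
        return "S"
    if employees <= 1000:
        return "M"
    if employees <= 10000:
        return "L"
    return "VL"


@dataclass(frozen=True)
class VendorProfile:
    """The profile data the deck lists for step 1 (PHI access, spend, size, age,
    financial-failure risk, offshore operations) plus known security concerns."""
    name: str
    accesses_phi: bool
    annual_spend_usd: float
    employees: int
    company_age_years: int
    financial_failure_risk: str          # "low" | "medium" | "high"
    offshore_operations: bool
    known_security_concerns: tuple[str, ...] = ()
    recent_breach: bool = False


def likelihood_score(v: VendorProfile) -> int:
    """1..5: factors that raise the probability the vendor experiences or causes a breach.
    The weights are assumptions for this example, not values from the deck."""
    score = 1
    score += {"S": 2, "M": 1}.get(size_band(v.employees), 0)  # breach data skews to smaller firms
    if v.company_age_years < 3:
        score += 1
    if v.financial_failure_risk == "high":
        score += 1
    if v.offshore_operations:
        score += 1
    if v.known_security_concerns or v.recent_breach:  # step 1.5.4: documented concerns
        score += 1
    return min(score, 5)


def impact_score(v: VendorProfile) -> int:
    """1..5: what the covered entity stands to lose if this vendor is breached (assumed weights)."""
    score = 1
    if v.accesses_phi:            # PHI exposure means HHS and patient notification for the covered entity
        score += 2
    if v.annual_spend_usd >= 1_000_000:
        score += 2
    elif v.annual_spend_usd >= 100_000:
        score += 1
    return min(score, 5)


# (minimum risk, tier, due-diligence step, monitoring frequency); thresholds are assumptions.
TIERS = (
    (16, "critical", "on-site audit", "quarterly"),
    (10, "high", "desk audit / 3rd-party verification of key controls", "quarterly"),
    (4, "moderate", "vendor security questionnaire", "annual"),
    (0, "low", "contractual obligations only", "annual"),
)


def risk_profile(v: VendorProfile) -> dict:
    """Step 1.5: Risk = Impact x Likelihood, mapped to a tier that drives the level of diligence."""
    likelihood, impact = likelihood_score(v), impact_score(v)
    risk = likelihood * impact
    for floor, tier, diligence, frequency in TIERS:
        if risk >= floor:
            break
    return {"vendor": v.name, "size": size_band(v.employees), "likelihood": likelihood,
            "impact": impact, "risk": risk, "tier": tier,
            "due_diligence": diligence, "monitoring": frequency}


def rank_vendors(vendors) -> list[dict]:
    """Relative risk ranking: highest-risk vendors first (the ones to send to due diligence)."""
    return sorted((risk_profile(v) for v in vendors), key=lambda p: p["risk"], reverse=True)


def reprofile(v: VendorProfile, **changes) -> VendorProfile:
    """Step 4 monitoring: re-profile on a major event (breach, financial downgrade, M&A)
    by updating the inherent-risk inputs and re-scoring."""
    return replace(v, **changes)


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = (
    VendorProfile("Billing BPO", True, 2_000_000, employees=50, company_age_years=2,
                  financial_failure_risk="high", offshore_operations=True),
    VendorProfile("Cloud Hosting Co", True, 500_000, employees=20_000, company_age_years=15,
                  financial_failure_risk="low", offshore_operations=False),
    VendorProfile("Office Supplies Inc", False, 30_000, employees=300, company_age_years=20,
                  financial_failure_risk="low", offshore_operations=False),
)

if __name__ == "__main__":
    for p in rank_vendors(SAMPLE_VENDORS):
        print(f"{p['vendor']:<20} L={p['likelihood']} I={p['impact']} risk={p['risk']:>2} "
              f"{p['tier']:<9} -> {p['due_diligence']}, monitor {p['monitoring']}")
    after = reprofile(SAMPLE_VENDORS[1], recent_breach=True, financial_failure_risk="high")
    print("after breach + financial downgrade:", risk_profile(after)["tier"])
```

Running it ranks the small, young, offshore billing vendor with PHI access as critical (it saturates the likelihood scale), the large hosting vendor as moderate, and the supplies vendor as low; re-profiling the hosting vendor after a breach notice and a financial downgrade moves it to high, which is exactly the change the annual or event-driven re-profile in step 4 is meant to catch.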
Better Risk Management

[Diagram: today's solutions compared with VSRM services on quality of data and on time and investment, across procurement and contracting, risk assessment, risk management, and monitoring]
Next Steps
» Identify stakeholders
» Outline Client governance structure
» Select vendors
» Begin the VSRM process
Thank You
» Cliff Baker, cliff.baker@meditologyservices.com
» Brian Selfridge, brian.selfridge@meditologyservices.com