CORL Dodging Breaches from Dodgy Vendors

CORL: Dodging Breaches from Dodgy Vendors. Tackling Vendor Security Risk Management in Healthcare

Introductions
- Cliff Baker: 20 years of healthcare security experience (PricewaterhouseCoopers, HITRUST, Meditology)
- Focused exclusively on healthcare, in the areas of security compliance and vendor risk management

The Unlocked Backdoor to Healthcare Data
- The majority of healthcare vendors lack minimum security practices, falling well short of HIPAA standards
- Healthcare organizations are often unaware of how many of their vendors have access to protected health information (PHI)
- There is an overwhelming number of small and niche healthcare vendors for organizations to manage
- Healthcare organizations do little to gain assurances or enforce security requirements for vendors
- The Target CEO and CIO resigned after a massive breach caused by a vendor

Vendor Risk Management versus Vendor Security Risk Management
- Vendor Risk Management (VRM) typically focuses on elements such as financial risk, legal risk, supply chain risk, etc.
- VRM is not focused on information security risk and does little to tell you about a vendor's ability to protect your confidential information.
- A Vendor Security Risk Management (VSRM) service fills this gap with an objective security analysis of existing and prospective vendors.
- A robust VSRM program provides organizations with a level of confidence in the ability of a vendor to protect their confidential information.

What is the exposure?
- Breach risk: many of your vendors' vendors have inadequate controls; vendors are inconsistently and infrequently assessed
- Regulatory risk: notification and breach response risk cannot be transferred; limited "reasonable and appropriate" assurance (willful neglect)
- Financial risk: 50% or more of vendors do not have the financial capability to handle breach notification; the customer incurs the brunt of the financial and reputational impact

Org. resources cannot keep up with the per-vendor workload:
- Identify vendor contact
- Provide guidance to the business
- Negotiate with the vendor
- Send and explain the survey
- Review the response
- Follow up for clarification
- Validate the responses
- Monitor vendor progress

Example Vendor Profiles with access to PHI (grouped as Technology companies, Business Services, Clinical Technology and Clinical services; the slide arranges them from many vendors per category to few):
Enterprise Software, EHR, Portals, Financial, Hardware, Network, Servers, Mobile, Outsource Hosting, Data storage, Legal, Audit, Compliance, Consulting, Staff Augmentation, Debt Collection, Business analytics, Paper storage, ECG Data Management, ICU Management, Population Health, Quality Management, Controlled Substance Management Systems, Image Exchange, Surgery Management, Patient Engagement, Anesthesia, Cardiology, Laboratory, Pharmacy, Food service, Patient transport, Blood & Tissue, Transcription, Health Information Exchange, Home Health, Imaging, Registries, Release of Information, Decision Support, Prescription Analytics, Disease Management, Long-Term Care, Medical Supplies, Mental and Addiction, Retirement and Disability

Vendor Scenarios
- Scenario A: The vendor product is on the Org. network (there is no vendor support).
- Scenario B: The vendor product is on the Org. network and is supported remotely by the vendor.
- Scenario C: The vendor provides services by connecting remotely to the Org. network (e.g., medical coding).
- Scenario D: Professional services/contractors (e.g., on-site consulting, maintenance) with on-site access to the Org. network.
- Scenario E: The Org. sends data to the vendor.
- Scenario F: Cloud vendor provider.

Existing vendor security programs have significant blind spots
- Most healthcare organizations focus due diligence on their largest vendors, BUT breach data shows that over half of breaches are attributed to smaller companies.
- Smaller firms are also often attacked in an attempt to get to bigger firms. (The Washington Post)
[Chart: Healthcare organization's vendor breakdown by size (S: 1-100, M: 101-1000, L: 1001-10000, VL: 10001+): S 34%, M 24%, L 21%, VL 21%]

Vendors are not protecting healthcare data
Vendor score definitions:
- A: High confidence that the vendor demonstrates a strong culture of security
- B: Moderate confidence that the vendor demonstrates a culture of security
- C: Indeterminate confidence that the vendor demonstrates a culture of security
- D: Lack of confidence based on demonstrated weaknesses in the vendor's culture of security
- F: No confidence in the vendor's ability to protect information
[Chart: Vendor score breakdown: A+ 3%, A 1%, B+ 6%, B 7%, B- 3%, C+ 5%, C 8%, C- 1%, D+ 8%, D 26%, D- 24%, F 8%]

Understanding Risk
- Different types of vendor organizations require different strategies
- VSRM programs adapt risk strategies to the size and capabilities of the vendor's organization
[Chart: distribution of vendor scores (A through F) by vendor size: S 1-100, M 101-1000, L 1001-10000, VL 10001+]

Healthcare organizations are not holding vendors accountable for meeting minimum acceptable security standards
Security certifications:
- Security certifications provide third-party validation of security practices
- Examples for the industry include HITRUST, AICPA SOC 2 and SOC 3 reports, ISO 27001 and FedRAMP
- It is important for organizations to understand the scope and baseline criteria used for certifications
[Chart: Yes 32%, No 68%]

Resource constraints with traditional approaches produce minimal results
1. Identify risky vendors
2. Review vendor questionnaire response
3. Validate questionnaire response
4. Perform audit
5. Risk strategy (improve security practices, insurance, limit access, accept, no additional business)
Coverage: 15-20% of vendors

Resources by the Numbers
- Process = 3-5 days per vendor
- Process = $1,500-$2,000 per vendor
- Process = 40-60 vendors per FTE
- Process = 300-600 vendors per organization
- Process = 7-10 FTEs per organization

Life-cycle capabilities (existing methods): Understand Risk, Manage Risk, Apply Risk, Monitor Risk

Assurance from vendors that access PHI
[Chart: typical health org profile of total vendors: 75% with no understanding of risk; the remaining segments (1%, 4%, 5%, 15%) are labelled new contracts, contract renewals, existing vendors with a recent assessment, existing vendors with an outdated assessment, and existing vendors with no assessment]

Life-cycle capabilities (Year 1, Year 2, Year 3): Understand Risk, Manage Risk, Apply Risk Strategy, Monitor Risk


Comprehensive Lifecycle Approach. Fundamental components: Profile Risk, Understand Risk, Manage Risk, Monitor Risk

Fundamental Practices
- Clear Objectives: clearly established goals and objectives for the VSRM program
- Leadership Reporting: consistent communication plan/process to inform leadership of vendor risk exposure
- Negotiation Objectives: clearly defined outcomes and options
- Vendor Communication: processes for the consistent and clear communication of expectations
- Stakeholder Collaboration: communication among key stakeholders to provide insight into current and upcoming vendor products, risk exposure, and scheduled audits
- Risk Model: model to consistently assess, prioritize and measure vendor risk
- Tools: tools to support data gathering, analysis, reporting and process workflow
- People: clear accountability and responsibility for vendor security risk management

Risk Model
Providing the same focus and management for all vendors is not practical from a resource, cost and organizational perspective. A risk model for vendor security will enable an organization to methodically prioritize and focus resources on the vendors that present the highest risk to the organization. Vendor Security Risk is a function of the likelihood that a vendor will experience a breach and the impact of that breach on the organization.

Determining Likelihood
The factors that increase the likelihood of a vendor breach are based on some inherent characteristics of the company (e.g., size and geographic scope) and, more importantly, the robustness of its security program. The following criteria should be considered in determining the likelihood of risk.

Control Environment
1. Presence of a security program
2. Presence of key security controls
3. Quality of security team
4. Quality of security leadership
5. Breach history
6. Data-at-rest security
7. Subcontractors

Inherent Characteristics
1. Business description
2. Size
3. Geographic scope
4. Year founded
5. Industry sectors
6. Annual sales
7. Client industry(s) serviced
8. Data processed/stored
9. Experience with the Org.

Profile
- Identify Vendors: comprehensive source of vendors with access to the Org. network or data.
- Profile Vendors (Risk Rank): classification of vendors based on their impact and likelihood.

Initial Risk Profile
- Method for profiling and prioritizing vendor security risk
- Leverages sophisticated data analytics and industry research
- Based on standards-based methodologies

Understand Risk
- Gather Information: routine processes to collect valuable data for making risk management decisions.
- Validate Information: consistent process to gain reasonable assurance about the control environment.
- Analyze Risk: consistent process to gain reasonable assurance about the control environment.

Breach Risk versus Security Program Maturity
[Chart: Breach Risk (LOW to HIGH) plotted against Security Program Maturity stages: Ad-hoc / informal security; Policies, procedures, tech controls; Policies, procedures, tech controls for key controls; Security leadership & capable resources; Security program; Executive-led information protection programs]

Breach Risk versus Assurance Options
[Chart: Breach Risk (LOW to HIGH) plotted against Vendor Security Assurance options: Contractual Obligations; Vendor Attestation of Controls; 3rd-Party Verification of Key Controls; Customer Verification of Key Controls; Periodic 3rd-Party Certification of Vendor's Security Program; Periodic Customer Verification of Security Program; Continuous Monitoring of Vendor's Security Program]

Assurance Costs versus Assurance Options
[Chart: Assurance Cost (LOW to HIGH) plotted against the same Vendor Security Assurance options, from Contractual Obligations through Continuous Monitoring of Vendor's Security Program]

Breach Risk versus Assurance Costs versus Assurance Options
[Chart: Breach Risk and Assurance Cost (LOW to HIGH) plotted against the same Vendor Security Assurance options, with Periodic 3rd-Party Verification of Vendor's Security Program in place of Periodic 3rd-Party Certification]
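The Risk Model above (likelihood from the control environment and inherent characteristics, impact from the access scenario and the data involved) and the breach-risk-to-assurance-option charts, worked through as a small scoring script. This is an added illustration, not CORL's model: the weights, tier thresholds, scenario scores and sample vendors are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    size: str                    # S (1-100), M (101-1000), L (1001-10000), VL (10001+)
    scenario: str                # access scenario A-F from the deck
    has_security_program: bool   # control-environment criteria from the risk model
    key_controls_in_place: bool
    breach_history: int          # known breaches in recent years
    data_at_rest_protected: bool
    uses_subcontractors: bool
    phi_records: int             # approximate PHI records the vendor can reach

# Assumed weights: each control-environment gap adds likelihood; smaller firms
# get an inherent bump because the deck's breach data skews to them.
SIZE_WEIGHT = {"S": 2, "M": 1, "L": 0, "VL": 0}

def likelihood(v: Vendor) -> int:
    score = 1                                    # no vendor is breach-proof
    score += 0 if v.has_security_program else 3
    score += 0 if v.key_controls_in_place else 2
    score += 2 * min(v.breach_history, 2)
    score += 0 if v.data_at_rest_protected else 1
    score += 1 if v.uses_subcontractors else 0
    return score + SIZE_WEIGHT[v.size]           # range 1..11

# Assumed weights: impact grows with depth of access (scenario) and PHI volume.
SCENARIO_WEIGHT = {"A": 1, "B": 2, "C": 3, "D": 2, "E": 3, "F": 4}

def impact(v: Vendor) -> int:
    volume = 0 if v.phi_records < 1_000 else 1 if v.phi_records < 100_000 else 2
    return SCENARIO_WEIGHT[v.scenario] + volume  # range 1..6

def breach_risk(v: Vendor) -> int:
    return likelihood(v) * impact(v)             # range 1..66

def tier(risk: int) -> str:
    return "HIGH" if risk >= 25 else "MED" if risk >= 10 else "LOW"

# Assurance options per tier, cheapest first, as the deck's charts place them.
ASSURANCE = {
    "LOW": ["Contractual obligations", "Vendor attestation of controls"],
    "MED": ["3rd-party verification of key controls", "Customer verification of key controls"],
    "HIGH": ["Periodic 3rd-party certification of security program",
             "Periodic customer verification of security program",
             "Continuous monitoring of vendor's security program"],
}

def rank_vendors(vendors):
    """Highest breach risk first, so limited assessment capacity goes there."""
    risks = sorted(((breach_risk(v), v.name) for v in vendors), reverse=True)
    return [(name, r, tier(r), ASSURANCE[tier(r)][0]) for r, name in risks]

# Constructed sample vendors (not real companies).
SAMPLE = [
    Vendor("CloudEHR", "VL", "F", True, True, 0, True, True, 2_000_000),
    Vendor("QuickScribe", "S", "E", False, False, 1, False, False, 50_000),
    Vendor("CafeCo", "M", "A", True, True, 0, True, False, 0),
]
```

With these weights the small transcription vendor that receives PHI and has no program ranks first for a full certification or continuous-monitoring requirement, while the well-controlled cloud EHR vendor lands in the middle tier because its impact stays high even though its likelihood is low.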

Risk Strategy
- Define Risk Strategy Options: analyze the vendor risk to determine the appropriate action needed to reduce potential impact.
- Communicate and Negotiate with Vendor: process to communicate with vendors when contractual terms are not met.
- Implement Strategy: execution of appropriate action when vendors consistently fail to meet contractual terms.

Risk Strategies
[Chart: options plotted against Overall Vendor Security Risk, ending at Avoid Risk]
- Vendor implements security controls
- Contract terms
- Vendor carrying cyber-risk insurance
- Only allow in-house implemented solution
- Temporarily accepting risk and tracking a RAF
- Terminate the contract

Residual Risk Profile
Management reports:
- Clear vision of vendor security risk management objectives
- Executive-level communication
- Program effectiveness

Monitoring
- Tracking and Reporting Vendor Progress: process to inspect vendor progress over time and report details to leadership.
- Identifying Changes in Vendor Risk: examine vendor compliance progress and determine if the vendor's overall risk has improved or deteriorated.

On-going Monitoring
- Many organizations rarely revisit their initial vendor assessments to determine if the risk profile has improved or deteriorated
- An organization should provide a mechanism for on-going monitoring and updates of vendor risk profiles
- The VSRM function should notify the organization of events, such as breaches or the expiration of a security certification
Monitoring inputs shown: Community Input, Report Updates, Alerts

CORL VSRM
CORL's Vendor Security Risk Management (VSRM) service combines risk intelligence with responsibly shared input from the community to help you manage vendor risk.
- Meaningful input responsibly shared by peers
- Continuous and proactive monitoring by a data analytics engine and research analysts
- Research analysts supported by off-shore resources provide scalable and on-demand managed services
- Innovative scoring and intelligence reporting

CORL is engineered to deliver information for risk strategies as efficiently as possible
1. CORL initial risk profile
2. Review vendor questionnaire response (CORL scores)
3. Validate questionnaire response
4. Perform audit
5. Risk strategy (improve security practices, insurance, limit access, accept, no additional business)
Coverage: 80+% of vendors

Thank You. Cliff Baker, CEO, CORL Technologies, cliff.baker@corltech.com