Do You Understand Your Vendors' SOC 2 Reports?

In this post, we emphasize the importance of requesting independent assurances such as HITRUST, SOC 2 Type 2, ISO 27001, and FedRAMP from vendors with high inherent risk, and we specifically explore how to interpret the key points of a SOC 2 report.

The Unintended Risks of Third-Party Cybersecurity Questionnaires

CISOs are aware of the need to address third-party risk management (TPRM), yet they often struggle with the scale and complexity of the task. As good security leaders tend to do, they take action. However, they usually act with great uncertainty about the most effective approach for truly solving the TPRM problem.

CISA Cyber Performance Goals: Third-Party & Supply Chain Requirements

The Cybersecurity and Infrastructure Security Agency (CISA) has been hinting for weeks about a pending announcement on cybersecurity for the nation's critical infrastructure, including healthcare. That update has arrived in the form of a major publication titled CPG: Cross-Sector Cybersecurity Performance Goals.[1] The CPGs provide a mechanism for healthcare organizations and other critical sector entities to prioritize their implementation of the most effective and essential security controls required to defend against emerging cyberattacks. This blog provides an overview of the CPGs and delves into the CPGs that are dedicated to supply chain and third-party vendor risk management. We also discuss the history and genesis of the CPGs, their definitions and components, and practical applications of the CPGs for healthcare organizations.

Keep Up with CORL: Vendor Breach Digest, 10/11/22

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain. Breaches covered in this release: Okta & Microsoft, SummaCare, Healthplex, Inc., GitHub, Arcare, American Dental Association, T-Mobile, Mental Health Center of Greater Manchester, Mountain Area Health Education Center, The State Bar of Georgia, McCarter & English, Kaiser Foundation Health Plan, Touchstone Imaging, DialAmerica Marketing, Block, Parker Hannifin Corporation, MailChimp, HubSpot, Cytometry Specialists, Palo Alto Networks, Globant, and Gainwell Technologies.