Healthcare CISOs Sound Off on Vendor Risk Management

Blog Post by Brian Selfridge, Partner at CORL Technologies and Host of The CyberPHIx Podcast

I have been hosting The CyberPHIx healthcare cybersecurity podcast for over three years now. During that time, I have had the honor and privilege to speak with some of the healthcare industry’s most innovative thought leaders and experts in cybersecurity, privacy, compliance, and risk.

We have produced 68 podcast episodes and counting thus far. For those who don’t quite have the time to binge-listen through the entire catalog, we have compiled some highlights from our guests on the topic of vendor security risk management.

The following are quotes and recordings from some of the industry’s best and brightest leaders related to this important area of focus for healthcare risk management programs.

Dan Bowden, VP & CISO, Sentara Healthcare

“The whole third party and vendor management has been a challenge for years. We've all been talking about what to do with it and how to do it better. And we're starting to maybe back up a little bit, focus more on the presence and use of critical controls. Most of the calls I've sat in on with vendors or folks we partner with on security incidents, two-factor authentication would have stopped the threat. And that's usually a vector that gets in.

And so what we're trying to say is, do we spend a lot of time learning to evaluate each and every cloud platform, or do we ask whoever we're partnering with or the service provider to demonstrate it, requiring two-factor authentication for all remote access? Right. Boom. That's one critical control.

Everyone with elevated privileges is managed through a privileged access management solution, right? Well, there's another critical control. And so on and so on. And so maybe depending on the value of the relationship, we focus on controls around confidentiality, integrity and availability and individual ability. Things may or may be more just assurances, questions about business continuity, disaster recovery, things like that. And so we're continually evolving our view on that. And we're a lot better than we were three years ago.”

“I think that's a challenge we're having now is so many vendors. How do we catch up with all of them? How do we know that they are there some acknowledgement or how do we validate? That's always the hard thing with vendors. And so still a lot of work to do.

You're trying to figure out how to put either an SLA or some kind of a bar. I think it's dumb not to. It's just a contract. And that's the problem with paper contracts, right, is enforcement. And so that's the challenge is how do we continue to do that? But you've got to at least somehow communicate the bar, even if it's only on paper.”

TJ Mann, CISO, Children's Mercy Hospital

“The vendors in the health care industry are very unique where they like to sell their product along with a PC and along with a server and everything all as a bundle deal. And they pose a big, big challenge to IT and cyber teams because now those systems and that equipment have to be on the network because they need to do a pull or they need to push data somewhere else on the network. This is where you integrate your third-party risk management process as well.

So you're making sure that it's not somebody who's just building a product in their garage and sending it out. And there's no support. And they don't even care about patching vulnerabilities that are coming out. So as things are progressing through the procurement process, we have a gate check process to make sure that a security review is done before the contract moves forward for signatures or issuing a PO.”

“You have external entities like vendors, right. And we've seen in the last year some major breaches coming out of vendors, SolarWinds, Blackbaud, and others. So vendors are equally responsible for cyber security in their own way. All these teams have to work collectively to focus on one goal of reducing risk to the organization.”

Stoddard Manikin, CISO, Children's Healthcare of Atlanta

“Third party risk is one of the major areas of concern from a cybersecurity perspective. In health care, it's probably double what it is in other industries because we have so many systems that are on premise and supported by vendors who are offering us so many times. I find these things where the vendors say, oh, we need always-on VPNs, or we have shared accounts because we have twenty five different people and we don't know which one is going to be on call to address your issue.

The third party vendors are the ones who are more likely to have compromised accounts. We've seen this outside of healthcare too, such as the big Target hack several years ago. So I think that we in health care need to limit the access that our third parties have, and we need to have standardization of that access.”

“Just a couple of years ago, we still had vendors using consumer grade solutions like LogMeIn or GoToMyPC to remotely administer systems with ePHI on the web trying to protect the health information. And that's just not OK. So we have moved towards a model where we have a standard that says here are the three ways you can remotely connect into us in order of preference, choose one or we're not going to be doing business together. And that allows us to, through that standardization, to make sure that we've vetted each of the solutions and that we have enough people to actually monitor those approaches to make sure if anything odd is going on, we are more likely to notice it.”

“The Nuance Transcription service breach impacted so many of us in health care. I remember that time because even our CIO ran out to the local office supply store and bought all of their personal recorders just so we had something to do transcription with. I think part of it comes down to your supply chain. And if you only have one vendor for a critical service like transcription, then you need to be prepared for some type of outage because it may not just come from a cybersecurity event, it can come from anything. And that's where it may be more effective to have a dual vendor strategy or at least a backup plan so that you can move this to somebody else should you need to.”

Mike Wilson, SVP & CISO, Molina Healthcare

“The challenge we have with medical devices is that there's a lot of them. And if you think about the nature of a medical device, you know, by its nature, it moves. It could be a drug pump or an insulin pump. It could be a variety of different things. And the MRI machine, for instance, and some are less portable than others. But generally speaking, the inventory, if we think about the asset problem in IT, and that's been a grappling one we've dealt with from the IT context for years and years and years.

But HIPAA clearly makes the point that we are to understand the inventory of assets and the provision of ePHI that are technology related, and we're to categorize those by tiering and risk. And we are to think about them in terms of threats and then obviously apply controls appropriately and then to test the efficacy of those on a regular basis. So I see medical devices very much coming under the realm of HIPAA.”

“We're dealing with a lot of different manufacturers. There's a lot of legacy product out there that's going to take some time. It's like an old car going through the system. You know, you hang onto it for a while. It has value. And so I think this problem is going to very much remain for some time about just how do we think about the threats around a particular device, which are many and probably unique and contextual and temporal in nature. As they get older, there's going to be more issues and vulnerabilities.”

Siobhan Hunter, Vice President of Strategic Solutions, CORL Technologies and Former Director IT Governance, Risk & Compliance for Blue Cross Blue Shield North Carolina

“I think it comes down to three major areas: a comprehensive program that covers from the point of initial sourcing all the way through to the lifecycle of continuous use of that third-party; a consistent program so that you can use the same type of process and procedures with each one of those vendors, such that it is also repeatable and it's across all of your vendor base, not just select vendors or third-parties that come into the I.T. security space for attention.”

“A less mature program starts with not having a good understanding of your vendor base. It is not uncommon to have an organization reach out for support in building their third-party risk program. And you ask for their list of vendors, and the best way that they know how to get it is to go to their accounts payable organization. So, you know, you can start with that level of maturity or lack thereof. Of course, in that type of scenario, you wouldn't have tiering of the vendors based on information security risk. And if there are any security assessments being done, they're being done late in the process. And, you know, to the question around desired outcome of your program, they're not being done consistently.

A high performing program really has strong governance of the third-parties in all areas of the business. It has formal processes for I.T. security, vendor on-boarding, which requires vendor tiering. It requires assessment. It requires remediation of those findings and continuous monitoring as appropriate. If the vendor is contracted to engage with the organization prior to remediation completion, there'll be contractual terms and conditions included, such that you've got the right to terminate, if they do not complete their information security findings and remediation.”

“I think, you know, more than ever, yeah, you do have a finite budget, and you've got to spend the money wisely where you feel you'll get the best program for the least amount of dollars. I think that the human element is a key part of this. The tech solutions are the additional wrapping that supports your program. But at the end of the day, this is all about the people and the human effort. And that is an expensive resource.

And so with the scale at which most companies need to assess their vendors, the amount of outsourcing that's being done, the amount of utilization of third-parties, the volume of assessments that need to be done initially and then on a repeatable recurring basis is growing. So, trying to keep up with that volume, I think you've really got to look at, how do I scale? How do I support a requirement that is only going to increase?

So I think you put your dollars into a good managed services environment, such that you can grow and scale as your organization scales. Wrap that with additional products and tools that can support and mature that program. But I don't think you need to have all of them immediately in order to say you have a robust third-party risk program. What you do have to show, and we go back to the initial question, is a consistent, comprehensive and repeatable process.”

Contact our team here at CORL to learn more about how our managed services and next generation exchange for healthcare vendor risk data improve communication with vendors and get results in lowering supply chain risks.
