NIST SP 800-53 Rev 5: New Supply Chain Control Requirements

The National Institute of Standards and Technology (NIST) has announced an updated version of its flagship security controls framework, NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. A major addition in this revision is an entire security controls “family” dedicated to Supply Chain Risk Management (SR). This blog post provides some insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability for third-party risk management programs.

Finding a Cure for Healthcare Vendor Risk | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information, including Protected Health Information (PHI).

Enterprise Risk Reporting | The Achilles Heel of Vendor Risk Management Programs

Information security leaders and vendor risk management teams have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks introduced by the modern business supply chain. The inability to effectively communicate meaningful vendor risk metrics that drive informed decisions from the business has become the Achilles heel for many third-party risk management programs.

Abandoning the Assessment Factory

Remember the days when every organization maintained a troop of IT engineers somewhere in the basement that spent countless days and nights racking, stacking, and networking servers? Everyone had established their own in-house technology infrastructure factory and was deeply invested in managing an operational IT function that was far removed from the core capabilities and mission of the business. That is, until one day we collectively realized that IT infrastructure could be better delivered as a service via outsourced and cloud-hosted platforms that more efficiently manage and scale our IT capabilities.

Decoding Vendor Questionnaire Responses

Vendor responses to third-party security assessment questionnaires can have a wide range of “truthiness”. Questions such as “how does your organization protect x” or “explain your process for y” are often met with “yes” or “no” responses, or the classic less-than-informative response of “we are HIPAA compliant”. This phenomenon can be chalked up to a variety of root causes, including security responses being completed by sales personnel who have limited security knowledge or expertise, missing security controls and a lack of transparency by the vendor, or pressures of the sales cycle to get responses completed quickly for a large volume of customer security assessments.

Securing the Healthcare Data Supply Chain

CORL Technologies CEO Cliff Baker recently had the opportunity to deliver a presentation alongside leadership from the Office for Civil Rights (OCR) on the state of HIPAA Security Rule compliance and risk management for third-party Business Associate vendors servicing the healthcare industry. The breach data and enforcement updates supplied by OCR reinforced his perspective on the paradigm shift currently underway for healthcare delivery in the migration of critical business functions to third-party cloud-based platforms.

Optimizing the Human in Third-Party Risk Management

Security and risk teams have been overwhelmed by the tsunami of requests for vendor security risk assessments as the digital health movement continues to shift data to third-party platforms. Constraints on human capital and time have never been tighter. Leading organizations are looking for ways to focus their teams on true risk management activities rather than perpetually collecting and formatting risk data. Information security and risk leaders have turned to technology and automation to help keep pace with this unprecedented demand for third-party security assessments.

The Show Must Go On | Maintaining Continuity for InfoSec in a Crisis

Take a deep breath, this is not your typical COVID-19 blog entry. We are going to talk about everything else we need to manage in Information Security and third-party risk management programs during the crisis to keep the wheels on the bus as we make sharp turns at high speeds in response to the pandemic. Healthcare Information Security, third-party risk management, and compliance teams have been appropriately redirected in the early stages of the pandemic to support an “all-hands-on-deck” model for getting remote work scaled up, telehealth rolled out, and much more.