Abandoning the Assessment Factory

Remember the days when every organization maintained a troop of IT engineers somewhere in the basement that spent countless days and nights racking, stacking, and networking servers? Everyone had established their own in-house technology infrastructure factory and was deeply invested in managing an operational IT function that was far removed from the core capabilities and mission of the business. That is until one day we collectively realized that IT infrastructure could be better delivered as a service via outsourced and cloud-hosted platforms that more efficiently manage and scale our IT capabilities. Read More

Decoding Vendor Questionnaire Responses

Vendor responses to third-party security assessment questionnaires can have a wide range of “truthiness”. Questions about “how does your organization protect x” or “explain your process for y” can often be met with “yes” or “no” responses or the classic less-then-informative response of “we are HIPAA compliant”. This phenomenon can be chalked up to a variety of root causes, including security responses being completed by sales personnel who have limited security knowledge or expertise, missing security controls and a lack of transparency by the vendor, or pressures of the sales cycle to get responses completed quickly for a large volume of customer security assessments. Read More

Securing the Healthcare Data Supply Chain

CORL Technologies CEO Cliff Baker recently had the opportunity to deliver a presentation alongside leadership from the Office for Civil Rights (OCR) on the state of HIPAA Security Rule compliance and risk management for third-party Business Associate vendors servicing the healthcare industry. The breach data and enforcement updates supplied by OCR reinforced his perspective on the paradigm shift currently underway for healthcare delivery in the migration of critical business functions to third-party cloud-based platforms. Read More

Optimizing the Human in Third-Party Risk Management

Security and risk teams have been overwhelmed by the tsunami of requests for vendor security risk assessments as the digital health movement continues to shift data to third-party platforms. Constraints on human capital and time have never been tighter. Leading organizations are looking for ways to focus their teams on true risk management activities rather than perpetually collecting and formatting risk data. Information security and risk leaders have turned to technology and automation to help keep pace with this unprecedented demand for third-party security assessments. Read More

The Show Must Go On | Maintaining Continuity for InfoSec in a Crisis

Take a deep breath, this is not your typical COVID-19 blog entry. We are going to talk about everything else we need to manage in Information Security and third-party risk management programs during the crisis to keep the wheels on the bus as we make sharp turns at high speeds in response to the pandemic. Healthcare Information Security, third-party risk management, and compliance teams have been appropriately redirected in the early stages of the pandemic to support an “all-hands-on-deck” model for getting remote work scaled up, telehealth rolled out, and much more. Read More

Surfing the Wave of New Privacy Regulations | California’s CCPA Explained

A wave of new state privacy regulations has healthcare entities scrambling to stand up programs to address patient information protections. On the heels of ground-breaking Global Data Protection Regulation (GDPR) mandates out of the EU, U.S. regulators in over 20 states are starting to incorporate privacy controls including new and proposed legislation. One of the most prominent and comprehensive new privacy laws is the California Consumer Privacy Act (CCPA). This blog post provides a quick summary of the CCPA law and implications for healthcare entities. Read More

Orchestrating a Vendor Risk Management Symphony

Effective vendor risk management programs require artful choreography between internal and external stakeholders, processes, and tools. Business owners and security teams must be armed with the most accurate and timely information available in order to make informed decisions and drive remediation for identified vendor security risks. The symphony of successful vendor security risk management is not one that can be played alone or with one kind of instrument. Read More

Coronavirus Implications for Healthcare Security Programs

On March 5th, HIMSS announced the cancellation of their flagship national healthcare conference just days before the event was set to take place in Orlando, Florida. Just a few days earlier, the state of Florida had declared a state of emergency surrounding the global outbreak of the COVID-19 Coronavirus which has prompted cascading economic and business operational impacts for healthcare entities. The HITRUST Alliance also announced temporary changes on March 5th to their requirements for on-site assessments associated with Validated Assessments.  Read More