Assessments for Certified and Non-Certified Vendors
3rd Party Vendor Security Risk Profile
CORL Technologies © All Rights Reserved
• 63% of all 2016 data breaches resulted from third-party vendor risk
• Small companies are high risk: security is secondary to customer service
• 89 to 100 vendors access our network per week
• 27% increase in data breaches resulting from 3rd parties since 2015
• 3rd party vendors are the second largest risk to a health system
3rd Party Vendor Breaches in 2016

Business                         3rd party system             Security threat                              Data taken
Medical Informatics Engineering  No More Clipboard            Website was unsecured                        Patient records
Bizmatic                         PrognoCIS tool               Credentials stolen through malware           Patient records
Greenway Health                  Zephyrhills patient portal   Patient portal was unsecured                 Patient records
doTERRA                          Cloud-hosted services        Web application hacked                       Credit card data and PII
CiCi’s Pizza                     Data point POS system        Phishing scam posing as technical service    Credit card data and PII
Hard Rock Hotel                  Point-of-sale system         Hardware compromise (secondary effect*)      Credit card data and PII

*Was not the initial target of the attack
Grade Distribution of CORL Vendors Assessed
• Vendors with an A: 3%
• Vendors with a B: 7%
• Vendors with a C: 46%
• Vendors with a D: 44%
• Vendors with an F: <1%
GRADE DISTRIBUTION OF CORL VENDOR DATABASE
Security Team Distribution of CORL Vendors Assessed
• Vendors with designated security personnel: 39%
• Vendors without designated security personnel: 61%
DISTRIBUTION OF CORL DATABASE VENDORS WITH AND WITHOUT DESIGNATED SECURITY PERSONNEL
Vendor Security Risk Management: What is the exposure?
• Breach risk
  • Many of your vendors have inadequate controls
  • You cannot transfer notification and breach response risk to the vendor
• Regulatory risk
  • Limited reasonable & appropriate assurance / willful neglect
  • Vendors are inconsistently and infrequently assessed
What are common weaknesses to vendor risk management?
• Can’t see the forest for the trees…
  • Too busy gathering data…
  …leaves limited time for risk management.
• Unclear objectives for vendor information risk management…
  …‘check the box’ compliance or true reduction of risk?
• Lack of executive level reporting.
• Disconnect from contract management.
Weaknesses (cont.)
• Data gathering is not aligned with objectives
  • Data does not support risk management decision making.
  • Data transfers risk from the vendor to your organization: once you hold evidence of a weakness, you are accountable for what you do with it.
  • Data is gathered at a point in time.
  • Data is not adequately verified, and could be unreliable or untrue.
• Overwhelming volume
  • Resource capacity cannot meet existing requirements.
  • Vendors in areas such as healthcare, on average, score poorly on security risk measures.
  • More due diligence is often required.
• Lack of cooperation from vendors
  • Time consuming and unproductive to continually follow up with non-responsive vendors.
Weaknesses (cont.)
• Leadership communication
  • Difficulty in accurately communicating risk exposure to leadership
  • Communication is inconsistent
• Vendor communication and accountability
  • Communication is sporadic, inconsistent and unclear
  • Absence of linkage between vendor information management failures and contract management
What’s the purpose of an assessment?
• Characterize the security risk
• Define where the risks are
• Minimize the security risks
• Reduce negative impact
• Eliminate avoidable risks to the organization
• Enforce security best practices and policy
Need to Maintain a Balance: What to Protect and What to Defend
• Protect: Devices, Employees, Patients
• Defend against: Risks, Threats, Vulnerabilities
Only data on Healthcare Vendors and their Products
• Technology companies
  • Hardware: Network, Servers, Mobile
  • Enterprise Software: EHR, Portals, Financial
  • Outsource: Hosting, Data storage
• Business Services: Legal, Audit, Compliance, Consulting, Staff Aug., Debt Collection, Business analytics, Paper storage
• Clinical services: Food service, Patient transport, Blood & Tissue, Transcription, Health Information Exchange, Home Health, Imaging, Pharmacy, Registries, Release of Information, Decision Support, Prescription Analytics, Disease Management, Laboratory, Long-Term Care, Medical Supplies, Mental and Addiction, Retirement and Disability
• Clinical Technology: ECG Data Management, ICU Management, Population Health, Quality Management, Controlled Substance Management Systems, Image Exchange, Surgery Management, Patient Engagement, Anesthesia, Cardiology, Laboratory, Pharmacy
(Chart axis: # of vendors per category, ranging from Many to Few)
What assessments do for the business
• Separate the business relationship from the risk to the business
• Leaders can make better decisions about the RIGHT vendor
• Specifically establishes what the vendor needs for access
  • Only give the vendor what they need
  • Determines whether the access is appropriate
  • What do they actually need to provide the service?
• Promotes positive communication between IT, the Vendor and the business user
• Continues to ensure that acceptable levels of risk are maintained
• Protect our patients, our employees and our business partners
What happens if a Vendor Fails or is HIGH Risk
• If the vendor is HIGH risk
  • Robust mitigation plan is put in place
  • Work with legal to ensure the vendor is obligated to make changes
  • Possible escalation to senior leadership
• If the vendor fails a risk assessment
  • Risk summary submitted to the CIO for review
  • Strong recommendation made to the CIO not to use the vendor
  • Meet with the business sponsor and provide the same recommendation
• If the vendor is critical to business operations but HIGH risk, what next?
  • Develop a robust risk mitigation plan with the vendor
  • Work with the vendor, analyst and business unit on the risks
  • Identify any residual risk
  • Reassess the vendor’s security
  • Provide a recommendation to the CIO and business sponsor
Vendor Security Assurance
CORL’s Data: Trending and Industry Specific
Distribution of Vendors with and without a Security Certification
Common Assurances or Certifications
• SOC 1, Type I or II (SSAE 18): covers controls only to the extent they are material to the customer’s financial reporting; not a security assurance on its own
• SOC 2, Type I or II: covers the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy. Type I reports on control design at a point in time; Type II tests operating effectiveness over a review period.
• HITRUST CSF, Validated or Certified: comprehensive framework aligned with ISO 27001 and HIPAA
• ISO/IEC 27001:2013: international standard for certifying an information security management system (ISMS). ISO/IEC 27017 adds cloud-specific control guidance.
• PCI DSS 3.0: security of systems that store, process or transmit payment card data
• CSA Cloud Controls Matrix (CCM): cloud security control framework
• FedRAMP: US federal program for authorizing cloud services used by government agencies
Common Assurances or Certifications – How to Review
• Letter versus the report: an attestation letter or certificate only summarizes; the full report is where scope, testing and exceptions are visible
• Scope
  • Hosted service versus back-office systems
  • Limited scope: systems or controls carved out of the report
• Timeframe
  • Testing period: Type II covers a period, Type I a single date; check how stale the report is
• Qualifications / Control Exceptions
  • Material control failures
  • Controls deemed not relevant to testing
• Management Response or Corrective Action Plan
  • Extent of remediation
  • Timeframe
• Assessor Firm
  • Review the testing approach
  • Self-test a sample of “tier 1” controls
Common Assurances or Certifications – Example
• Step through example certifications
  • SOC 2 Type II
  • HITRUST
  • ISO 27001
Prioritize Where to Focus Assessments
• Determining priority and frequency of vendor assessments based on inherent risk
• Vendors that handle the highest volume of sensitive data
• Vendors that provide the most critical services
• Vendors that have the most control of the data
• Vendor and product categories that show a trend of presenting a risk
• Types of vendors by age, size, geography that present a risk
Streamline Assessments
• Pre-assessment data to support a decision-tree approach to assessments
  • Leverage 3rd party assessments where possible
• Avoid adopting security programs of companies with no security resources
• Focus on vendor’s responsibility for providing assurance
• Focus on qualitative data, e.g., security leadership experience
• Focus on objective data, e.g., government exclusion, malware blacklist, vulnerability database
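The prioritization and streamlining steps above, as an added Python example: vendors are tiered on inherent risk (data volume, service criticality, control of the data), and a decision tree then relies on a third-party report only after it passes the checks from the “How to Review” slides (report type, scope, testing period, open exceptions). This is not CORL’s tool or scoring model; the weights, tier cut-offs, reassessment intervals, and the vendor names and figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Inherent-risk tiering and a decision tree for how much assessment work a vendor gets.
# Weights, tier cut-offs, reassessment intervals and sample vendors are constructed
# assumptions for illustration, not CORL's scoring model or data.

@dataclass
class Attestation:
    kind: str                # "SOC 2 Type II", "SOC 2 Type I", "SOC 1 Type II", "HITRUST Certified"...
    scope: Tuple[str, ...]   # services the report actually covers (hosted vs back-office)
    period_end: date         # end of the testing period (Type I: the as-of date)
    open_exceptions: int     # material control failures with no corrective action plan

@dataclass
class Vendor:
    name: str
    service: str             # the service being purchased
    records: int             # volume of sensitive (PHI/PII) records handled
    criticality: str         # "high" | "medium" | "low": impact if the service stops
    data_control: str        # "hosts" | "processes" | "views" | "none"
    security_staff: bool     # designated security personnel at the vendor?
    attestation: Optional[Attestation] = None

VOLUME_STEPS = ((1_000_000, 4), (100_000, 3), (10_000, 2), (1, 1))
CRITICALITY = {"high": 3, "medium": 2, "low": 1}
DATA_CONTROL = {"hosts": 3, "processes": 2, "views": 1, "none": 0}
REASSESS_MONTHS = {"Tier 1": 12, "Tier 2": 24, "Tier 3": 36}

def volume_points(records):
    for threshold, points in VOLUME_STEPS:
        if records >= threshold:
            return points
    return 0

def inherent_risk(v):
    """0..10 from the deck's three drivers: data volume, service criticality, control of data."""
    return volume_points(v.records) + CRITICALITY[v.criticality] + DATA_CONTROL[v.data_control]

def tier(score):
    return "Tier 1" if score >= 8 else "Tier 2" if score >= 5 else "Tier 3"

def attestation_usable(a, service, as_of, max_age_days=365):
    """The 'how to review' checks: report type, scope, testing period, open exceptions."""
    if a is None:
        return False, "no third-party attestation supplied"
    if a.kind.startswith("SOC 1"):
        return False, "SOC 1 covers controls material to financial reporting only"
    if a.kind.endswith("Type I"):
        return False, "Type I describes control design only; operation was not tested"
    if service not in a.scope:
        return False, f"'{service}' is outside the report scope {list(a.scope)}"
    if as_of - a.period_end > timedelta(days=max_age_days):
        return False, f"testing period ended {a.period_end}, more than {max_age_days} days ago"
    if a.open_exceptions:
        return False, f"{a.open_exceptions} material exception(s) without a corrective action plan"
    return True, "covers the service, is current and has no open exceptions"

def assessment_plan(v, as_of):
    """Decision tree: pre-assessment data decides the assessment path and reassessment interval."""
    score = inherent_risk(v)
    t = tier(score)
    usable, why = attestation_usable(v.attestation, v.service, as_of)
    if t == "Tier 3" and v.records == 0:
        path = "abbreviated self-attestation"
    elif usable and v.security_staff:
        path = "rely on attestation; targeted follow-up only"
    elif usable:
        path = "rely on attestation; confirm who owns security at the vendor"
    else:
        path = "full questionnaire with evidence review"
    return {"vendor": v.name, "score": score, "tier": t,
            "reassess_months": REASSESS_MONTHS[t], "path": path, "attestation": why}

# Constructed sample vendors (hypothetical names and figures).
SAMPLE_VENDORS = [
    Vendor("HostCo EHR", "EHR hosting", 2_000_000, "high", "hosts", True,
           Attestation("SOC 2 Type II", ("EHR hosting",), date(2017, 3, 31), 0)),
    Vendor("PortalCo", "patient portal", 300_000, "high", "hosts", True,
           Attestation("SOC 2 Type II", ("back-office IT",), date(2017, 3, 31), 0)),
    Vendor("ScribeCo", "transcription", 50_000, "medium", "processes", False,
           Attestation("SOC 2 Type I", ("transcription",), date(2017, 6, 30), 0)),
    Vendor("CafeCo", "food service", 0, "low", "none", False),
]

def sample_plans(as_of=date(2017, 9, 1)):
    return {p["vendor"]: p for p in (assessment_plan(v, as_of) for v in SAMPLE_VENDORS)}

if __name__ == "__main__":
    for plan in sample_plans().values():
        print(plan)
```

The point of the scope check is the deck’s “hosted versus back-office” warning: PortalCo holds a clean SOC 2 Type II, but it covers back-office IT rather than the patient portal being bought, so the report does not shorten the assessment.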
Monitor for changes in risk
• Alerting on changes in key risk indicators
• Examples of monitoring:
• Mergers and acquisitions
• PHI or PII types of breaches
• Changes in security leadership
• Vendor incident reporting
• Change in risk by sub-contractor
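The monitoring list above, as an added Python example of alerting on changes in key risk indicators between two collection runs: each indicator carries a severity and a rule for what counts as a change, and any high-severity change pulls the vendor forward for reassessment. This is not CORL’s monitoring feed; the indicator names, severities and the two quarterly snapshots (hypothetical vendors) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Alerting on changes in key risk indicators (KRIs) between two snapshots of vendor data.
# Indicator set, severities and sample snapshots are constructed assumptions, not CORL data.

GRADE = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def worsened(old, new):
    """A letter grade dropped (e.g. B -> D); improvements are not alerted."""
    return GRADE[new] < GRADE[old]

# KRI -> (severity, predicate on (old, new) that says whether the change matters).
KRI_RULES = {
    "parent_company":      ("high",   lambda o, n: o != n),   # merger / acquisition
    "breaches_disclosed":  ("high",   lambda o, n: n > o),    # new PHI/PII breach on record
    "subcontractor_grade": ("high",   worsened),              # sub-contractor's risk grew
    "security_lead":       ("medium", lambda o, n: o != n),   # change in security leadership
    "incidents_reported":  ("medium", lambda o, n: n > o),    # vendor's own incident reports
    "grade":               ("medium", worsened),              # vendor's assessed grade slipped
}

@dataclass
class Alert:
    vendor: str
    indicator: str
    severity: str
    detail: str

def diff_snapshots(previous: Dict[str, dict], current: Dict[str, dict]) -> List[Alert]:
    """Compare two per-vendor KRI snapshots; return alerts, highest severity first."""
    alerts: List[Alert] = []
    for vendor, now in current.items():
        then = previous.get(vendor)
        if then is None:
            alerts.append(Alert(vendor, "new_vendor", "medium", "not present in previous snapshot"))
            continue
        for kri, (severity, changed) in KRI_RULES.items():
            if kri not in then or kri not in now:
                continue  # indicator not collected in both runs: no basis for a change alert
            if changed(then[kri], now[kri]):
                alerts.append(Alert(vendor, kri, severity, f"{then[kri]!r} -> {now[kri]!r}"))
    for vendor in previous.keys() - current.keys():
        alerts.append(Alert(vendor, "dropped", "low", "vendor missing from current snapshot"))
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.vendor))

def reassess_now(alerts: List[Alert]) -> List[str]:
    """Vendors with any high-severity change are pulled forward for reassessment."""
    return sorted({a.vendor for a in alerts if a.severity == "high"})

# Constructed snapshots: two quarters of one year (hypothetical vendors).
Q1 = {
    "HostCo EHR": {"parent_company": "HostCo Inc", "security_lead": "J. Doe",
                   "breaches_disclosed": 0, "incidents_reported": 1,
                   "grade": "B", "subcontractor_grade": "C"},
    "ScribeCo":   {"parent_company": "ScribeCo LLC", "security_lead": "A. Roe",
                   "breaches_disclosed": 0, "incidents_reported": 0,
                   "grade": "C", "subcontractor_grade": "C"},
    "CafeCo":     {"parent_company": "CafeCo", "grade": "D"},
}
Q2 = {
    "HostCo EHR": {"parent_company": "BigHealth Holdings", "security_lead": "J. Doe",
                   "breaches_disclosed": 0, "incidents_reported": 1,
                   "grade": "B", "subcontractor_grade": "D"},
    "ScribeCo":   {"parent_company": "ScribeCo LLC", "security_lead": "New Hire",
                   "breaches_disclosed": 1, "incidents_reported": 2,
                   "grade": "D", "subcontractor_grade": "C"},
    "PortalCo":   {"parent_company": "PortalCo", "grade": "C"},
}

def sample_alerts() -> List[Alert]:
    return diff_snapshots(Q1, Q2)

if __name__ == "__main__":
    for a in sample_alerts():
        print(f"[{a.severity:6}] {a.vendor}: {a.indicator} {a.detail}")
    print("reassess now:", reassess_now(sample_alerts()))
```

Indicators missing from one of the two runs are skipped rather than treated as a change, so a vendor whose data was only partially collected does not generate false alerts; a vendor that disappears from the feed is still surfaced, at low severity, so the gap is noticed.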
Hold Vendors Accountable
• Documented Remediation
• Timelines and status tracked and reported
• Processes to follow-up and request assurance of remediation
• Track sub-contractor dependencies
Communicate Effectively
• Report the level of vendor risk to the organization to executive leadership and board-level audiences
• Report on progress and challenges in remediating risk
• Report on specific vendor relationships that require executive level engagement
Contact Information
Cliff Baker
David Finkelstein