Assessments for Certified and Non-Certified Vendors

Upload: vuongdien

Post on 27-Jul-2018


3rd party Vendors Security Risk Profile

CORL Technologies © All Rights Reserved

• 63% of all 2016 data breaches resulted from third party vendor’s risk
• Small companies are high risk - security is secondary to customer service
• 89 to 100 vendors access our network per week
• 27% increase in data breaches resulting from 3rd parties since 2015
• 3rd party vendors are the second largest risk to a health system

3rd Party Vendor Breaches in 2016

Business                         3rd party system             Security Threat                             Data Taken
Medical Informatics Engineering  No More Clipboard            Website was unsecured                       Patient Records
Bizmatic                         PrognoCIS Tool               Credentials stolen through malware          Patient Records
Greenway Health                  Zephyrhills Patient Portal   Patient portal was unsecured                Patient Records
doTERRA                          Cloud hosted services        Web application hacked                      Credit Card data and PII
CiCi’s Pizza                     Data point POS System        Phishing scam posing as technical service   Credit Card data and PII
Hard Rock Hotel                  Point of Sale System         Hardware compromise (secondary effect*)     Credit Card data and PII

*Was not the initial target of the attack


Grade Distribution of CORL Vendors Assessed

Vendors with an A:   3%
Vendors with a B:    7%
Vendors with a C:   46%
Vendors with a D:   44%
Vendors with an F:  <1%

GRADE DISTRIBUTION OF CORL VENDOR DATABASE


Security Team Distribution of CORL Vendors Assessed

Vendors with Designated Security Personnel:     39%
Vendors without Designated Security Personnel:  61%

DISTRIBUTION OF CORL DATABASE VENDORS WITH AND WITHOUT DESIGNATED SECURITY PERSONNEL

Top 10 Riskiest Sectors


Top 5 Sectors with Least Variation


Vendor Security Risk Management: What is the exposure?


Breach Risk
• Many of your vendors have inadequate controls
• Cannot transfer notification and breach response risk

Regulatory Risk
• Limited reasonable & appropriate assurance / willful neglect
• Vendors are inconsistently and infrequently assessed

What are common weaknesses to vendor risk management?


• Can’t see the forest for the trees…
  • Too busy gathering data…
    …leaves limited time for risk management.
• Unclear objectives for vendor information risk management…
    …‘check the box’ compliance or true reduction of risk?
• Lack of executive level reporting.
• Disconnect from contract management.

Weaknesses (cont.)


• Data gathering is not aligned with objectives
  • Data does not support risk management decision making.
  • Data transfers risk from the vendor to your organization!
  • Data is gathered at a point-in-time.
  • Data is not adequately verified, and could be unreliable or untrue.
• Overwhelming volume
  • Resource capacity cannot meet existing requirements.
  • Vendors in areas such as healthcare, on average, score poorly on security risk measures.
  • More due diligence is often required.
• Lack of cooperation from vendors
  • Time consuming and unproductive to continually follow up with non-responsive vendors.

Weaknesses (cont.)


• Leadership communication
  • Difficulty accurately communicating risk exposure to leadership
  • Communication is inconsistent
• Vendor communication and accountability
  • Communication is sporadic, inconsistent and unclear
  • Absence of linkage between vendor information management failures and contract management

What’s the purpose of an assessment?


• Characterize the security risk

• Define where the risks are

• Minimize the security risks

• Reduce negative impact

• Eliminate risks to the organization

• Enforce security best practices and policy

Need to Maintain a Balance: What to Protect and What to Defend

Protect: Devices, Employees, Patients
Defend: Risks, Threats, Vulnerabilities

Only data on Healthcare Vendors and their Products


Technology companies
• Hardware: Network, Servers, Mobile
• Enterprise Software: EHR, Portals, Financial
• Outsource: Hosting, Data storage

Business Services
• Legal, Audit, Compliance, Consulting, Staff Aug., Debt Collection, Business analytics, Paper storage

Clinical services
• Food service, Patient transport, Blood & Tissue, Transcription, Health Information Exchange, Home Health, Imaging, Pharmacy, Registries, Release of Information, Decision Support, Prescription Analytics, Disease Management, Laboratory, Long-Term Care, Medical Supplies, Mental and Addiction, Retirement and Disability

Clinical Technology
• ECG Data Management, ICU Management, Population Health, Quality Management, Controlled Substance Management Systems, Image Exchange, Surgery Management, Patient Engagement, Anesthesia, Cardiology, Laboratory, Pharmacy

# of Vendors: Many (Technology companies) → Few (Clinical Technology)

What assessments do for the business


• Separate the business relationship from the risk to the business

• Leaders can make better decisions about the RIGHT vendor

• Specifically establishes what the vendor needs for access
  • Only give the vendor what they need
  • Determines if access is appropriate
  • What do they actually need to provide the service?

• Promotes positive communication between IT, the Vendor and the business user

• Continues to ensure that acceptable levels of risk are maintained

• Protect our patients, our employees and our business partners

What happens if a Vendor Fails or is HIGH Risk


• If Vendor is HIGH Risk
  • Robust mitigation plan is put in place
  • Work with legal to ensure vendor is obligated to make changes
  • Possible escalation to Sr. Leadership

• Vendor fails a risk assessment
  • Risk summary submitted to CIO for review
  • Strong recommendation made to CIO to not use vendor
  • Meet with Business Sponsor and provide same recommendation

• Is the Vendor critical to business operation but High Risk – What next?
  • Develop robust risk mitigation plan with vendor
  • Work with vendor, analyst and business unit on risks
  • Identify any residual risk
  • Reassess vendor’s security
  • Provide recommendation to CIO and business sponsor

Vendor Security Risk Management: What is the exposure?


Vendor Security Assurance

Size Distribution of CORL Vendors Assessed


Certified CORL Vendors Assessed


CORL’s Data: Trending and Industry Specific


Distribution of Vendors with and without a Security Certification

Common Assurances or Certifications


• SOC 1 Type I or II (SSAE 18) focusing on controls only to the extent “material” to financial reporting

• SOC 2, Type I or II, covering security, availability, processing integrity, confidentiality and privacy
  • Type II means the controls were tested over a period; Type I only attests that the controls exist as policy at a point in time.

• HITRUST, Validated or Certified, comprehensive framework aligned with ISO and HIPAA

• ISO/IEC 27001:2013 int’l standard - certification for management frameworks for security. (ISO 27017 is new cloud-specific standard)

• PCI-DSS 3.0 standard: Security of payment networks.

• CSA Cloud Controls Matrix (CCM): cloud security playbook

• FedRAMP: federal standard

Common Assurances or Certifications – How to Review


• Letter versus the report
• Scope
  • Hosted versus back-office
  • Limited scope
• Timeframe
  • Testing period
• Qualifications / Control Exceptions
  • Material control failures
  • Controls deemed not relevant to testing

Common Assurances or Certifications – How to Review


• Management Response or Corrective Action Plan
  • Extent of remediation
  • Timeframe
• Assessor Firm
  • Review testing approach
  • Self-test a sample of “tier 1” controls

Common Assurances or Certifications – Example


• Step through example certifications
  • SOC 2 Type 2
  • HITRUST
  • ISO 27001

Prioritize Where to Focus Assessments


• Determining priority and frequency of vendor assessments based on inherent risk

• Vendors that handle the highest volume of sensitive data

• Vendors that provide the most critical services

• Vendors that have the most control of the data

• Vendor and product categories that show a trend of presenting a risk

• Types of vendors by age, size, geography that present a risk

Streamline Assessments


• Pre-assessment data to support a decision-tree approach to assessments
  • Leverage 3rd party assessments where possible

• Avoid adopting security programs of companies with no security resources

• Focus on vendor’s responsibility for providing assurance

• Focus on qualitative data, e.g., security leadership experience

• Focus on objective data, e.g., government exclusion, malware blacklist, vulnerability database

Monitor for changes in risk


• Alerting on changes in key risk indicators
• Examples of monitoring:
  • Mergers and acquisitions
  • PHI or PII types of breaches
  • Changes in security leadership
  • Vendor incident reporting
  • Change in risk by sub-contractor
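The slide names the indicators to watch but not how the alerting is done. The following is an added example, not code from the deck or from CORL, of one way to turn those five indicators into alerts: it compares two point-in-time snapshots of the same vendor and emits an alert per changed indicator, ranked so that a high-severity change (acquisition, new PHI/PII breach, security lead departing with no replacement) pulls the vendor forward for reassessment. The snapshot schema, the severity assignments and the sample vendor data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VendorSnapshot:
    """One point-in-time view of a vendor's key risk indicators (schema is an assumption)."""
    vendor: str
    parent_company: str            # a change here signals a merger or acquisition
    security_lead: Optional[str]   # None means no designated security personnel
    breaches_reported: int         # cumulative PHI/PII breaches disclosed by the vendor
    open_incidents: int            # incidents the vendor has reported and not yet closed
    subcontractors: frozenset      # sub-contractors that touch the service or its data


@dataclass(frozen=True)
class Alert:
    vendor: str
    indicator: str
    severity: str   # "high" triggers reassessment; "medium" and "low" are tracked
    detail: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def detect_changes(prev: VendorSnapshot, curr: VendorSnapshot) -> List[Alert]:
    """Compare two snapshots of the same vendor and return one Alert per changed indicator,
    highest severity first."""
    if prev.vendor != curr.vendor:
        raise ValueError("snapshots must describe the same vendor")
    v = curr.vendor
    alerts: List[Alert] = []

    # Mergers and acquisitions: ownership change means the security program may change too.
    if prev.parent_company != curr.parent_company:
        alerts.append(Alert(v, "merger/acquisition", "high",
                            f"parent changed from {prev.parent_company!r} to {curr.parent_company!r}"))

    # PHI or PII breaches: any newly disclosed breach is a high-severity change.
    if curr.breaches_reported > prev.breaches_reported:
        n = curr.breaches_reported - prev.breaches_reported
        alerts.append(Alert(v, "PHI/PII breach", "high", f"{n} new breach(es) reported"))

    # Changes in security leadership: losing the lead with no replacement is worse than a handover.
    if prev.security_lead != curr.security_lead:
        if curr.security_lead is None:
            alerts.append(Alert(v, "security leadership", "high",
                                f"security lead {prev.security_lead!r} left with no replacement"))
        else:
            alerts.append(Alert(v, "security leadership", "medium",
                                f"security lead changed from {prev.security_lead!r} to {curr.security_lead!r}"))

    # Vendor incident reporting: a rising count of open incidents is tracked, not escalated by itself.
    if curr.open_incidents > prev.open_incidents:
        alerts.append(Alert(v, "vendor incident report", "medium",
                            f"open incidents rose from {prev.open_incidents} to {curr.open_incidents}"))

    # Change in risk by sub-contractor: new parties with data access matter more than departed ones.
    added = curr.subcontractors - prev.subcontractors
    removed = prev.subcontractors - curr.subcontractors
    if added:
        alerts.append(Alert(v, "sub-contractor", "medium",
                            "new sub-contractor(s) with data access: " + ", ".join(sorted(added))))
    if removed:
        alerts.append(Alert(v, "sub-contractor", "low",
                            "sub-contractor(s) no longer in use: " + ", ".join(sorted(removed))))

    alerts.sort(key=lambda a: SEVERITY_RANK[a.severity])  # stable sort keeps indicator order within a tier
    return alerts


def needs_reassessment(alerts: List[Alert]) -> bool:
    """A single high-severity indicator change is enough to pull the vendor forward in the queue."""
    return any(a.severity == "high" for a in alerts)


# Constructed sample snapshots for an imaginary vendor; none of these values come from the deck.
BASELINE = VendorSnapshot("Example Transcription Co.", "Example Transcription Co.", "J. Doe",
                          0, 0, frozenset({"CloudHost A"}))
CURRENT = VendorSnapshot("Example Transcription Co.", "BigHealth Holdings", None,
                         1, 2, frozenset({"CloudHost A", "Offshore Typing Ltd"}))

if __name__ == "__main__":
    found = detect_changes(BASELINE, CURRENT)
    for a in found:
        print(f"[{a.severity.upper():6}] {a.vendor}: {a.indicator} - {a.detail}")
    print("reassess now:", needs_reassessment(found))
```

In practice the snapshots would be populated from the vendor's questionnaire responses, breach-notification feeds and contract records, and the alert list would feed the remediation tracking and executive reporting the later slides call for; the severity tiers here are a starting point to tune against your own inherent-risk ranking, not a standard.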

Hold Vendors Accountable


• Documented Remediation

• Timelines and status tracked and reported

• Processes to follow-up and request assurance of remediation

• Track sub-contractor dependencies

Communicate Effectively


• Report the level of vendor risk to the organization to executive leadership and board-level audiences

• Report on progress and challenges in remediating risk

• Report on specific vendor relationships that require executive level engagement

Contact Information


Cliff Baker

[email protected]

David Finkelstein

[email protected]