Our last few blogs have highlighted a number of highly-publicized data breaches that have seriously impacted the healthcare industry. These incidents have cost medical providers millions and increased the risk to patients' personal information. As we’ve discussed, many of these breaches could have been avoided if appropriate preventative measures had been taken.
How do you guarantee that you are not one of the “headlining hospitals” that exposes millions of patients’ PHI in a security breach? Well, you can’t--no one can--but a smart approach to security can drastically reduce the risk of disaster. From proper internal training to facilitating open discussions with current vendors about your security needs, you can ensure that your patients’ PHI is safe.
This blog post will give you five essential steps for checking and maintaining a secure environment with your third party vendors.
Step 1: Create a List of Your Vendors
This step may seem obvious, but it is worth emphasizing. Your hospital likely works with hundreds of vendors, and inviting them into your healthcare system has the potential to invite their vulnerabilities into your system as well. Take an example from the recent SolarWinds security breach. SolarWinds was highly trusted, working with hundreds of Federal Agencies and Fortune 500 companies; however, their firewall deficiencies allowed malicious code to be distributed to 18,000 of their customers. The very vendor that many used to protect themselves was in fact the conduit used by hackers to break into these organizations.
Don’t be afraid to carefully scrutinize your list of vendors. Some will be obvious, like hosting companies and software companies, but others might require careful consideration, for example your trash or dumpster service. At first, you might think there is no way this could pose a threat to your Information Security posture. And in MOST cases, you would probably be right. However, so many companies have gone “app-crazy” recently. Do they require your accounting department to pay via an app? Is there an app used to request special pickup times, or is that handled via a phone call? Are these apps providing hackers an easy pathway to your data? Make sure you get the whole story regarding the threat they might pose.
Step 2: Request the Information using a Security Questionnaire
Organize an effort to gather information about your vendor security through a simple security questionnaire. SecurityScorecard has a great example you can find HERE, or you can create your own to meet your specific needs. In their eBook, SecurityScorecard lists several resources you can also access below.
Top 5 Questionnaire Resources for IT Vendor Assessments:
- Center for Internet Security - https://www.cisecurity.org/
- National Institute of Standards and Technology (NIST) - https://www.nist.gov/cybersecurity
- Payment Card Industry Data Security Standards Council (PCI SSC) - https://www.pcisecuritystandards.org/
- Shared Assessments Group - https://sharedassessments.org/
- Vendor Security Alliance - https://www.vendorsecurityalliance.org/
For the most effective assessment, set and maintain a deadline for completion by the vendors. Categorize your questions, decide what you want to do with the responses, consider setting a remediation plan, and be prepared to draw a line in the sand with your vendor, which means also being prepared to look for a new, more secure vendor.
Step 3: Vendor Follow-up
Once your responses are organized, review them and record your findings:
Does their security stance align with your needs? Is their security putting your organization at risk? If so, what specifically needs to be addressed? Do you see ways they can strengthen their security?
Use some of these questions to organize your thoughts to set forth a plan of action. Document your discoveries and follow up with your vendor to have a discussion. If they push back against what you have uncovered, request proof. Provide constructive and progressive communication with your vendors. Sometimes they will need your feedback to help improve their own security program.
This step should be positioned as a partnership with your vendors. Many of them will not have Info Sec capable staff, so your patience in dealing with them will help you get the results you are looking for.
Step 4: Respond to Security Risks
If issues exist, work with your vendor regularly on a plan with solid milestones to correct them. It is human nature to push things to the backburner if there isn’t a deadline. The date you set should be reasonable in terms of the time and effort required for your vendor to adequately address areas of weakness and make necessary improvements. Again, this is where taking a partnership approach will yield the best results. Many of your vendors will need some guidance on how to resolve security issues. It is also very helpful to them if you explain early on what you are happy with in terms of a solution. If you have checkpoint calls to discuss their challenges and progress toward compliance, it will help both sides continue to make regular strides and prevent frustration down the road.
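The three steps above (questionnaire, follow-up, remediation with milestones) are easier to keep honest when the results live in a simple register rather than in scattered e-mails. The script below is an added illustration written for this post, not code from Access eForms or SecurityScorecard. It assumes a constructed five-question questionnaire (the question ids Q1 to Q5, their wording and the severity weights are all made up for the example), a constructed set of three vendors, and a fixed "today" so the overdue logic is reproducible; a blank answer is treated as a gap, and a vendor who never returned the questionnaire is flagged for escalation once the deadline has passed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed questionnaire: each entry is (question id, text, severity of a missing control).
QUESTIONS = [
    ("Q1", "Is PHI encrypted at rest and in transit?", "critical"),
    ("Q2", "Is multi-factor authentication enforced for staff who can reach our data?", "critical"),
    ("Q3", "Are security patches applied within 30 days of release?", "high"),
    ("Q4", "Is there a tested incident response plan?", "high"),
    ("Q5", "Are vendor-provided mobile apps security-tested before release?", "medium"),
]
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class Milestone:
    qid: str            # the question whose gap this milestone is meant to close
    due: date
    done: bool = False


@dataclass
class Vendor:
    name: str
    returned_on: Optional[date]                              # None until the questionnaire comes back
    answers: Dict[str, bool] = field(default_factory=dict)   # qid -> True if the control is in place
    milestones: List[Milestone] = field(default_factory=list)


def gaps(vendor: Vendor) -> List[str]:
    """Question ids answered 'no' or left blank; a blank is deliberately counted as a gap."""
    return [qid for qid, _, _ in QUESTIONS if not vendor.answers.get(qid, False)]


def risk_score(vendor: Vendor) -> int:
    """Weighted sum of the vendor's gaps, so a missing critical control outweighs several minor ones."""
    weight_of = {qid: SEVERITY_WEIGHT[sev] for qid, _, sev in QUESTIONS}
    return sum(weight_of[qid] for qid in gaps(vendor))


def overdue(vendor: Vendor, today: date) -> List[str]:
    """Question ids whose agreed remediation milestone has passed without being closed."""
    return [m.qid for m in vendor.milestones if not m.done and m.due < today]


def assess(vendors: List[Vendor], deadline: date, today: date) -> Dict[str, dict]:
    """Build the per-vendor status you would bring to the follow-up call."""
    report = {}
    for v in vendors:
        if v.returned_on is None:
            status = "no response: escalate" if today > deadline else "awaiting response"
            report[v.name] = {"status": status, "score": None, "gaps": [], "overdue": []}
            continue
        g = gaps(v)
        late = overdue(v, today)
        unplanned = [qid for qid in g if not any(m.qid == qid for m in v.milestones)]
        if late:
            status = "remediation overdue"
        elif unplanned:
            status = "gaps without remediation plan"
        elif g:
            status = "remediation in progress"
        else:
            status = "acceptable"
        report[v.name] = {"status": status, "score": risk_score(v), "gaps": g, "overdue": late}
    return report


# Constructed sample data: a questionnaire deadline, a fixed review date, and three vendors.
DEADLINE = date(2024, 3, 1)
TODAY = date(2024, 4, 15)
VENDORS = [
    Vendor("Hosting Co", date(2024, 2, 20),
           {"Q1": True, "Q2": True, "Q3": True, "Q4": True, "Q5": True}),
    Vendor("Dumpster Service", date(2024, 2, 28),
           {"Q1": True, "Q2": False, "Q3": False, "Q4": True},          # Q5 left blank
           [Milestone("Q2", date(2024, 4, 1)), Milestone("Q3", date(2024, 6, 1))]),
    Vendor("Billing App", None),                                          # never returned the form
]

if __name__ == "__main__":
    for name, row in assess(VENDORS, DEADLINE, TODAY).items():
        print(f"{name:16} {row['status']:32} score={row['score']} gaps={row['gaps']} overdue={row['overdue']}")
```

Run as-is, the register shows the hosting company as acceptable, the dumpster service with a score of 17 and its Q2 milestone overdue, and the billing app vendor escalated for never answering. Swapping the questions for your own and loading the answers from a spreadsheet export is the natural next step; the point of the weights is that the follow-up conversation starts from the critical gaps rather than from whichever "no" happens to be listed first.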
Step 5: Schedule Security Reviews for the Following Year
Yearly reviews are the norm; however, most will tell you that the first year is the hardest to complete. In subsequent years, you are building from the previous year’s baseline: What changes were made? Which services were expanded? Typically, vendors will spend a lot less time on the questionnaire, and the resolutions they implemented are simpler to review and usually carry over to new security requirements that have come to light.
A final word from Access eForms CIO, Scott Fuller
“We know the importance of healthcare security and we want to make sure your hospital is safe. Whether you are using SecurityScorecard or another third party like them, free tools exist that will provide insight into your hospital’s own security for self-analysis before coming up with a strategy. Above all, the best way to protect your hospital against emerging security threats is by checking and monitoring connected vendors and using a plan of action as outlined.
We’re not an information security company, but if you think a vendor may be putting your business at risk, send us a list of up to five vendors, and we’ll send you their security scores for free so that together we can work towards a more secure environment. We are here to help.”