Healthcare CISO: Understand Your Digital Vendors' Security
How to Prevent Gaps in Vendors' Cybersecurity Strategy From Affecting Your Business
Digital health solutions continue to change care delivery for the better, but they have also brought an explosion of new data, more data sharing with third parties, and an increasingly complex attack surface.
Understanding how your digital health vendors approach cybersecurity, assess and respond to risk, and plan for incident response is critical to protecting your organization. A gap in their cybersecurity strategy could equal a weakness in yours - unless you know about it and account for it.
What to Look for in a Vendor's Cybersecurity Strategy
How do you tell the difference between a digital health leader who has learned to tell a great story and one who understands the connection between cybersecurity and patient safety and takes their role in it seriously?
Here is a set of steps to follow:
1. Evaluate the maturity - not the existence - of their security program.
You need to know if a vendor has a reasonable and appropriate level of security program maturity and what it looks like.
Some vendors incorrectly think that using a cloud services provider such as Amazon Web Services, or AWS, which is a HIPAA-compliant environment, means they can check security concerns off their must-do list. The reality is that vendors need additional controls to protect that environment; they should be constantly monitoring it for changes and adjusting controls and processes as necessary.
Be sure to ask the following questions:
- Are you using an established framework, for example, the NIST Cybersecurity Framework?
- Do you have a baseline set of controls that represents an appropriate security level?
- How is security incorporated into your software development life cycle, or SDLC?
- What do your vulnerability management and patching processes look like?
- Are you penetration-testing your controls to see if an attacker can exploit vulnerabilities?
- Do the controls work as intended?
Be cautious of these common vendor pitfalls:
- Exaggerating which controls or security programs they have in place;
- Referring to SOC 2 or HITRUST reports that only cover certain areas or parts of a business or technology and aren't in scope for their relationship with your healthcare organization;
- Lacking or immature HIPAA compliance programs even though they actively receive ePHI. Some vendors are willing to sign business associate agreements even when their program doesn’t support required ePHI security and privacy protections.
2. Weigh the risks vs. the value of the technology.
This may seem obvious, but it's worth thinking about the risk a technology brings into your organization relative to the value it offers.
Ask the following questions:
- What is the impact of your technology on our business or clinical processes?
- If data flows through your systems, where is the data coming from? How is it accessed? Where is it going? Where is it stored? What is created?
- Do you perform ongoing risk analysis? Do you have your own risk management program? Do you understand your organization’s unique vulnerabilities and threats? Are you monitoring continuously? What methodology do you use?
- What risk will a device introduce when connected to infrastructure? Can it break something?
- Do you have cybersecurity insurance? If so, how does your policy address assumption of liability?
Red flags to watch for:
- Offshoring data storage or resources;
- Slow response to a security questionnaire or lack of transparency during a risk assessment;
- Lack of flexibility when it comes to risk remediation.
3. Gain a solid understanding of their incident response and resiliency plans.
How a vendor plans to isolate and mitigate an active threat or attack, notify their partners and reduce downtime can have a significant effect on your organization if it experiences a cyberattack or breach.
Ask these questions:
- Do they have disaster recovery, incident response and/or business continuity plan(s) to account for disruptions such as a ransomware attack or a natural disaster?
- How do they monitor their environment for threats, and how do they respond?
- What is their ability to recover from an attack? Will their platform or solution be available, and how will availability be affected during a security incident?
- What is their ability and willingness to notify you and collaborate during an incident?
If you want to learn more about vendor risk management, numerous resources are available at Clearwatersecurity.com.