Managing the Evolving Cyber Risk Posed by Third Parties
Kathy Hughes, CISO of Northwell Health, on the Importance of Vetting Vendors
As major cyber incidents involving vendors surge, healthcare entities must carefully and continuously scrutinize the security practices of their third-party vendors, says Kathy Hughes, CISO of Northwell Health, the largest healthcare system in New York.
"All vendors pose risk because you don't have direct control and oversight over what they do and how they do it," she says in an interview with Information Security Media Group conducted during a recent HIMSS cyber forum in Boston.
So, it's critical for organizations - before they onboard any type of third-party vendor - to perform an assessment or evaluation to see whether the vendor meets the healthcare entity's security standards, including having appropriate controls in place for protecting sensitive information, Hughes says.
Entities should not only conduct an initial assessment but have ongoing scrutiny of their vendors, she adds. "The threat landscape does continually change, which means the vendors have to change, and we have to change in how we monitor them." Also, healthcare entities must keep vendors top of mind in their business continuity planning, she says.
"When there's any type of breach or incident at a vendor you rely on to provide certain services, that causes operational disruptions. To compensate for that, you have to make sure you have appropriate business continuity plans in place and that you can continue to provide clinical care services or whatever other types of services the [affected] vendor would provide, in case they have a disruption."
In the interview, Hughes also discusses:
- Other top cyber risk management issues involving vendors;
- Cyber risk considerations involving mergers and acquisitions in the healthcare sector;
- Cyber challenges in the year ahead.
Hughes is vice president and CISO at New York-based healthcare delivery organization Northwell Health. Prior to joining Northwell Health, she worked at healthcare technology vendor Allscripts, where she managed the infrastructure services operations and engineering teams for North Shore-LIJ, which is now Northwell Health. Before that, Hughes held roles responsible for overseeing the global data network and infrastructure services support teams at cosmetics maker The Estée Lauder Companies and at Stony Brook University Hospital.