Assessments for Certified and Non-Certified Vendors

Transcription

1 Assessments for Certified and Non-Certified Vendors

2 3rd party Vendors Security Risk Profile 63% of all 2016 data breaches resulted from third party vendor s risk Small companies are high risk - security is secondary to customer service 89 to 100 vendors access our network per week 27% increase in data breaches resulting from 3rd parties since rd party vendors are the second largest risk to a health system 3 rd Party Vendor Breaches in 2016 Business 3 rd party system Security Threat Data Taken Medical Informatics Engineering No More Clipboard Website was unsecure Patient Records Bizmatic PrognoCIS Tool Credentials stolen through malware. Patient Records Greenway Health Zephyrhills Patient Portal Patient portal was unsecure Patient Records doterra Cloud hosted services Web application hacked Credit Card data and PII CiCi s Pizza Data point POS System Phish scam posing as technical service Credit Care and PII Hard Rock Hotel Point of Sale System Hardware compromise (secondary affect*) Credit Care and PII *Was not the initial target of the attack

3 Grade Distribution of CORL Vendors Assessed GRADE DISTRIBUTION OF CORL VENDOR DATABASE Vendors with an F 1>% Vendors with an A 3% Vendors with a B 7% Vendors with a D 44% Vendors with a C 46%

4 Security Team Distribution of CORL Vendors Assessed DISTRIBUTION OF CORL DATABASE VENDORS WITH AND WITHOUT DESIGNATED SECURITY PERSONNEL Vendors with Designated Security Personnel 39% Vendors without Designated Security Personnel 61%

5 Top 10 Riskiest Sectors

6 Top 5 Sectors with Least Variation

7 Vendor Security Risk Management: What is the exposure? Breach Risk Regulatory Risk Many of your vendors have inadequate controls Cannot transfer notification and breach response risk Limited reasonable & appropriate assurance / willful neglect Vendors are inconsistently and infrequently assessed

8 What are common weaknesses to vendor risk management? Can t see the forest for the trees Too busy gathering data leaves limited time for risk management. Unclear objectives for vendor information risk management check the box compliance or true reduction of risk? Lack of executive level reporting. Disconnect from contract management.

9 Weaknesses (cont.) Data gathering is not aligned with objectives Data does not support risk management decision making. Data transfers risk from the vendor to your organization! Data is gathered at a point-in-time. Data is not adequately verified, and could be unreliable or untrue. Overwhelming volume Resource capacity cannot meet existing requirements. Vendors in areas such as healthcare, on average, score poorly on security risk measures. More due diligence is often required. Lack of cooperation from vendors Time consuming and unproductive to continually follow up with non-responsive vendors.

10 Weaknesses (cont.) Leadership communication Difficultly to accurately communicate risk exposure to leadership Communication is inconsistent Vendor communication and accountability Communication is sporadic, inconsistent and unclear Absence of linkage between vendor information management failures and contract management

11 What s the purpose of an assessment Characterize the security risk Define where the risks are Minimize the security risks Reduce negative impact Eliminate risks to the organization Enforce security best practices and policy Need to Maintain a Balance What to Protect and what to Defend Protect Devices Employees Patients Defend Risks Threats Vulnerabilities

12 Only data on Healthcare Vendors and their Products Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Many # of Vendors Few

13 What assessments do for the business Separate the business relationship from the risk to the business Leaders can make better decisions about the RIGHT vendor Specifically establishes what the vendor needs for access Only give the vendor what they need Determines if access is appropriate? What do they actually need to provide the service? Promotes positive communication between IT, the Vendor and the business user Continues to ensure that acceptable levels of risk are maintained Protect our patients, our employees and our business partners

14 What happens if a Vendor Fails or is HIGH Risk If Vendor is HIGH Risk Robust mitigation plan is put in place Work with legal to ensure vendor is obligated to make changes Possible escalation to Sr. Leadership Vendor fails a risk assessment Risk summary submitted to CIO for review Strong recommendation made to CIO to not use vendor Meet with Business Sponsor and provide same recommendation Is the Vendor critical to business operation but High Risk What next? Develop robust risk mitigation plan with vendor Work with vendor, analyst and business unit on risks Identify any residual risk Reassess vendor s security Provide recommendation to CIO and business sponsor

15 Vendor Security Risk Management: What is the exposure? Vendor Security Assurance

16 Size Distribution of CORL Vendors Assessed

17 Certified CORL Vendors Assessed

18 CORL s Data: Trending and Industry Specific Distribution of Vendors with and without a Security Certification

19 Common Assurances or Certifications SOC 1 Type I or II (SSAE 18) focusing on controls only to the extent material to financial reporting SOC 2, Type I or II, covering security, availability, processing integrity, confidentiality and privacy Type II means tested, Type I only noted as policy. HITRUST, Validated or Certified, comprehensive framework aligned with ISO and HIPAA ISO/IEC 27001:2013 int l standard - certification for management frameworks for security. (ISO is new cloud-specific standard) PCI-DSS 3.0 standard: Security of payment networks. CSA Cloud Controls Matrix (CCM): cloud security playbook FedRAMP: federal standard

20 Common Assurances or Certifications How to Review Letter versus the report Scope Hosted versus back-office Limited scope Timeframe Testing period Qualifications / Control Exceptions Material control failures Controls deemed not relevant to testing

21 Common Assurances or Certifications How to Review Management Response or Corrective Action Plan Extent of remediation Timeframe Assessor Firm Review testing approach Self test sample of tier 1 controls

22 Common Assurances or Certifications Example Step through example certifications SOC 2 Type 2 HITRUST ISO 27001

23 Prioritize Where to Focus Assessments Determining priority and frequency of vendor assessments based on inherent risk Vendors that handle the highest volume of sensitive data Vendors that provide the most critical services Vendors that have the most control of the data Vendor and product categories that show a trend of presenting a risk Types of vendors by age, size, geography that present a risk

24 Streamline Assessments Pre-assessment data to support decision-tree approach to assessments Leverage 3 rd party assessments where possible Avoid adopting security programs of companies with no security resources Focus on vendor s responsibility for providing assurance Focus on qualitative data, e.g., security leadership experience Focus on objective data, e.g., government exclusion, malware blacklist, vulnerability database

25 Monitor for changes in risk Alerting on changes in key risk indicators Examples of monitoring: Mergers and acquisitions PHI or PII types of breaches Changes in security leadership Vendor incident reporting Change in risk by sub-contractor

26 Hold Vendor s Accountable Documented Remediation Timelines and status tracked and reported Processes to follow-up and request assurance of remediation Track sub-contractor dependencies

27 Communicate Effectively Report to executive leadership and board level audiences level of vendor risk to the organization Report on progress and challenges in remediating risk Report on specific vendor relationships that require executive level engagement

28 Contact Information Cliff Baker David Finkelstein