Carrie Whysall, Director of Managed Security Services for CynergisTek, joins us to discuss supply chain and third-party risks and why managing the level of risk brought into your organization is so important. Carrie breaks down the impacts your organization could be facing due to the COVID-19 pandemic. She examines the importance of vendor security management and the process of building and maintaining relationships with your vendors to ensure you have a clear understanding of the services being provided and the risks that may be inherent in that relationship with the vendor, especially with regard to new telehealth vendors you may be using during the COVID pandemic. Carrie also discusses what an effective VRM (vendor risk management) program entails and how your VRM program can help you determine, manage, and monitor potential third-party risks.
Links to slides:
To view Carrie’s slides via Slideshare visit: https://insights.cynergistek.com/slideshares/supply-chain-and-third-party-risks-during-covid-19
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle. Today I’m joined by Carrie Whysall, CynergisTek’s Director of Managed Security Services. Carrie has over 25 years of experience in health care information security services and is responsible for driving the success of CTEK’s security services.
Hi, Carrie, welcome to The Risk Perspective. We’re happy to have you here today!
Hi everyone, I’m Carrie, and thanks for that great intro Lauren!
As Lauren explained to you, I’m Carrie Whysall, and today I’d like to talk to you about why managing the level of risk brought into your organization is so important, as well as what the impacts to your organization could be due to the pandemic known as COVID-19.
We all know that we’ve been asked to go above and beyond during this crisis. While we always want to strive to be there for our customers, we also know that rushed processes and new technologies such as telehealth are being implemented without our normally strict guidance and adherence to security.
If you had to onboard a vendor for telehealth services during this pandemic, you most likely did not vet them as fully as you would have liked to. Another area of concern around our vendors is ransomware and phishing. While you may be taking extra care and precautions for your own networks, do you know if your vendors are doing the same? Do they even have the capability to handle these types of events? How closely connected to your network are they? Is there any possibility of a vendor infecting your network? Do you even know where to look to see which vendors are the most likely to be a high risk to your organization if you needed that info today? If any of the answers to these last two questions were no or I’m not sure, it’s time to take a closer look at your vendor management toolkit.
First, let’s take a second and talk about what vendor risk management is at its core. It’s really the process of building relationships with your vendors. This includes creating both formal and informal processes that protect and enhance the organizational strategies for both parties in the relationship. The goal here is having a transparent relationship that allows for a better understanding of the services provided and the risks that are inherent in that relationship.
The reason that having a transparent relationship is so important is because the risk is so high. Let’s talk about some of the most recent breaches that a few of your peers have experienced in order to help us put this into a little bit better perspective. Health Alliance Plan, on March 6th, 2019: this breach of 120,000 records was caused by ransomware that their third-party vendor, Wolverine Solutions Group, became infected with. The same third-party vendor was also the cause of a breach at Spectrum Health Lakeland. Now, this one’s very concerning because not only did they get patient data, they got detailed provider info as well.
Next up is the Federal Emergency Management Agency, also known as FEMA. On March 22nd, 2019, this breach of 2 ½ million records is just wrong in so many ways. It isn’t enough that these victims were traumatized by hurricanes. They were also victimized a second time when a contractor being used by FEMA didn’t protect the information that was provided to them. Now, let’s look at what happened to Quest Diagnostics on June 3rd, 2019. This one is particularly nasty as the breach occurred because a hacker took control of a payments page that was being hosted by AMCA, which is a third-party billing vendor used by Quest. Almost 17 million records were exposed.
Lastly, we look at Essentia Health on July 10th, 2019. This breach was due to their third-party vendor, California Reimbursement Enterprise, being the victim of a phishing attack. It’s been nine months and they’re still unclear as to how many records were actually exposed.
These are just a few of the more recent examples of risk resulting in breaches that were caused by our vendors not having the appropriate security controls in place to secure the data that we entrust to them. None of us are likely to forget the Target breach caused by an HVAC vendor, or the impact that the Nuance outage of their entire data center had on all of their customers.
Could any of these have been avoided, or even slightly mitigated, if more customers were assessing their third-party vendor security programs and insisting on remediation where significant issues were found? I truly believe they could have been! Just think if any of the Nuance customers knew that they did not have appropriate plans in place to detect and isolate the NotPetya virus that was introduced into their environment. Would we still have chosen them as our dictation vendor?
If they had responded to an assessment that they did not have an incident response plan that directly addressed how to respond to a cyber threat effectively, perhaps we would have, at a minimum, given them a timeframe to remediate that gap. I would venture to take it a step further and say that most of us didn’t even list them as a tier-one vendor because we were unclear about the major impact this would have on our operations. They estimated this to be a 92 million dollar loss just to themselves, let alone what their customers lost in unrecognized revenue during their nearly two-month-long outage.
All the scary statistics aside, what we’re really trying to accomplish with a VRM program is to maintain a good relationship with our vendors. We also know that we have an obligation to keep our covered entities’ data safe. The best way to do that is with an effective VRM program. An effective VRM program starts by comprehensively determining potential third-party risk, including process risks, political risk, unwanted functions, contract risks, legal as well as regulatory issues for non-compliance, and information system failures. This risk identification procedure should be followed by an evaluation of the precise drivers that increase third-party risk.
So, how do we do that, you might ask? Well, it starts with four basic tasks: compile, classify, assess, and decide. Let’s take a closer look at each of these tasks.
Compile. Implementing the program starts by knowing all of your vendors; start with your finance or accounting contracts to see what they have. Next up, classify: those vendors need to be classified by how much potential risk they pose to the organization. The potential risk is based on the potential impact that a breach involving the vendor would have on the organization annually. This step is critical to success and should not be decided by IT alone. Although, if you have a current mission-critical and/or business-critical list of applications, that is a great place to start.
Assess. There are typically two types of assessments that correspond with the two classifications determined in the vendor classification form, and each classification follows a different assessment process. For low-risk vendors, you might be able to complete the questionnaire with information known internally to your organization. Once completed, the questionnaire should be saved with the vendor’s classification form and reviewed annually. For high or critical risk vendors, it will require a more formal process which should include documented responses from the vendors. Next, decide. For each of the higher-risk vendors, a decision must be made on what to do with the risk discovered through the assessment process. Risk accepted: you could accept the risk as is, without any additional effort on the part of the organization or the vendor. Risk accepted but with a remediation plan. Or risk unacceptable. There are two options for the risk unacceptable option: work with the vendor to get remediation or mitigation completed on their side, or you could decide to terminate the contract based on risk and follow the terms set forth in the contract regarding termination of services.
You should note one of the biggest mistakes an entity can make in this phase is creating a remediation plan without follow-through. Nothing stings more than having an exposure risk come back to bite you because you didn’t complete the remediation plan.
Now, if we talk a little bit deeper on the types of assessments, there are two that really come to mind.
A procurement assessment. This is typically a shorter assessment that’s based primarily on the organization’s security policy, with focus on technology, data storage, and connectivity requirements. The goal here is that a quick decision is made on whether or not to use this product from a particular vendor.
HIPAA-based risk assessments. These are typically much longer assessments that focus on a much broader range of HIPAA regulations. The questionnaires are more in-depth and typically require detailed responses from a vendor. These assessments are also typically where a risk level is assigned to a vendor.
Now, let’s talk about what some of the challenges of having a VRM program are. The first are obviously the process issues: making sure you’re asking the right questions, having access to the contract documents, getting the correct documents back from the vendors, getting responses from a vendor in a timely manner, ensuring that going forward you update new contracts with requirements for meeting your security requirements and retaining the ability to assess or audit your vendors periodically, and adding automation where you can. Then you also need to think about effective use of the data you’ve gathered. You have a lot of information at your fingertips.
Once you’ve completed an assessment, where else could this data be helpful to your organization? Could you use it in some of your SOC feeds and analysis? Could you use it to help validate your cyber insurance claims for each year? Could you use it in the supply chain to help narrow down what number of vendors you want to have for a particular application? These are all possibilities, and you have a tremendous amount of data at your fingertips once you’ve completed the assessment.
Staffing is another area we need to take a look at. As you may have guessed already, vendor management can have a significant impact on staffing. Most entities do not have additional bodies to pull for these efforts, especially right now while we’re struggling to staff COVID units while having to institute furloughs in our elective procedure areas.
At first, the typical attempt is to assign portions of existing staff to this activity. These are usually either existing security or compliance staff. Early efforts can be Excel spreadsheets or Access databases, but usually they’re all tracked manually. So, what can you do, or where can you look for help to make this process easier on your organization?
Outsourcing! Outsourcing can be an excellent option for risk assessment work. It allows an organization to leverage the experience and existing vendor relationships the outsourcer already has. It provides the benefit of access to subject matter experts, with no need to train existing staff on any of the processes. The agreement should contractually set SLAs and turnaround times for expedited requests. A higher number of assessments can be completed as the outsourced staff is working full-time on them, not as part of another role.
Standardized risk evaluation, typically through the use of templates, which include critical, high, moderate, and low findings and should also include clear definitions of each of those values. Assigning the assessment portions to a partner allows you to focus on your own remediation plans and tasks instead of spending time on the phone or on email tracking down answers from a particular vendor.
So, I hope that this conversation today was helpful and provided some insight into the world of vendor security management for you. I know we all have a lot going on right now, and the thought of starting a new program or even enhancing the one you currently have may feel a bit overwhelming. But even if you don’t have the ability to act on it, I hope something I said sticks with you. And the next time someone says, “I’m not worried about security right now, we have patients to deal with”, you might pause and ask just maybe one or two questions more than you would have yesterday about the security of the new vendor you now have to onboard in a hurry.
Great, thank you so much for the best practices, Carrie, and for a little more explanation of the importance of vendor risk management, especially during the time of the coronavirus.
A few questions for our listeners, kind of on behalf of CynergisTek, if you have the time?
Okay! So, question one. In light of the current budget constraints and redirection of funds that organizations are going through, what can organizations do to at least get a better understanding of the risks that exist in their organizations?
Well, I’d start by taking a look at any new vendors that you had to onboard during the pandemic. Pay close attention to those that have the ability to store or process PHI. Remember that PHI is not only stored in applications; it can be on VoIP servers or in shared databases. Did you set up any new HIE feeds that included COVID data? Did you strictly enforce your normal level of scrutiny about identifying that data? Those would be the places that I would look to start.
Great, thank you. Another question: when things calm down and hopefully get somewhat back to normal, and organizations start to look for assistance with their programs, will the work that they have done so far still be of value?
Absolutely! Any questionnaires or existing data that you have should be able to either be imported or transcribed into whatever tool your choice of vendor is using. They should be asking to see your current assessment and helping you decide whether you should continue with those questions or if you should consider one of their existing templates to help broaden the level of questions that you’re asking.
With that, I thank you once again, Carrie, for the helpful information on vendor risk management.
Note for our listeners: if you would like more information or would like to discuss your organization’s vendor risk management processes, please reach out to us via email. You can contact us at email@example.com or visit our website www.cynergistek.com.
Thanks, Carrie, and thank you again for listening.