To continue the conversation about the vulnerabilities in MHA’s and other hospital security systems that allow for the type of breach we saw at Mass General Hospital, I posed some questions to Christopher Ensey, chief operating officer of Dunbar Security Solutions.
[See part 1 of this series: How to avoid being the next hospital breach]
What are the increasing security issues with third-party vendor management for the healthcare industry?
You’re only as safe as your partner. Everyone involved with vendor management should develop a common, collaborative security strategy that includes layering new protections onto processes and policies to defend against information risk in the supply chain.
There is an inherent risk in working with anybody else, whether it is human-to-human communication or the network ports and integrations that exist. Any time you do that, you open up another way to be compromised.
What about those companies that need to open up these ports?
You have the flow of communications set up so that you can continue to do the work you are doing. To improve the speed of business demands you share communication, but that communication needs to be closely watched, especially with third parties.
What does it mean to closely watch the communications?
Look at everything across their people, their process, and their technology. When you look at a third party, you're going to have to look at who the individuals are at other institutions that have access to what data and which applications. How are they shutting down? On the technology side, are they operating in security? Do they train?
It is very possible that there is someone--a bad actor or an insider--who can leverage that posture of trust needed so that you can do business together.
What about watching throughout the supply chain?
Most organizations are just waking up to going one layer deep. Whether they are going deeper is up to the amount of effort the company is putting in. More often, they are not. It really can depend on the length of the engagement.
Marketing is only going to go one layer deep if it's a two-week engagement like printing things or setting up mailers. The opportunity to do deeper level supply chain is lessened with the shorter relationship.
See if other third parties have potential risks by asking who is working with that organization. This will give you some sense of where the trail can lead in terms of where your data can end up. Having agreements in place about reporting centered around when/how/who can access is also a way to mitigate risk.
This isn't as simple as giving them a form to fill out and anticipating they are going to give you all the answers. You need to have resources set up that can give access to people, but set up solutions to enable processes without giving everything away. Leverage portals that give access to a third party without giving away the whole kingdom.
Is there any sort of rating system, similar to a Better Business Bureau, by which enterprises can see that outside vendors are trustworthy?
There have been some attempts, but ratings are not in mass adoption. There have been attempts to establish something almost like the BBB of cyber threat, but there is not really one in particular that has taken hold or has potential to take hold. Asking about cyber insurance and being able to see certificates of insurance shows that they've been thoughtful. Use your own insurance provider--especially for the smaller vendors--because they are intimately tied.