A CISO Offers Insights on Managing Vendor Security Risks

Because vendors were implicated in many of the largest health data breaches in 2019, it's more critical than ever for healthcare organizations to manage the security risks posed by their suppliers, says Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine.

For instance, a cyberattack discovered earlier this year on debt collection firm American Medical Collection Agency impacted more than two dozen of its clients and more than 20 million patients - making the incident the largest health data breach this year.

"You should absolutely be applying some third-party risk assessment methodology," Decker stresses in an interview with Information Security Media Group. "Look at these third-party organizations and understand what type of security practices they have in place. You need to understand what kind of data you're putting into those systems and how important these third-party suppliers are to your operations."

For inherently high-risk vendors, he says, organizations should "have a corresponding level of scrutiny and control around how those vendors are actually applying security around your systems, or as an entry point into your environment."

Contract Terms

Organizations need to ensure that the terms and conditions that they include in their contracts with vendors "not only have some technical components about the data that's going into their environment, [but also] the components where they're connecting to, a back channel," he says. They not only need to specify what kinds of controls they want vendors to have in place, but also "make sure there are the appropriate liabilities that are truly accounted for in that contract," he adds. "What it comes down to is limiting liability and indemnification - and who is actually responsible and accountable - and to what level and degree [if there is a breach]."

In the interview (see audio link below photo), Decker also discusses:

• Other suggestions for managing vendor security risks;
• The growing and increasingly complex threat of ransomware and other criminal cyberattacks;
• Security risk and threats involving medical devices;
• His organization's top security priorities and projects in the new year.

Decker, the CISO and privacy officer at academic healthcare delivery system the University of Chicago Medicine, was recently named health information security innovator of the year by the Association for Executives in Healthcare Information Security, a sister organization of the College of Healthcare Information Management Executives. Decker was honored by AEHIS for his work as co-chair of a cybersecurity advisory panel to the Department of Health and Human Services, which in 2018 collaborated on the release of guidance, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.