Third-party vendor risk guidance from Renown Health's CISO
Data breaches are at an all-time high across all sectors, especially healthcare with its treasure trove of private data.
Many bad actors are entering networks through third-party entities. Healthcare provider organizations are especially vulnerable as they possess a vast amount of sensitive and valuable data – and because third-party vendors have become so critical to healthcare infrastructure.
Risk management of this kind poses a unique challenge and it's critical that security leaders understand how to properly select and vet third-party vendors.
A CISO with plenty of experience
Steven Ramirez is chief information security officer at Renown Health and one of three panelists during the educational session entitled "Making Third Party Risk Management a Priority" at the HIMSS Healthcare Cybersecurity Forum, December 5-6 in Boston. In his role as CISO for a health system, Ramirez knows plenty about third-party risk.
For example, he knows why so many bad actors are entering healthcare information networks via third-party vendors.
"For cost savings measures and to lighten healthcare organizations' on-premises infrastructure footprint, and because of the move to the cloud and SaaS-based solutions as part of the digital transformation, healthcare organizations now are more vulnerable to all of these vendors' security postures," Ramirez explained.
"The main reasons are vendors have not been properly governing or monitoring access," he continued. "In addition, these third-party vendors also outsource components of their programs to other entities, creating, essentially, fourth-party risk. This just expands the overall attack surface and makes oversight more difficult."
A three-pronged security strategy
What can healthcare provider organizations do to prevent, or at least reduce, intrusions that arrive through third-party vendors? Ramirez said it comes down to a three-pronged strategy.
"There needs to be a balance of people, process and technology," he contended. "Vetting vendor access, monitoring, and putting in safeguards to minimize access and capabilities are key. There needs to be a focus on minimally necessary use of PAM. Also, early detection is key to the success of identifying anomalies."
CISOs and other healthcare security leaders shopping for vendors have to know how to lessen their risk.
"Having a process to review vendor access and ensure we use targeted access and tools to minimize access and make sure we monitor that access, that is what is required," Ramirez said.
Best practices for risk management
He offers a few examples of best practices for managing third-party risk.
"Vendor discovery – understand what your vendors are doing for you and what access they need," he spelled out. "Have vendors complete a security assessment. Rank vendors that are at the highest risk.
"Control and minimize access to align to a Zero Trust model.
"And continuously monitor and assess your critical vendors," he concluded.
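The practices Ramirez lists (know what access each vendor has, rank vendors by risk, minimize access and route it through PAM, then keep monitoring it) translate into a periodic access review. The script below is an added example, not code from Renown Health or the article; it assumes a constructed vendor inventory with approved roles and hosts, a constructed session log where a "pam-broker" entry path marks sessions that went through the privileged access tool, and a hypothetical review date. It flags four findings per account, ordered so the highest-risk vendor tier is reported first: roles granted beyond what the assessment approved, accounts with no recent activity, sessions to hosts outside the approved scope, and sessions that bypassed PAM where it is required.

```python
"""Third-party vendor access review (added example; all data below is constructed)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VendorAccount:
    vendor: str
    account: str
    granted_roles: frozenset      # roles the account actually holds today
    approved_roles: frozenset     # roles the vendor assessment approved
    approved_hosts: frozenset     # systems the vendor is contracted to touch
    pam_required: bool            # sessions must be brokered by the PAM tool
    risk_tier: int                # 1 = highest tier from the vendor ranking


# Constructed inventory: hypothetical vendors and service accounts.
INVENTORY = [
    VendorAccount("ImagingCo", "svc-imagingco", frozenset({"pacs-support"}),
                  frozenset({"pacs-support"}), frozenset({"pacs01"}), True, 1),
    VendorAccount("BillingVend", "svc-billing",
                  frozenset({"billing-ro", "domain-admin"}),
                  frozenset({"billing-ro"}), frozenset({"bill01", "bill02"}), True, 1),
    VendorAccount("HVACServ", "svc-hvac", frozenset({"bms-operator"}),
                  frozenset({"bms-operator"}), frozenset({"bms01"}), False, 3),
]

# Constructed session log: ISO timestamp, account, target host, entry path.
# "pam-broker" is a hypothetical marker for sessions that went through PAM.
LOG_LINES = """\
2022-11-28T09:12:00 svc-imagingco pacs01 pam-broker
2022-11-29T22:41:00 svc-billing bill01 pam-broker
2022-11-29T22:45:00 svc-billing dc01 direct
2022-10-01T08:00:00 svc-hvac bms01 direct
""".splitlines()

# Hypothetical date on which the review is run.
REVIEW_DATE = datetime(2022, 12, 1)

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(lines):
    """Parse log lines into (timestamp, account, host, path); skip malformed lines."""
    sessions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, account, host, path = m.groups()
        sessions.append((datetime.fromisoformat(ts), account, host, path))
    return sessions


def review(inventory, lines, now, stale_days=30):
    """Return {account: [finding, ...]}, highest-risk vendor tier first."""
    by_account = {}
    for session in parse_log(lines):
        by_account.setdefault(session[1], []).append(session)

    findings = {}
    for acct in sorted(inventory, key=lambda a: a.risk_tier):
        issues = []
        # Least privilege: anything granted beyond the assessed scope is a finding.
        excess = acct.granted_roles - acct.approved_roles
        if excess:
            issues.append("excess_privilege:" + ",".join(sorted(excess)))
        sessions = by_account.get(acct.account, [])
        # Stale access: unused vendor accounts are attack surface with no business value.
        last_seen = max((s[0] for s in sessions), default=None)
        if last_seen is None or now - last_seen > timedelta(days=stale_days):
            issues.append("stale_access")
        # Monitoring: sessions outside approved hosts or around PAM are anomalies.
        for _, _, host, path in sessions:
            if host not in acct.approved_hosts:
                issues.append(f"out_of_scope_host:{host}")
            if acct.pam_required and path != "pam-broker":
                issues.append(f"pam_bypass:{host}")
        findings[acct.account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review(INVENTORY, LOG_LINES, REVIEW_DATE).items():
        print(account, issues or "ok")
```

Each finding maps back to one of the listed practices: excess_privilege and stale_access drive the "minimize access" step, out_of_scope_host and pam_bypass are what continuous monitoring of critical vendors should surface, and the tier ordering reflects the vendor ranking so the review starts with the accounts whose compromise would hurt most.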
The HIMSS 2022 Healthcare Cybersecurity Forum takes place December 5 and 6 at the Renaissance Boston Waterfront Hotel.
Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.