Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date


NCHICA Meeting, June 2018
Presenters:
- Michelle Allar, Quality and Risk Management Manager, Wake Forest Baptist Medical Center (MAllar@WakeHealth.edu)
- Jay Stewart, Accounts, Markets, & Partners, CORL Technologies (Jay.Stewart@CORLtech.com)
CORL Technologies. All Rights Reserved.

Contents
1. Introduction
2. Unique Challenges for AMC
3. AMC Vendors
4. Security Risk Exposure
5. Assessment of Vendors
6. VSRM Practices Used
7. Looking Forward

Introduction: CORL Technologies (Jay Stewart)
CORL works with Health Plans, Providers, and Academic Medical Center (AMC) organizations on their vendor security risk management (VSRM) programs:
- Extension of internal AMC organization teams
- Insight into AMC organization practices deployed to manage vendors
- Data on security practices of vendors providing products and services to AMC organizations
This data study provides insights on the types of vendor security practices deployed by AMC organizations that are CORL clients:
- Types of vendors that are emerging as the highest threats
- Benchmark vendor security risk management practices
- Vendor vulnerabilities on which to focus and prioritize AMC organization vendor security efforts in 2018
CORL partnerships: GRC solutions, risk scoring companies, consortiums
CORL services: global onsite audits, privacy audits, staff augmentation, on-premises assessments, data-based CORL research and studies, benchmarking of vendor industry practices

Introduction: Wake Forest Baptist Medical Center (Michelle Allar)
Wake Forest Baptist Medical Center is a nationally recognized academic medical center in Winston-Salem, N.C., with an integrated enterprise including educational and research facilities, hospitals, clinics, diagnostic centers, and other primary and specialty care facilities serving 24 counties in northwest North Carolina and southwest Virginia.
Winston-Salem campus:
- Total Medical Center workforce: 14,000+
- Licensed beds: 885
- Inpatient admissions: 40,810
- Observation patients: 8,883
- Emergency Department outpatient visits: 110,602
- Other outpatient visits (includes ambulatory visits and outpatient departments): 171,619
- Total research awards: $177.3 million

Introduction: Wake Forest Baptist Medical Center (Michelle Allar)
Wake Forest Baptist Medical Center is a growing health system.
2016:
- The five-floor, 168,000-square-foot Bowman Gray Center for Medical Education opens in Wake Forest Innovation Quarter.
- The Medical Center purchases Cornerstone Health Care, a practice group with more than 275 providers in approximately 50 locations.
2017:
- A 50-bed, 78,000-square-foot inpatient wing opens at Wake Forest Baptist Health Davie Medical Center, consolidating all of the hospital's services at the Bermuda Run campus.
- On July 1, 2017, the 130-bed Wilkes Regional Medical Center becomes Wake Forest Baptist Health Wilkes Medical Center. The 30-year lease agreement with Wilkes Regional officials and the Town of North Wilkesboro includes expansion of specialty care with improved patient access close to home in the Wilkes County community.


Unique Challenges for AMC (presented by Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center)
AMC complexity:
- Data-intensive environment
- Not all procurement goes through a central department
- In addition to regulatory data challenges, risk of theft of intellectual property
- Users/researchers may not be employees of the AMC
- Exploding growth of data analytics firms offering value in exchange for access to data
- Gray line between IRB-approved research and for-profit analytics

Unique Challenges for AMC (presented by Michelle Allar)
AMC vendor security risks:
- Non-standard or unhardened systems procured and implemented by researchers
- Black-box systems on the network that are not managed by the health system and have security vulnerabilities
- Inability to track and monitor the flow of information to external entities (especially 4th-party vendors)
- Vendors with no or minimal security capabilities


Overview of Data: AMC Vendors in the CORL Database
- Over 40,000 vendors in the CORL database, 20,000 of them AMC vendors
- CORL assessment risk findings and desktop audit results
- Practices from ~20 AMC CORL clients

Are AMC Organizations Using the Same Vendors?
Of the 20,000 vendors supplied to CORL by AMC clients, 23% appear on multiple vendor lists. The average AMC vendor list contains about 2,000 vendors.

Vendors Appearing on Several AMC Vendor Lists
Some vendors are pervasive and appear on almost every AMC CORL client vendor list. Of the vendors on multiple vendor lists, the most common products and services contracted are:
- Medical Devices
- Medical Supplies
- Healthcare Consulting
- Healthcare Conglomerates

Types of Vendors with Access to AMC Data (per the CORL database) [chart]

Vendor Portfolio: Size
AMCs do a lot of business with small-business vendors; over half of the AMC vendors provided to CORL on vendor lists have 50 employees or fewer.

Vendor Portfolio: Geographical Scope
A clear majority of AMC vendors are national, meaning they maintain all physical office locations within the United States of America.


Security Risk Exposure Across the AMC Portfolio
CORL risk calculation:
- Likelihood: security capabilities of a vendor
- Impact: volume of PHI at risk in a breach
- Overall risk of breach: Likelihood x Impact = Risk

Security Risk Exposure: Likelihood of Breach
Likelihood = security capabilities of a vendor. Vendors that provide these types of products and services are more likely to experience a breach.
Top 10 vendor types by likelihood of breach:
1. Medical Devices*
2. Revenue Cycle & Business Process
3. Durable Medical Equipment
4. Business Intelligence / Analytics
5. Financial Services
6. Supply Chain Services
7. Healthcare Consulting
8. Legal
9. Pharmacy (Clinical)
10. Clinical Imaging
* AMCs have 3x more Medical Device vendors than the second-highest sector (Revenue Cycle) in likelihood of breach.

Security Risk Exposure: Impact of Breach
Impact = volume of PHI at risk in a breach. A breach of a High Impact vendor can cause millions of dollars in breach response costs.
Top 10 vendor types by impact of breach:
1. Medical Devices*
2. Security/Privacy
3. Healthcare Consulting
4. Pharmacy (Clinical)
5. Document Management and Imaging
6. Network Hardware
7. Mobile Device Applications
8. Practice Management Software
9. Clinical Portals / Aggregation Software
10. Clinical Blood & Tissue
* AMCs have 4x more Medical Device vendors than the second-highest sector (Security/Privacy) in impact of breach.

Security Risk Exposure: Highest Exposure (Likelihood x Impact)
Highest-risk vendor groups:
- Medical Devices
- Healthcare Consulting
- Pharmacy (Clinical)

Comparison to Industry: Security Certifications
Security certifications are primary indicators that a company is willing to invest in the protection of sensitive data. Slightly worse than the industry average, many vendors serving AMC clients do not invest in security certifications.

Comparison to Industry: Security Certifications
Of the 22% of AMC vendors that do invest in maintaining a security certification, the following are favored: [chart]

Comparison to Industry: Security Personnel
Having designated security personnel is a key indicator that a vendor prioritizes security by investing in qualified resources. AMC vendors are faring slightly better than the industry average in resources designated to security.

Comparison to Industry: Privacy
A vendor's privacy policy indicates a commitment to the protection of the information provided. AMC vendors are faring slightly worse than the industry average in prioritizing privacy and its importance in the healthcare industry.

Comparison to Industry: Data Breach
Slightly worse than the industry average, AMC vendors disclose a higher percentage of data breaches in the past 5 years than the overall industry.

Inadequate Security: Control Inadequacies
AMC vendors tend to have inadequate NIST 800-53 controls in Access Controls, followed by Authentication & Authorization, and System Data Protection.


Are AMC Clients Assessing the Same Vendors?
As stated, of the 20,000 vendors supplied to CORL by AMC clients, 23% are common across the vendor lists provided. But only 14% of vendors are being assessed by multiple AMC clients: there is more overlap on the AMC vendor lists than in what is being assessed.

Across the AMC Portfolio: Impact Rating
AMC clients are generally assessing vendors that touch a lot of PHI; most assessments are of vendors categorized as Very High or High Impact.

Across the AMC Portfolio: Impact Rating
But there is work to do: many vendors with a known categorization of Very High or High Impact are not yet being assessed.

AMC Vendors CORL Is Often Assessing
Breakdown of the sectors that are assessed the most. Vendors that get your attention: these are your high-Impact and/or high-Likelihood sectors that are being assessed the most on a count basis. Good job, because these vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both.
1. Business Intelligence / Analytics
2. Revenue Cycle & Business Process
3. Mobile Device Applications
4. Practice Management Software
5. Healthcare Consulting
6. Medical Devices
7. EHR Software
8. Patient Engagement Software
9. Security/Privacy
10. Clinical Portals/Aggregation

AMC Vendors CORL Is Not Often Assessing
Breakdown of the sectors that are NOT being assessed enough: these are your high-Impact and/or high-Likelihood sectors that are NOT being assessed on a count basis. These vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both, and should be considered for assessment priority.
1. Legal
2. Mental and Addiction
3. Clinical Blood & Tissue
4. Life Insurance
5. Clinical Social Support
6. Pharmacy (Retail)
7. Dental/Vision
8. Pharmacy (Clinical)
9. Home Health
10. Network Hardware
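The risk calculation (Likelihood x Impact) and the assessment-coverage gap described in the slides above, as an added example that is not CORL's or the presenters' own tooling; the 1-4 ordinal scales, the indicator-to-likelihood mapping and every vendor record are constructed for the example.

```python
"""Vendor risk exposure (Risk = Likelihood x Impact) and assessment-coverage check.
Added example, not CORL's tooling. Likelihood reflects a vendor's security
capabilities, Impact the volume of PHI it touches; the 1-4 ordinal scales and
all vendor records are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales; the deck names the buckets but gives no numbers.
SCALE = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

@dataclass(frozen=True)
class Vendor:
    name: str
    sector: str
    likelihood: str   # bucket derived from security capabilities
    impact: str       # bucket derived from PHI volume
    assessed: bool    # True once a security assessment has been completed

def likelihood_from_indicators(certified: bool, security_staff: bool,
                               privacy_policy: bool, breach_last_5y: bool) -> str:
    """Map the deck's four indicators (security certification, designated
    security personnel, privacy policy, breach in the past 5 years) to a
    likelihood bucket: each missing safeguard or disclosed breach is one step up."""
    misses = sum([not certified, not security_staff, not privacy_policy, breach_last_5y])
    return ["Low", "Medium", "High", "Very High", "Very High"][misses]

def risk_score(v: Vendor) -> int:
    """Likelihood x Impact on the 1-4 scales, so scores range from 1 to 16."""
    return SCALE[v.likelihood] * SCALE[v.impact]

def unassessed_high_risk(vendors, threshold: int = 9):
    """Vendors at or above the risk threshold with no completed assessment,
    highest risk first (ties broken by name): the assessment backlog."""
    backlog = [v for v in vendors if not v.assessed and risk_score(v) >= threshold]
    return sorted(backlog, key=lambda v: (-risk_score(v), v.name))

def sector_gap(vendors, threshold: int = 9):
    """Per sector: (high-risk vendor count, how many of those are unassessed)."""
    gaps = defaultdict(lambda: [0, 0])
    for v in vendors:
        if risk_score(v) >= threshold:
            gaps[v.sector][0] += 1
            gaps[v.sector][1] += int(not v.assessed)
    return {sector: tuple(counts) for sector, counts in gaps.items()}

# Constructed sample portfolio (names and indicator values are made up).
SAMPLE_VENDORS = [
    Vendor("Acme Infusion Pumps", "Medical Devices",
           likelihood_from_indicators(False, False, True, True), "Very High", True),
    Vendor("Metro Legal LLP", "Legal",
           likelihood_from_indicators(False, False, False, False), "High", False),
    Vendor("Regional Blood Bank", "Clinical Blood & Tissue",
           likelihood_from_indicators(False, True, True, False), "Very High", False),
    Vendor("RxClinical Pharmacy", "Pharmacy (Clinical)",
           likelihood_from_indicators(False, True, False, True), "High", False),
    Vendor("Campus Network Hardware", "Network Hardware",
           likelihood_from_indicators(True, False, True, False), "High", False),
    Vendor("Mental Health Partners", "Mental and Addiction",
           likelihood_from_indicators(False, False, True, False), "High", False),
]

if __name__ == "__main__":
    for v in unassessed_high_risk(SAMPLE_VENDORS):
        print(f"{risk_score(v):2d}  {v.sector:25s} {v.name}")
    print(sector_gap(SAMPLE_VENDORS))
```

Lowering the threshold pulls sectors such as Clinical Blood & Tissue (high Impact, middling Likelihood) into the backlog, which is how the tiering cut-off trades coverage against assessment effort.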


AMC Preferences (VSRM Practices Used)
01 Preferred questionnaire framework:
1. CORL NIST-based VSQ
2. NIST & HIPAA CFR
3. NIST with HITRUST
02 GRC systems (some AMC CORL clients integrate with their GRC system):
1. ServiceNow
2. Archer
3. None/None Noted
03 Preferred vendor certification:
1. None/None Noted
2. ISO/IEC 27001
3. SOC 2 Type 2
4. HITRUST
04 Contract terms for security:
- No consistency
- Certification requirement (limited; ISO, SOC 2, SOC 1, PCI, HITRUST)

Vendor Responsiveness (VSRM Practices Used)
01 Responsiveness during the Vendor Security Questionnaire (VSQ):
- Required SLA response time: minimum 5 days, maximum 10 days
- Actual VSQ return: 20 business days (median)
02 Responsiveness during remediation:
- Generally lax in requiring remediation
- Generally no remediation timelines imposed on vendors
- Generally no certifications imposed on vendors

Vendor Security Risk Management Monitoring (VSRM Practices Used)
AMC clients rely on CORL to monitor vendors for events such as breaches, mergers and acquisitions, or major leadership turnover. No vendors to date are monitored using other cyber risk scoring services.


Looking Forward
- Understand your vendors and focus on risk
- Set clear expectations
- Enforce accountability

Looking Forward: Set Clear Expectations
Contracts should establish clear expectations:
- Vendor responsibility to provide assurance of privacy and security controls
- Acceptable assurance (e.g., SOC 2 Type II, HITRUST, types of evidence)
- Timeframes for remediation (e.g., critical issues within 7 days)
- Reporting in the event of an incident (e.g., forensics report, remediation plan)
- Financial penalties and remuneration for not protecting data

Looking Forward: Needs Attention
- Focus on the right vendors
- Emphasize assurance versus information
- Expand coverage of assessments to all High Risk vendors
- Demand accountability from vendors
- Develop a strategy for small vendors
- Address emerging trends:
  - Off-shore vendors
  - Cloud-specific focus (e.g., Azure versus AWS)
  - Privacy / use of data

Looking Forward: To-Do
- Board-level report to summarize issues
- Benchmark practices
- Data to enhance vendor tiering
- Team with a cyber-risk scoring company to bring in threat data and know where exposure exists across the vendor portfolio
- Scoring vendors based on collaboration, transparency, and willingness
- Addressing emerging trends like hosting provider analysis, high-risk geographies, and privacy

Question & Answer Period
- Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center (MAllar@WakeHealth.edu)
- Jay Stewart, Accounts, Markets, & Partners at CORL Technologies (Jay.Stewart@CORLtech.com)