Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date
NCHICA Meeting, June 2018
Michelle Allar, Quality and Risk Management Manager, Wake Forest Baptist Medical Center, MAllar@WakeHealth.edu
Jay Stewart, Accounts, Markets, & Partners, CORL Technologies, Jay.Stewart@CORLtech.com
CORL Technologies All Rights Reserved

Contents
1. Introduction
2. Unique Challenges for AMC
3. AMC Vendors
4. Security Risk Exposure
5. Assessment of Vendors
6. VSRM Practices Used
7. Looking Forward
Introduction: CORL Technologies (Jay Stewart)
CORL works with Health Plans, Providers, and Academic Medical Center (AMC) organizations on their vendor security risk management (VSRM) programs:
Extension of internal AMC organization teams
Insight into AMC organization practices deployed to manage vendors
Data on security practices of vendors providing products and services to AMC organizations
This data study provides insights on the types of vendor security practices deployed by AMC organizations that are CORL clients:
Types of vendors that are emerging as the highest threats
Benchmark vendor security risk management practices
Vendor vulnerabilities to focus and prioritize AMC organization vendor security efforts in 2018
CORL Partnerships: GRC Solutions, Risk Scoring Companies, Consortiums
CORL Services: Global Onsite Audits, Privacy Audits, Staff Augmentation, On-Premise Assessments
Data-based CORL Research & Studies: Benchmark Vendor Industry Practices
Introduction: Wake Forest Baptist Medical Center (Michelle Allar)
Wake Forest Baptist Medical Center is a nationally recognized academic medical center in Winston-Salem, N.C., with an integrated enterprise including educational and research facilities, hospitals, clinics, diagnostic centers, and other primary and specialty care facilities serving 24 counties in northwest North Carolina and southwest Virginia.
Our Winston-Salem campus:
Total Medical Center Workforce: 14,000+
Licensed Beds: 885
Inpatient Admissions: 40,810
Observation Patients: 8,883
Emergency Department Outpatient Visits: 110,602
Other Outpatient Visits (includes ambulatory visits and outpatient departments): 171,619
Total Research Awards: $177.3 million

Wake Forest Baptist Medical Center is a growing health system.
2016: The five-floor, 168,000-square-foot Bowman Gray Center for Medical Education opens in Wake Forest Innovation Quarter. The Medical Center purchases Cornerstone Health Care, a practice group with more than 275 providers in approximately 50 locations.
2017: A 50-bed, 78,000-square-foot inpatient wing opens at Wake Forest Baptist Health Davie Medical Center, consolidating all of the hospital's services at the Bermuda Run campus. On July 1, 2017, the 130-bed Wilkes Regional Medical Center becomes Wake Forest Baptist Health Wilkes Medical Center. The 30-year lease agreement with the Wilkes Regional officials and the Town of North Wilkesboro includes expansion of specialty care with improved patient access close to home in the Wilkes County community.
Unique Challenges for AMC
Presented by Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center
AMC complexity:
Data-intensive environment
Not all procurement goes through a central department
In addition to regulatory data challenges, risk of theft of intellectual property
Users/researchers may not be employees of the AMC
Exploding growth of data analytics firms offering value in exchange for access to data
Gray line between IRB-approved research and for-profit analytics

AMC vendor security risks:
Non-standard or unhardened systems procured and implemented by researchers
Black-box systems on the network that are not managed by the health system and have security vulnerabilities
Inability to track and monitor the flow of information to external entities (especially 4th-party vendors)
Vendors with no or minimal security capabilities
AMC Vendors in CORL Database: Overview of Data
Over 40,000 vendors in the CORL database, 20,000 of them AMC vendors
CORL assessment risk findings and desktop audit results
Practices from ~20 AMC CORL clients

Are AMC Organizations Using the Same Vendors?
Of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors appear on multiple vendor lists.
Average AMC vendor list: 2,000 vendors

Vendors Appearing on Several AMC Vendor Lists
Some vendors are pervasive and appear on almost every AMC CORL client vendor list. Of the vendors on multiple vendor lists, the most common products and services contracted are:
Medical Devices
Medical Supplies
Healthcare Consulting
Healthcare Conglomerates

Types of Vendors with Access to AMC Data (per CORL database)

Vendor Portfolio: Size
AMCs do a lot of business with small-business vendors; over half of the AMC vendors provided to CORL on vendor lists have 50 employees or fewer.

Vendor Portfolio: Geographical Scope
A clear majority of AMC vendors are national, meaning they maintain all physical office locations within the United States of America.
Security Risk Exposure: Across the AMC Portfolio
CORL risk calculation:
Likelihood = security capabilities of a vendor
Impact = volume of PHI at risk in a breach
Overall Risk of Breach: Likelihood x Impact = Risk

Security Risk Exposure: Likelihood of Breach
Likelihood = security capabilities of a vendor. Vendors that provide these types of products and services are more likely to experience a breach.
Top 10 vendor types by Likelihood of Breach:
1. Medical Devices*
2. Revenue Cycle & Business Process
3. Durable Medical Equipment
4. Business Intelligence / Analytics
5. Financial Services
6. Supply Chain Services
7. Healthcare Consulting
8. Legal
9. Pharmacy (Clinical)
10. Clinical Imaging
* AMCs have 3x more Medical Device vendors than the second-highest sector (Revenue Cycle) in Likelihood of Breach.

Security Risk Exposure: Impact of Breach
Impact = volume of PHI at risk in a breach. A breach of a High Impact vendor can cause millions of dollars in breach response costs.
Top 10 vendor types by Impact of Breach:
1. Medical Devices*
2. Security/Privacy
3. Healthcare Consulting
4. Pharmacy (Clinical)
5. Document Management and Imaging
6. Network Hardware
7. Mobile Device Applications
8. Practice Management Software
9. Clinical Portals / Aggregation Software
10. Clinical Blood & Tissue
* AMCs have 4x more Medical Device vendors than the second-highest sector (Security/Privacy) in Impact of Breach.

Security Risk Exposure: Highest Exposure (Likelihood x Impact)
Highest-risk vendor groups:
Medical Devices
Healthcare Consulting
Pharmacy (Clinical)
Comparison to Industry: Security Certifications (AMC Vendors)
Security certifications are primary indicators that a company is willing to invest in the protection of sensitive data.
Slightly worse than the industry average, many vendors serving AMC clients do not invest in a security certification.
Of the 22% of AMC vendors that do invest in maintaining a security certification, the following are favored:

Comparison to Industry: Security Personnel (AMC Vendors)
Having designated security personnel is a key indicator that a vendor prioritizes security by investing in qualified resources.
AMC vendors are faring slightly better than the industry average in resources designated to security.

Comparison to Industry: Privacy (AMC Vendors)
A vendor's privacy policy indicates a commitment to the protection of information provided.
AMC vendors are faring slightly worse than the industry average in prioritizing privacy and its importance in the healthcare industry.

Comparison to Industry: Data Breach (AMC Vendors)
Slightly worse than the industry average, AMC vendors disclose a higher percentage of data breaches in the past 5 years than the overall industry.

Inadequate Security: Control Inadequacies (AMC Vendors)
AMC vendors tend to have inadequate NIST 800-53 controls in Access Controls, followed by Authentication & Authorization, and System Data Protection.
Assessment of Vendors: Are AMC Clients Assessing the Same Vendors?
As stated, of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors are common across the vendor lists provided. But only 14% of vendors are being assessed by multiple AMC clients. There is more overlap on the AMC vendor lists than in the vendors being assessed.

Assessment of Vendors: Impact Rating Across the AMC Portfolio
AMC clients are generally assessing vendors that touch a lot of PHI. Most assessments are of vendors categorized as Very High or High Impact.
But there is work to do. Many vendors with a known categorization of Very High or High Impact are not yet being assessed.

AMC Vendors CORL Is Often Assessing
Breakdown of sectors that are assessed the most. Vendors that get your attention: these are your high Impact and/or high Likelihood sectors that are being assessed the most on a count basis. Good job, because these vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both.
1. Business Intelligence / Analytics
2. Revenue Cycle & Business Process
3. Mobile Device Applications
4. Practice Management Software
5. Healthcare Consulting
6. Medical Devices
7. EHR Software
8. Patient Engagement Software
9. Security/Privacy
10. Clinical Portals/Aggregation

AMC Vendors CORL Is Not Often Assessing
Breakdown of sectors that are NOT being assessed enough: these are your high Impact and/or high Likelihood sectors that are NOT being assessed on a count basis. These vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both, and should be considered for assessment priority.
1. Legal
2. Mental and Addiction
3. Clinical Blood & Tissue
4. Life Insurance
5. Clinical Social Support
6. Pharmacy (Retail)
7. Dental/Vision
8. Pharmacy (Clinical)
9. Home Health
10. Network Hardware
VSRM Practices Used: AMC Preferences
01 Preferred questionnaire framework
1. CORL NIST-based VSQ
2. NIST & HIPAA CFR
3. NIST with HITRUST
02 GRC systems
1. ServiceNow
2. Archer
3. None/None Noted
Some AMC CORL clients integrate with their GRC system.
03 Preferred vendor certification
1. None/None Noted
2. ISO/IEC 27001
3. SOC 2 Type 2
4. HITRUST
04 Contract terms for security
No consistency
Certification requirement (limited; ISO, SOC 2, SOC 1, PCI, HITRUST)

VSRM Practices Used: Vendor Responsiveness
01 Responsiveness during the Vendor Security Questionnaire (VSQ)
Required SLA response time: min 5 days, max 10 days
Actual VSQ return: 20 business days (median)
02 Responsiveness during remediation
Generally lax in requiring remediation.
Generally no remediation timelines imposed on vendors.
Generally no certifications imposed on vendors.

VSRM Practices Used: Vendor Security Risk Management Monitoring
AMC clients rely on CORL to monitor vendors for events such as breaches, mergers and acquisitions, or major leadership turnover. No vendors to date are monitored using other cyber risk scoring services.
Looking Forward
Understand your vendors and focus on risk
Set clear expectations
Enforce accountability

Looking Forward: Set Clear Expectations
Contracts should establish clear expectations:
Vendor responsibility to provide assurance of privacy and security controls
Acceptable assurance (e.g., SOC 2 Type II, HITRUST, types of evidence)
Timeframes for remediation (e.g., critical issues within 7 days)
Reporting in the event of an incident (e.g., forensics report, remediation plan)
Financial penalties and remuneration for not protecting data

Looking Forward: Needs Attention
Focus on the right vendors
Emphasize assurance versus information
Expand coverage of assessments to all High Risk vendors
Demand accountability from vendors
Develop a strategy for small vendors
Address emerging trends:
Off-shore vendors
Cloud-specific focus (e.g., Azure versus AWS)
Privacy / use of data

Looking Forward: To-Do
Board-level report to summarize issues
Benchmark practices
Data to enhance vendor tiering
Team with a cyber-risk scoring company to bring in threat data and know where exposure exists across the vendor portfolio
Scoring vendors based on collaboration, transparency, and willingness
Addressing emerging trends like hosting provider analysis, high-risk geographies, and privacy

Question & Answer Period
Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center, MAllar@WakeHealth.edu
Jay Stewart, Accounts, Markets, & Partners at CORL Technologies, Jay.Stewart@CORLtech.com