Renown Health CISO’s Third Party Provider Risk Guide


Data breaches are at an all-time high in all sectors, especially healthcare, with its stores of private data.

Many bad guys are infiltrating networks through third-party entities. Healthcare delivery organizations are especially vulnerable because they possess large amounts of sensitive and valuable data – and because third-party providers have become so important to healthcare infrastructure.

Risk management of this type poses a particular challenge, and it is important for security leaders to understand how to properly select and test third-party vendors.

An experienced CISO

Steven Ramirez is director of information security at Renown Health and one of three panelists during an educational session themed “Prioritizing Third-Party Risk Management” at HIMSS Healthcare Cybersecurity Forum, December 5-6 in Boston. As CISO for a health system, Ramirez knows a lot about third-party risks.

For example, he knows why so many bad guys get into healthcare information networks through third-party providers.

“For the cost savings and reduced footprint of healthcare organizations’ on-premises infrastructure, and as a result of the move to cloud-based and SaaS solutions as part of the transition with digital transformation, healthcare organizations are now more vulnerable to the security posture of all of these providers,” explains Ramirez.

He continued: “The main reason is that the providers did not manage or monitor access properly. Additionally, these third-party vendors also outsource components of their programs to other entities, essentially creating a risk for the fourth party. This only widens the attack surface overall and makes monitoring more difficult.”

Three-pronged security strategy

What can healthcare providers do to prevent, or at least limit, bad actors entering through third-party providers? It’s a three-pronged strategy, Ramirez said.

“There needs to be a balance between people, process and technology,” he said. “Checking vendor access, monitoring, and putting in place protections to minimize access and capacity are key. The focus should be on using PAM to the bare minimum necessary. Beyond that, early detection is the key to successful identification of anomalies.”

When purchasing from a supplier, CISOs and other healthcare security leaders must know how to minimize their risk.

“There is a process in place to review vendor access and ensure we use targeted tools and access to minimize access and ensure that we monitor that access, it’s a must,” Ramirez said.

Best practices for risk management

He gives several examples of best practices for third-party risk management.

“Vendor discovery – understand what your suppliers are doing for you and what access they need,” he explains. “Require vendors to complete a security assessment. Rank the vendors with the highest risk.

“Control and minimize access to fit the Zero Trust model.

“And continuously monitor and evaluate your key suppliers,” he concludes.

The HIMSS 2022 Healthcare Cybersecurity Forum takes place on December 5 and 6 at the Renaissance Boston Waterfront Hotel.

Twitter: @SiwickiHealthIT
Healthcare IT News is a publication of HIMSS Media.
