Transcript (7/6/2018)
Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date
NCHICA Meeting, June 2018
Michelle Allar, Quality and Risk Management Manager, Wake Forest Baptist Medical Center
Jay Stewart, Accounts, Markets, & Partners, CORL Technologies
CORL Technologies © All Rights Reserved
Contents
1. Introduction
2. Unique Challenges for AMC
3. AMC Vendors
4. Security Risk Exposure
5. Assessment of Vendors
6. VSRM Practices Used
7. Looking Forward
Introduction: CORL Technologies – Jay Stewart
CORL works with Health Plans, Providers, and Academic Medical Center (AMC) organizations on their vendor security risk management (VSRM) programs.
• Extension of internal AMC organization teams
• Insight into AMC organization practices deployed to manage vendors
• Data on security practices of vendors providing products and services to AMC organizations
Data study providing insights on the types of vendor security practices deployed by AMC organizations that are CORL Clients.
• Types of vendors that are emerging as the highest threats
• Benchmark vendor security risk management practices
• Vendor vulnerabilities to focus and prioritize AMC organization vendor security efforts in 2018
CORL Partnerships
• GRC Solutions
• Risk Scoring Companies
• Consortiums
Data-based CORL Research & Studies
• Benchmark
• Vendor
• Industry
• Practices
CORL Services
• Global Onsite Audits
• Privacy Audits
• Staff Augmentation
• On Premise Assessments
Introduction: Wake Forest Baptist Medical Center – Michelle Allar
Wake Forest Baptist Medical Center is a nationally recognized academic medical center in Winston-Salem, N.C., with an integrated enterprise including educational and research facilities, hospitals, clinics, diagnostic centers, and other primary and specialty care facilities serving 24 counties in northwest North Carolina and southwest Virginia.
Our Winston-Salem Campus:
• Total Medical Center Workforce: 14,000+
• Licensed Beds: 885
• Inpatient Admissions: 40,810
• Observation Patients: 8,883
• Emergency Department Outpatient Visits: 110,602
• Other Outpatient Visits (includes ambulatory visits and outpatient departments): 171,619
• Total Research Awards: $177.3 million
Introduction
Wake Forest Baptist Medical Center is a growing health system.
2016
• The five-floor, 168,000-square-foot Bowman Gray Center for Medical Education opens in Wake Forest Innovation Quarter.
• The Medical Center purchases Cornerstone Health Care, a practice group with more than 275 providers in approximately 50 locations.
2017
• A 50-bed, 78,000-square-foot inpatient wing opens at Wake Forest Baptist Health – Davie Medical Center, consolidating all of the hospital’s services at the Bermuda Run campus.
• On July 1, 2017, the 130-bed Wilkes Regional Medical Center becomes Wake Forest Baptist Health – Wilkes Medical Center. The 30-year lease agreement with the Wilkes Regional officials and the Town of North Wilkesboro includes expansion of specialty care with improved patient access close to home in the Wilkes County community.
Data Study: Academic Medical Centers & Vendor Security
Unique Challenges for AMC
• AMC Complexity:
• Data intensive environment
• Not all procurement through a central department
• In addition to regulatory data challenges – risks to theft of intellectual property
• Users/researchers may not be employees of the AMC
• Exploding growth of data analytics firms offering value for access to data
• Gray line between IRB approved research and for profit analytics
Presented by Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center
Unique Challenges for AMC
• AMC Vendor Security Risks:
• Non-“standard” or unhardened systems procured and implemented by researchers
• Black-box systems on the network that are not managed by the health system and have security vulnerabilities
• Inability to track and monitor the flow of information to external entities (especially 4th-party vendors)
• Vendors with no or minimal security capabilities
Overview of Data: AMC Vendors in CORL Database
Over 40,000 vendors in CORL database – 20,000 AMC vendors
Practices from ~20 AMC CORL clients
CORL Assessment risk findings and desktop audit results
AMC Vendors in CORL Database: Are AMC Organizations Using the Same Vendors?
Of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors appear on multiple Vendor Lists.
Average AMC vendor list ≈ 2000 vendors
Vendors Appearing on Several AMC Vendor Lists (AMC Vendors in the CORL Database)
Some vendors are pervasive and appear on almost every AMC CORL Client vendor list.
Of the vendors on multiple vendor lists, the most common products and services contracted are:
• Medical Devices
• Medical Supplies
• Healthcare Consulting
• Healthcare Conglomerates
Types of Vendors with access to AMC data, per CORL Database
Vendor Portfolio: Size (AMC Vendors in the CORL Database)
AMCs do a lot of business with small business vendors; over half of AMC vendors provided to CORL on Vendor Lists have 50 employees or fewer.
Vendor Portfolio: Geographical Scope (AMC Vendors in the CORL Database)
A clear majority of AMC vendors are National, meaning they maintain all physical office locations within the United States of America.
Security Risk Exposure: Across the AMC Portfolio
CORL Risk Calculation:
• Likelihood – security capabilities of a vendor
• Impact – volume of PHI at risk of a breach
• Overall Risk of Breach
Likelihood x Impact = Risk
Security Risk Exposure: Likelihood = security capabilities of a vendor
Vendors that provide these types of products and services are more likely to experience a breach.
Likelihood of Breach – Top 10 Vendor Types
1. Medical Devices *
2. Revenue Cycle & Business Process
3. Durable Medical Equipment
4. Business Intelligence / Analytics
5. Financial Services
6. Supply Chain Services
7. Healthcare Consulting
8. Legal
9. Pharmacy (Clinical)
10. Clinical Imaging
* AMCs have 3x more Medical Device vendors than the second highest sector, Rev Cycle, in “Likelihood of Breach”
Security Risk Exposure: Impact = volume of PHI at risk of a breach
A breach of a High Impact vendor can cause millions of dollars in breach response costs.
Impact of Breach – Top 10 Vendor Types
1. Medical Devices *
2. Security/Privacy
3. Healthcare Consulting
4. Pharmacy (Clinical)
5. Document Management and Imaging
6. Network Hardware
7. Mobile Device Applications
8. Practice Management Software
9. Clinical Portals / Aggregation Software
10. Clinical Blood & Tissue
* AMCs have 4x more Medical Device vendors than the second highest sector, Security/Privacy, in “Impact of Breach”
Security Risk Exposure: Highest Risk Vendor Groups
Highest exposure on both Likelihood and Impact:
• Medical Devices
• Healthcare Consulting
• Pharmacy (Clinical)
Comparison to Industry: AMC Vendors – Security Certifications
Security certifications are primary indicators that a company is willing to invest in the protection of sensitive data.
Slightly worse than the industry average, many vendors serving AMC clients do not invest in security certifications.
Comparison to Industry: AMC Vendors – Security Certifications (continued)
Of the 22% of AMC vendors that do invest in maintaining a Security Certification, the following are favored:
Comparison to Industry: AMC Vendors – Security Personnel
Having designated security personnel is a key indicator that a vendor prioritizes security by investing in qualified resources.
AMC vendors are faring slightly better than the industry average in having resources designated to security.
Comparison to Industry: AMC Vendors – Privacy
A vendor’s Privacy Policy indicates a commitment to the protection of information provided.
AMC vendors are faring slightly worse than the industry average in prioritizing privacy and its importance in the healthcare industry.
Comparison to Industry: AMC Vendors – Data Breach
Slightly worse than the industry average: AMC vendors disclose a higher percentage of data breaches in the past 5 years than the overall industry.
Inadequate Security: AMC Vendors – Control Inadequacies
AMC vendors tend to have inadequate NIST SP 800-53 controls in Access Control, followed by Authentication & Authorization, and System Data Protection.
Assessment of Vendors: Are AMC clients assessing the same vendors?
As stated, of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors are common to more than one of the vendor lists provided.
But only 14% of vendors are being assessed by multiple AMC clients: there is more overlap on the AMC vendor lists than is being assessed.
Assessment of Vendors: Across the AMC Portfolio – Impact Rating
AMC clients are generally assessing vendors that touch a lot of PHI.
Most assessments are of vendors categorized as “Very High” or “High” Impact.
Assessment of Vendors: Across the AMC Portfolio – Impact Rating (continued)
But there is work to do. Many vendors with a known categorization of “Very High” or “High” Impact rating are not yet being assessed.
Assessment of Vendors: AMC Vendors CORL is often assessing
Breakdown of sectors that are assessed the most – Vendors That Get Your Attention:
1. Business Intelligence / Analytics
2. Revenue Cycle & Business Process
3. Mobile Device Applications
4. Practice Management Software
5. Healthcare Consulting
6. Medical Devices
7. EHR Software
8. Patient Engagement Software
9. Security/Privacy
10. Clinical Portals/Aggregation
• These are your high Impact and/or high Likelihood sectors that are being assessed the most on a count basis.
• Good job, because these vendors are either considered to touch a lot of PHI, continuously scored poorly on risk assessments, or both.
Assessment of Vendors: AMC Vendors CORL is not often assessing
Breakdown of sectors that are NOT being assessed enough:
1. Legal
2. Mental and Addiction
3. Clinical Blood & Tissue
4. Life Insurance
5. Clinical Social Support
6. Pharmacy (Retail)
7. Dental/Vision
8. Pharmacy (Clinical)
9. Home Health
10. Network Hardware
• These are your high Impact and/or high Likelihood sectors that are NOT being assessed on a count basis.
• These vendors are either considered to touch a lot of PHI, continuously scored poorly on risk assessments, or both, and should be considered for assessment priority.
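The risk model on the Security Risk Exposure slides (Likelihood x Impact = Risk, with likelihood driven by the vendor's security capabilities and impact by the volume of PHI it touches) and the coverage gap on the Assessment of Vendors slides (High and Very High Impact vendors not yet assessed, whole sectors under-assessed) can be turned into a simple prioritization routine. The Python below is an added example written for this page; it is not CORL's scoring method or code. The 1..4 numeric mapping of the ordinal tiers, the PHI-volume thresholds, the field names and the sample vendor records are all constructed assumptions made for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Ordinal tiers as used on the slides. The 1..4 numeric mapping is an
# assumption made for this example; the deck does not publish CORL's scale.
TIER = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Vendor:
    name: str
    sector: str
    likelihood: str   # security-capability tier (e.g. from questionnaire/audit findings)
    phi_records: int  # approximate number of PHI records the vendor can access
    assessed: bool    # has a security assessment actually been completed?


def impact_tier(phi_records: int) -> str:
    """Impact = volume of PHI at risk. Thresholds are illustrative, not CORL's."""
    if phi_records >= 500_000:
        return "very high"
    if phi_records >= 50_000:
        return "high"
    if phi_records >= 5_000:
        return "medium"
    return "low"


def risk_score(v: Vendor) -> int:
    """Likelihood x Impact = Risk, on the ordinal tiers mapped to 1..4 (max 16)."""
    return TIER[v.likelihood] * TIER[impact_tier(v.phi_records)]


def unassessed_high_impact(vendors):
    """Vendors rated High or Very High impact with no completed assessment,
    ordered highest risk first. This is the 'work to do' list from the slides."""
    todo = [v for v in vendors
            if TIER[impact_tier(v.phi_records)] >= TIER["high"] and not v.assessed]
    return sorted(todo, key=lambda v: (-risk_score(v), v.name))


def sector_coverage(vendors, min_risk: int = 9):
    """Per sector: (vendors at or above min_risk, how many of those are assessed).
    Sectors with exposure but low coverage are the 'not assessed enough' group."""
    cov = defaultdict(lambda: [0, 0])
    for v in vendors:
        if risk_score(v) >= min_risk:
            cov[v.sector][0] += 1
            cov[v.sector][1] += int(v.assessed)
    return {sector: tuple(counts) for sector, counts in cov.items()}


# Constructed sample data (not from the study) so the example runs offline.
SAMPLE = [
    Vendor("infusion-pump-co", "Medical Devices", "very high", 800_000, True),
    Vendor("imaging-box-inc", "Medical Devices", "high", 120_000, False),
    Vendor("claims-scrub-llc", "Revenue Cycle & Business Process", "high", 600_000, True),
    Vendor("law-partners", "Legal", "medium", 60_000, False),
    Vendor("transfusion-lab", "Clinical Blood & Tissue", "high", 70_000, False),
    Vendor("campus-catering", "Food Services", "low", 0, False),
]

if __name__ == "__main__":
    print("High/Very High impact vendors with no assessment, highest risk first:")
    for v in unassessed_high_impact(SAMPLE):
        print(f"  risk={risk_score(v):>2}  {v.sector:<34} {v.name}")
    print("Assessment coverage of high-risk vendors by sector:")
    for sector, (exposed, done) in sorted(sector_coverage(SAMPLE).items()):
        print(f"  {sector}: {done}/{exposed} assessed")
```

Because the sort key is (-risk, name), two unassessed vendors with equal risk come out in a stable, reviewable order; in practice the tie-breaker would be something like contract value or the date the vendor was added. The `min_risk` threshold of 9 corresponds to "high" on both axes under the assumed 1..4 mapping, so a "very high" likelihood vendor with only "medium" impact (score 8) does not appear in sector coverage; adjust the threshold if your tiering treats likelihood and impact asymmetrically.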
VSRM Practices Used: AMC Preferences
01 Preferred Questionnaire Framework
1. CORL NIST-based VSQ
2. NIST & HIPAA CFR
3. NIST with HITRUST
02 GRC Systems
1. ServiceNow
2. Archer
3. None/None Noted
Some AMC CORL Clients integrate with their GRC system.
03 Preferred Vendor Certification
1. None/None Noted
2. ISO/IEC 27001
3. SOC 2 Type 2
4. HITRUST
04 Contract Terms for Security
• No consistency
• Certification requirement (limited; ISO, SOC 2, SOC 1, PCI, HITRUST)
VSRM Practices Used: Vendor Responsiveness
01 Responsiveness During Vendor Security Questionnaire (VSQ)
• Required SLA response time: min 5 days, max 10 days
• Actual VSQ return: 20 business days (median)
02 Responsiveness During Remediation
• Generally lax in requiring remediation.
• Generally no remediation timelines imposed on vendors.
• Generally no certifications imposed on vendors.
VSRM Practices Used: Monitoring
AMC clients rely on CORL to monitor vendors for events such as breaches, mergers and acquisitions, or major leadership turnover.
No vendors to date are monitored using other cyber risk scoring services.
Looking Forward
• Understand your vendors and focus on risk
• Set Clear Expectations
• Enforce Accountability
Looking Forward: Set Clear Expectations
Contracts should establish clear expectations:
• Vendor responsibility to provide assurance of privacy and security controls
• Acceptable assurance (e.g., SOC 2 Type II, HITRUST, types of evidence)
• Timeframes for remediation (e.g., critical issues within 7 days)
• Reporting in the event of an incident (e.g., forensics report, remediation plan)
• Financial penalties and remuneration for not protecting data
Looking Forward: Needs Attention
• Focus on the right vendors
• Emphasize assurance versus information
• Expand coverage of assessments for all High Risk vendors
• Demand accountability from vendors
• Develop a strategy for small vendors
• Address emerging trends:
  • Off-shore vendors
  • Cloud-specific focus (e.g., Azure versus AWS)
  • Privacy / use of data
Looking Forward: To-Do
• Board-level report to summarize issues
• Benchmark practices
• Data to enhance vendor tiering
• Team with a cyber-risk scoring company to bring in threat data and know where exposure exists across the vendor portfolio
• Scoring vendors based on collaboration, transparency, willingness
• Addressing emerging trends like hosting provider analysis, high-risk geographies, privacy
Question & Answer Period
Jay Stewart, Accounts, Markets, & Partners at CORL Technologies
Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center