Academic Medical Centers & Vendor Security: Most … · 7/6/2018 · Data study providing…


Page 1: Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date

NCHICA Meeting, June 2018

Michelle Allar, Quality and Risk Management Manager, Wake Forest Baptist Medical Center, [email protected]

Jay Stewart, Accounts, Markets, & Partners, CORL Technologies, [email protected]

CORL Technologies © All Rights Reserved

Page 2: Contents

1. Introduction
2. Unique Challenges for AMC
3. AMC Vendors
4. Security Risk Exposure
5. Assessment of Vendors
6. VSRM Practices Used
7. Looking Forward

Page 3: Introduction – CORL Technologies (Jay Stewart)

CORL works with Health Plans, Providers, and Academic Medical Center (AMC) organizations on their vendor security risk management (VSRM) programs.
• Extension of internal AMC organization teams
• Insight into AMC organization practices deployed to manage vendors
• Data on security practices of vendors providing products and services to AMC organizations

Data study providing insights on the types of vendor security practices deployed by AMC organizations that are CORL Clients.
• Types of vendors that are emerging as the highest threats
• Benchmark vendor security risk management practices
• Vendor vulnerabilities to focus and prioritize AMC organization vendor security efforts in 2018

CORL Partnerships
• GRC Solutions
• Risk Scoring Companies
• Consortiums

Data-based CORL Research & Studies
• Benchmark
• Vendor
• Industry
• Practices

CORL Services
• Global Onsite Audits
• Privacy Audits
• Staff Augmentation
• On Premise Assessments

Page 4: Introduction – Wake Forest Baptist Medical Center (Michelle Allar)

Wake Forest Baptist Medical Center is a nationally recognized academic medical center in Winston-Salem, N.C., with an integrated enterprise including educational and research facilities, hospitals, clinics, diagnostic centers, and other primary and specialty care facilities serving 24 counties in northwest North Carolina and southwest Virginia.

Our Winston-Salem Campus:
• Total Medical Center Workforce: 14,000+
• Licensed Beds: 885
• Inpatient Admissions: 40,810
• Observation Patients: 8,883
• Emergency Department Outpatient Visits: 110,602
• Other Outpatient Visits (includes ambulatory visits and outpatient departments): 171,619
• Total Research Awards: $177.3 million

Page 5: Introduction – Wake Forest Baptist Medical Center (Michelle Allar)

Wake Forest Baptist Medical Center is a growing health system.

2016
• The five-floor, 168,000-square-foot Bowman Gray Center for Medical Education opens in Wake Forest Innovation Quarter.
• The Medical Center purchases Cornerstone Health Care, a practice group with more than 275 providers in approximately 50 locations.

2017
• A 50-bed, 78,000-square-foot inpatient wing opens at Wake Forest Baptist Health – Davie Medical Center, consolidating all of the hospital’s services at the Bermuda Run campus.
• On July 1, 2017, the 130-bed Wilkes Regional Medical Center becomes Wake Forest Baptist Health – Wilkes Medical Center. The 30-year lease agreement with the Wilkes Regional officials and the Town of North Wilkesboro includes expansion of specialty care with improved patient access close to home in the Wilkes County community.

Page 6: Data Study: Academic Medical Centers & Vendor Security – Contents

1. Introduction
2. Unique Challenges for AMC
3. AMC Vendors
4. Security Risk Exposure
5. Assessment of Vendors
6. VSRM Practices Used
7. Looking Forward

Page 7: Unique Challenges for AMC

AMC Complexity:
• Data intensive environment
• Not all procurement through a central department
• In addition to regulatory data challenges – risks to theft of intellectual property
• Users/researchers may not be employees of the AMC
• Exploding growth of data analytics firms offering value for access to data
• Gray line between IRB-approved research and for-profit analytics

Presented by Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center

Page 8: Unique Challenges for AMC

AMC Vendor Security Risks:
• Non-“standard” or non-hardened systems procured and implemented by researchers
• Black box systems on the network that are not managed by the health system and have security vulnerabilities
• Inability to track and monitor the flow of information to external entities (especially 4th-party vendors)
• Vendors with no or minimal security capabilities

Presented by Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center

POLL!

Page 9: Data Study: Academic Medical Centers & Vendor Security – Contents (section divider)

Page 10: Overview of Data – AMC Vendors in CORL Database

• Over 40,000 vendors in the CORL database, 20,000 of them AMC vendors
• Practices from ~20 AMC CORL clients
• CORL assessment risk findings and desktop audit results

Page 11: AMC Vendors in CORL Database – Are AMC Organizations Using the Same Vendors?

Of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors appear on multiple vendor lists.

Average AMC vendor list ≈ 2,000 vendors

Page 12: AMC Vendors in the CORL Database – Vendors Appearing on Several AMC Vendor Lists

Some vendors are pervasive and appear on almost every AMC CORL client vendor list.

Of the vendors on multiple vendor lists, the most common products and services contracted are:
• Medical Devices
• Medical Supplies
• Healthcare Consulting
• Healthcare Conglomerates

Page 13: Types of Vendors with Access to AMC Data (per CORL Database)

Page 14: Vendor Portfolio: Size – AMC Vendors in the CORL Database

AMCs do a lot of business with small-business vendors; over half of the AMC vendors provided to CORL on vendor lists have 50 employees or fewer.

POLL!

Page 15: Vendor Portfolio: Geographical Scope – AMC Vendors in the CORL Database

A clear majority of AMC vendors are National, meaning they maintain all physical office locations within the United States of America.

Page 16: Data Study: Academic Medical Centers & Vendor Security – Contents (section divider)

Page 17: Security Risk Exposure – Across the AMC Portfolio

CORL Risk Calculation:
• Likelihood: security capabilities of a vendor
• Impact: volume of PHI at risk of a breach
• Overall Risk of Breach

Likelihood × Impact = Risk

Page 18: Security Risk Exposure: Likelihood of Breach

Likelihood = security capabilities of a vendor

Vendors that provide these types of products and services are more likely to experience a breach.

Top 10 Vendor Types by Likelihood of Breach:
1. Medical Devices *
2. Revenue Cycle & Business Process
3. Durable Medical Equipment
4. Business Intelligence / Analytics
5. Financial Services
6. Supply Chain Services
7. Healthcare Consulting
8. Legal
9. Pharmacy (Clinical)
10. Clinical Imaging

* AMCs have 3x more Medical Device vendors than the second-highest sector, Rev Cycle, in “Likelihood of Breach”.

Page 19: Security Risk Exposure: Impact of Breach

Impact = volume of PHI at risk of a breach

A breach of a High Impact vendor can cause millions of dollars in breach response costs.

Top 10 Vendor Types by Impact of Breach:
1. Medical Devices *
2. Security/Privacy
3. Healthcare Consulting
4. Pharmacy (Clinical)
5. Document Management and Imaging
6. Network Hardware
7. Mobile Device Applications
8. Practice Management Software
9. Clinical Portals / Aggregation Software
10. Clinical Blood & Tissue

* AMCs have 4x more Medical Device vendors than the second-highest sector, Security/Privacy, in “Impact of Breach”.

Page 20: Security Risk Exposure: Highest Risk Vendor Groups

Highest exposure on both Likelihood and Impact:
• Medical Devices
• Healthcare Consulting
• Pharmacy (Clinical)

Page 21: Comparison to Industry: Security Certifications – AMC Vendors

Security certifications are primary indicators that a company is willing to invest in the protection of sensitive data.

Slightly worse than the industry average: many vendors serving AMC clients do not invest in a security certification.

Page 22: Comparison to Industry: Security Certifications – AMC Vendors

Of the 22% of AMC vendors that do invest in maintaining a security certification, the following are favored:

POLL!

Page 23: Comparison to Industry: Security Personnel – AMC Vendors

Having designated security personnel is a key indicator that a vendor prioritizes security by investing in qualified resources.

AMC vendors are faring slightly better than the industry average in having resources designated to security.

Page 24: Comparison to Industry: Privacy – AMC Vendors

A vendor’s Privacy Policy indicates a commitment to the protection of information provided.

AMC vendors are faring slightly worse than the industry average in prioritizing privacy and its importance in the healthcare industry.

Page 25: Comparison to Industry: Data Breach – AMC Vendors

Slightly worse than the industry average: AMC vendors disclose a higher percentage of data breaches in the past 5 years than the overall industry.

Page 26: Inadequate Security: Control Inadequacies – AMC Vendors

AMC vendors tend to have inadequate NIST 800-53 controls in Access Controls, followed by Authentication & Authorization, and System Data Protection.

Page 27: Data Study: Academic Medical Centers & Vendor Security – Contents (section divider)

Page 28: Assessment of Vendors – Are AMC clients assessing the same vendors?

As stated, of the 20,000 vendors supplied to CORL by AMC clients, 23% of vendors are common across the vendor lists provided.

But 14% of vendors are being assessed by multiple AMC clients. There is more overlap on the AMC vendor lists than is being assessed.

Page 29: Assessment of Vendors – Across the AMC Portfolio: Impact Rating

AMC clients are generally assessing vendors that touch a lot of PHI. Most assessments are of vendors categorized as “Very High” or “High” Impact.

Page 30: Assessment of Vendors – Across the AMC Portfolio: Impact Rating

But there is work to do. Many vendors with a known categorization of “Very High” or “High” Impact rating are not yet being assessed.

Page 31: Assessment of Vendors – AMC Vendors CORL is often assessing

1. Business Intelligence / Analytics
2. Revenue Cycle & Business Process
3. Mobile Device Applications
4. Practice Management Software
5. Healthcare Consulting
6. Medical Devices
7. EHR Software
8. Patient Engagement Software
9. Security/Privacy
10. Clinical Portals/Aggregation

Breakdown of sectors that are assessed the most – Vendors That Get Your Attention:
• These are your high-Impact and/or high-Likelihood sectors that are being assessed the most on a count basis.
• Good job, because these vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both.

Page 32: Assessment of Vendors – AMC Vendors CORL is not often assessing

1. Legal
2. Mental and Addiction
3. Clinical Blood & Tissue
4. Life Insurance
5. Clinical Social Support
6. Pharmacy (Retail)
7. Dental/Vision
8. Pharmacy (Clinical)
9. Home Health
10. Network Hardware

Breakdown of sectors that are NOT being assessed enough:
• These are your high-Impact and/or high-Likelihood sectors that are NOT being assessed on a count basis.
• These vendors are either considered to touch a lot of PHI, have continuously scored poorly on risk assessments, or both, and should be considered for assessment priority.
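The Likelihood × Impact calculation from slide 17 and the assessment-coverage gap described on slides 28 to 32 (High/Very High Impact vendors not yet assessed, whole sectors under-assessed) can be turned into a prioritisation routine. The Python below is an added example and is not CORL's or Wake Forest Baptist's code: the deck does not publish its scoring scale, so the 1–4 ordinal scales for likelihood and impact, the tier cut-offs, and the vendor names and ratings in the sample portfolio are constructed assumptions. It goes slightly beyond the slides by ranking the unassessed vendors to show which assessments retire the most risk.

```python
"""Vendor prioritisation under the Likelihood x Impact model.

Added example, not CORL's or Wake Forest Baptist's code. The deck states
Risk = Likelihood x Impact, with likelihood driven by a vendor's security
capabilities and impact by the volume of PHI it touches, and notes that many
"High"/"Very High" impact vendors are not yet assessed. The 1-4 ordinal
scales, tier cut-offs and the vendor records below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scales; CORL's real scoring scale is not given in the deck.
LIKELIHOOD = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}
IMPACT = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Vendor:
    name: str
    sector: str
    likelihood: str  # weaker security capabilities -> higher likelihood of breach
    impact: str      # more PHI at risk -> higher impact of breach
    assessed: bool   # has a vendor security assessment been completed?


def risk_score(v: Vendor) -> int:
    """Risk = Likelihood x Impact, on the product scale 1..16."""
    return LIKELIHOOD[v.likelihood] * IMPACT[v.impact]


def risk_tier(score: int) -> str:
    """Assumed tier cut-offs on the 1..16 product scale."""
    if score >= 12:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def unassessed_high_impact(vendors):
    """Slides 29-30: High/Very High impact vendors with no assessment, riskiest first."""
    pending = [v for v in vendors
               if not v.assessed and IMPACT[v.impact] >= IMPACT["High"]]
    return sorted(pending, key=lambda v: (-risk_score(v), v.name))


def assessment_priority(vendors, budget: int):
    """Pick the `budget` unassessed vendors whose assessment retires the most risk."""
    pending = [v for v in vendors if not v.assessed]
    return sorted(pending, key=lambda v: (-risk_score(v), v.name))[:budget]


def sector_coverage(vendors):
    """Slides 31-32: per sector, assessed vs. total count and the risk still unassessed."""
    cov = {}
    for v in vendors:
        s = cov.setdefault(v.sector, {"total": 0, "assessed": 0, "unassessed_risk": 0})
        s["total"] += 1
        if v.assessed:
            s["assessed"] += 1
        else:
            s["unassessed_risk"] += risk_score(v)
    return cov


# Constructed sample portfolio; names and ratings are illustrative only.
SAMPLE_VENDORS = [
    Vendor("DeviceCo", "Medical Devices", "Very High", "Very High", True),
    Vendor("InfusionPumps LLC", "Medical Devices", "High", "Very High", False),
    Vendor("BillFlow", "Revenue Cycle & Business Process", "High", "High", True),
    Vendor("ConsultHealth", "Healthcare Consulting", "Very High", "High", True),
    Vendor("ClinicRx", "Pharmacy (Clinical)", "High", "Very High", False),
    Vendor("BloodBank Inc", "Clinical Blood & Tissue", "Moderate", "High", False),
    Vendor("LawPartners", "Legal", "High", "Moderate", False),
    Vendor("SupplyMart", "Medical Supplies", "Low", "Low", False),
]

if __name__ == "__main__":
    for v in unassessed_high_impact(SAMPLE_VENDORS):
        print(f"{v.name:18} {v.sector:32} risk={risk_score(v):2} tier={risk_tier(risk_score(v))}")
    print("next to assess:", [v.name for v in assessment_priority(SAMPLE_VENDORS, 2)])
    for sector, s in sorted(sector_coverage(SAMPLE_VENDORS).items(),
                            key=lambda kv: -kv[1]["unassessed_risk"]):
        print(f"{sector:32} assessed {s['assessed']}/{s['total']}"
              f" unassessed risk {s['unassessed_risk']}")
```

Sorting by score and then by name keeps the ranking deterministic when several vendors tie; the sector view is what slides 31 and 32 present on a count basis, extended here with the summed unassessed risk so that a sector with one very risky vendor is not hidden behind a sector with many low-risk ones.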

Page 33: Data Study: Academic Medical Centers & Vendor Security – Contents (section divider)

Page 34: VSRM Practices Used – AMC Preferences

01 Preferred Questionnaire Framework
1. CORL NIST-based VSQ
2. NIST & HIPAA CFR
3. NIST with HITRUST

02 GRC Systems
1. ServiceNow
2. Archer
3. None/None Noted
Some AMC CORL clients integrate with their GRC system.

03 Preferred Vendor Certification
1. None/None Noted
2. ISO/IEC 27001
3. SOC 2 Type 2
4. HITRUST

04 Contract Terms for Security
• No consistency
• Certification requirement (limited; ISO, SOC 2, SOC 1, PCI, HITRUST)

Page 35: VSRM Practices Used – Vendor Responsiveness

01 Responsiveness During Vendor Security Questionnaire (VSQ)
Required SLA response time:
• Min: 5 days
• Max: 10 days
• Actual VSQ return: 20 business days (median)

02 Responsiveness During Remediation
• Generally lax in requiring remediation.
• Generally no remediation timelines imposed on vendors.
• Generally no certifications imposed on vendors.

Page 36: VSRM Practices Used – Vendor Security Risk Management: Monitoring

AMC clients rely on CORL to monitor vendors for events such as breaches, mergers and acquisitions, or major leadership turnover.

No vendors to date are monitored using other cyber risk scoring services.

Page 37: Data Study: Academic Medical Centers & Vendor Security – Contents (section divider)

Page 38: Looking Forward

• Understand your vendors and focus on risk
• Set Clear Expectations
• Enforce Accountability

Page 39: Looking Forward – Set Clear Expectations

Contracts should establish clear expectations:
• Vendor responsibility to provide assurance of privacy and security controls
• Acceptable assurance (e.g., SOC 2 Type II, HITRUST, types of evidence)
• Timeframes for remediation (e.g., critical issues within 7 days)
• Reporting in the event of an incident (e.g., forensics report, remediation plan)
• Financial penalties and remuneration for not protecting data
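Both the questionnaire SLA figures on slide 35 (a required 5 to 10 day response against a median actual return of 20 business days) and the contractual remediation timeframes on slide 39 ("critical issues within 7 days") are only enforceable if someone measures them. The Python below is an added example, not CORL's or Wake Forest Baptist's tooling: it counts business days (weekends only, no holiday calendar) to measure VSQ turnaround against an SLA and to compute remediation due dates by severity. The VSQ records, the findings, and the non-critical remediation windows are constructed assumptions; only the 7-day critical window and the 10-day SLA ceiling come from the deck.

```python
"""VSQ turnaround and remediation deadline tracking in business days.

Added example, not CORL's or Wake Forest Baptist's code. Slide 35 reports a
required VSQ SLA of 5-10 days against a median actual return of 20 business
days; slide 39 suggests contract remediation timeframes such as critical
issues within 7 days. The records below and the non-critical windows are
constructed assumptions. Business days are Mon-Fri; no holiday calendar.
"""
from datetime import date, timedelta
from statistics import median


def business_days_between(start: date, end: date) -> int:
    """Count Mon-Fri days after `start` up to and including `end`."""
    if end < start:
        raise ValueError("end before start")
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def add_business_days(start: date, n: int) -> date:
    """Date that is `n` business days after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


# Constructed VSQ records: (vendor, date sent, date returned or None if still open).
VSQ_RECORDS = [
    ("DeviceCo", date(2018, 3, 5), date(2018, 3, 12)),   # 5 business days
    ("BillFlow", date(2018, 3, 5), date(2018, 4, 2)),    # 20 business days
    ("ClinicRx", date(2018, 3, 5), date(2018, 4, 16)),   # 30 business days
    ("LawPartners", date(2018, 3, 5), None),             # still open
]


def vsq_turnaround(records, as_of: date):
    """Business-day turnaround per vendor; open VSQs are measured up to `as_of`."""
    return {vendor: business_days_between(sent, returned or as_of)
            for vendor, sent, returned in records}


def vsq_sla_report(records, as_of: date, sla_days: int = 10):
    """Median turnaround and the vendors past the SLA ceiling (slide 35: max 10 days)."""
    turn = vsq_turnaround(records, as_of)
    return {
        "median_business_days": median(turn.values()),
        "over_sla": sorted(v for v, d in turn.items() if d > sla_days),
    }


# Remediation windows in business days. Only the critical figure (7 days) is
# from the deck; the high and moderate windows are assumed for illustration.
REMEDIATION_WINDOW = {"critical": 7, "high": 30, "moderate": 90}

# Constructed findings: (vendor, severity, date the finding was confirmed).
FINDINGS = [
    ("DeviceCo", "critical", date(2018, 4, 2)),
    ("BillFlow", "high", date(2018, 4, 2)),
    ("ClinicRx", "moderate", date(2018, 4, 16)),
]


def remediation_status(findings, as_of: date):
    """Due date per finding and how many business days overdue it is as of `as_of`."""
    status = []
    for vendor, severity, found in findings:
        due = add_business_days(found, REMEDIATION_WINDOW[severity])
        overdue = business_days_between(due, as_of) if as_of > due else 0
        status.append({"vendor": vendor, "severity": severity,
                       "due": due, "overdue_business_days": overdue})
    return status


if __name__ == "__main__":
    today = date(2018, 4, 30)
    print("VSQ SLA report:", vsq_sla_report(VSQ_RECORDS, today))
    for row in remediation_status(FINDINGS, today):
        print(row)
```

Measuring open questionnaires up to the reporting date, rather than ignoring them, is deliberate: a vendor that never returns the VSQ is the worst SLA miss, and dropping unreturned records from the median would make the turnaround look better than it is.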

Page 40: Looking Forward – Needs Attention

• Focus on the right vendors
• Emphasize assurance versus information
• Expand coverage of assessments for all High Risk vendors
• Demand accountability from vendors
• Develop a strategy for small vendors
• Address emerging trends:
  • Off-shore vendors
  • Cloud-specific focus (e.g., Azure versus AWS)
  • Privacy / use of data

Page 41: Looking Forward – To-Do

• Board-level report to summarize issues
• Benchmark practices
• Data to enhance vendor tiering
• Team with a cyber-risk scoring company to bring threat data and know where exposure exists across the vendor portfolio
• Scoring vendors based on collaboration, transparency, willingness
• Addressing emerging trends like hosting provider analysis, high-risk geographies, privacy

Page 42: Question & Answer Period

Jay Stewart, Accounts, Markets, & Partners at CORL Technologies, [email protected]

Michelle Allar, Quality and Risk Management Manager at Wake Forest Baptist Medical Center, [email protected]