Assessing Vendor Security Risks: The Challenges
Sizing Up Where Healthcare Organizations Come Up Short
Although many healthcare organizations are becoming more mindful of the security risks posed by vendors, they're not consistently vetting these companies or adequately mitigating risks, says Andrew Hicks, vice president of risk assurance at the consulting firm Frazier & Deeter.
"A lot of organizations fall victim to [thinking] 'once the data is pushed off to a vendor, it's out of my sight, it's out of my control, and I don't have to worry about it,'" he says in an interview with Information Security Media Group.
But under HIPAA and other regulations, "you're responsible for ensuring that data is secured downstream," even when vendors are storing the data, he notes.
Hicks says too many organizations are still relying on a variety of non-standardized vendor questionnaires and "forced" risk assessments of third parties. He calls for a more standardized approach that takes into account "the different kinds of risks certain third parties pose to the organization."
In the interview, Hicks also discusses:
- Challenges involving cloud services providers;
- Struggles for the healthcare sector involving information security skills shortages;
- Other top cybersecurity challenges facing healthcare entities.
Hicks is vice president of risk assurance and national HITRUST practice leader at professional services firm Frazier & Deeter, based in Atlanta. He has about 20 years of experience in information security risk and compliance leadership. Until recently, Hicks was vice president of healthcare services at the security consultancy Coalfire.