Scrutinizing Cloud Vendor Security
Thad Phillips, CISO at Baptist Health Care, on Mitigating Risks
With cyber incidents involving vendors - including cloud services providers - surging, healthcare entities must step up scrutiny of their business associates as well as those companies' subcontractors, says Thad Phillips, CISO at Baptist Health Care in Pensacola, Florida.
"What I'm seeing is vendors moving cloud to cloud, so if you switch vendors and your data is already cloud-based, you need to … make that next migration safe to the next vendor," he says.
Entities should demand that their primary vendors perform due diligence on their subcontractors. "You can get them on the hook for that," he says in an interview with Information Security Media Group.
When a vendor gets a new subcontractor, the vendor should make sure they've got a business associate agreement with that new partner, Phillips says.
He advises organizations to make sure all their vendors encrypt data in transit and at rest and that they store all data domestically. And he recommends asking for a SOC2 report and evidence of PCI compliance.
In this interview, Phillips also discusses:
- Other security challenges involving vendors and subcontractors;
- How the COVID-19 pandemic is changing healthcare sector cybersecurity;
- Top security priorities in the months ahead.
Phillips has more than 20 years of experience in healthcare IT security. He is enterprise CISO at Baptist Health Care, which includes three hospitals, four medical parks, a behavioral health network and an institute for orthopedics and sports medicine. He is also an adjunct faculty member at Tulane University and the University of Alabama at Birmingham.