Vendor Risk Management: A Better Approach
CIO Aaron Miri Describes Components of a New Strategy
The risks posed by third-party vendors are a top concern for Aaron Miri, CIO of University of Texas at Austin's Dell Medical School and its affiliated UT Health Austin group practice. He explains steps he's taking to help mitigate those risks.
"Making sure you're staying on top of where your patient data is going, who is accessing what, and how those third parties are interfacing with you - and to what degree they are interfacing out to the world - is of top importance," he says in an interview with Information Security Media Group.
"It's as if you're giving the keys to your car to your neighbor, and your neighbor gives those very same keys to their neighbor, and so on and so forth. You have no idea what happens three or four steps down the line, unless you have a centrally managed and easy way to track that."
Managing medical device risk is of particular concern, the CIO says. A constant challenge, he says, is "understanding what the landscape is and where vendors are in mitigating risks on their devices that are suddenly entering into our ecosystems."
The Texas organization where Miri works has launched a concerted, multifaceted effort to bolster vendor risk management, he says.
For example, it's working with about a dozen other healthcare organizations to collaborate with software developer Censinet in designing a vendor risk management platform to help automate manual processes involved with vetting and tracking vendor risk.
UT Health Austin also is continually asking vendors to demonstrate how they're protecting data, Miri says. "Show us your latest scan results; show me your latest vulnerability. It is an active partnership."
In the interview, Miri also discusses:
- The challenges of medical device security risk management;
- Key areas of vendor security risk concern;
- Why foreign espionage is a top threat to the healthcare sector.
Miri is the CIO for the University of Texas at Austin, Dell Medical School and UT Health Austin, the school's affiliated clinical practice. In 2018, Miri was congressionally appointed to the Department of Health and Human Services' federal Health IT Advisory Committee, which was established under the 21st Century Cures Act. Previously, Miri served on the HHS Health IT Policy Committee established under the HITECH Act. Prior to joining the University of Texas, Miri served as CIO for security vendor Imprivata.