Posted on Feb 26, 2018
As more businesses incorporate automation to streamline services, proactive cybersecurity vendor risk management becomes more integral to ensuring continued organizational success. With data breaches affecting more organizations, the old cybersecurity motto of “trust but verify” must be integrated into vendor management programs.
In many industries, vendor risk management oversight is managed exclusively using security control checklists and questionnaires. Often, the risk assessment process relies on trusting vendor responses at a specific moment in time. Without the use of automated technology, these methods create a risk analysis process based on trust but not verification. With the frequent changes to the information security landscape, this type of cybersecurity documentation and processes leads to potential risks.
The interconnectedness of vendor ecosystems no longer allows companies to remain siloed in a given industry. For example, the Health Information Technology for Economic and Clinical Health Act (HITECH) applied the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applied the Security Rule and Privacy Rule to business associates. In other words, many businesses who previously escaped the burden of HIPAA compliance now need to ensure they enact appropriate security and privacy measures.
HITRUST expanded HIPAA’s reach beyond traditional health care providers by defining a business associate as any person or entity involved in the use or disclosure of protected health information (PHI). This broad term incorporates anyone from third-party healthcare claims processing vendors to certified public accounts whose services involve accessing PHI. In other words, any vendor you use to enable oversight of your employee healthcare program must be HIPAA compliant, including audit firms. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR), who oversees HIPAA compliance, mandates continuous risk assessment and management processes for organizations handling electronic protected health information (ePHI).
As part of the compliance process, HIPAA guidelines suggest the following security risk analysis procedure:
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to [electronically protected healthcare information] e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
The Security Rule requires you to implement policies and procedures for overseeing third-parties. Even though you are not a healthcare organization, you need to ensure that you document your third-party and fourth-party assurances. Continuous monitoring over your ecosystem enables this.
Whether we like it or not, the increased number and severity of data breaches is bringing in Big Brother to help protect everyone. In 2015, the Office of the National Coordinator for Health Information Technology (ONC) set out a strategic plan for creating federal health IT goals that include increasing user and market confidence in the safety and safe use of health IT products, system, and care delivery. In other words, the strategic goals for 2015-2020 specifically increase regulatory oversight of healthcare information sharing.
Evaluating the risks to an entire digital ecosystem, therefore, becomes more challenging for small and medium-sized businesses who may not realize a vendor needs to be HIPAA and HITECH compliant.
An automated and intelligent cyber risk monitoring solution, like SecurityScorecard, guarantees compliance with HIPAA’s continuous monitoring requirements by providing:
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.