Proactive Cybersecurity Vendor Risk Management

By Phoebe Fasulo

Posted on Feb 26, 2018

As more businesses incorporate automation to streamline services, proactive cybersecurity vendor risk management becomes more integral to ensuring continued organizational success. With data breaches affecting more organizations, the old cybersecurity motto of “trust but verify” must be integrated into vendor management programs.

Point-in-time risk documentation falls short

In many industries, vendor risk management oversight is managed exclusively using security control checklists and questionnaires. Often, the risk assessment process relies on trusting vendor responses at a specific moment in time. Without the use of automated technology, these methods create a risk analysis process based on trust but not verification. With the frequent changes to the information security landscape, this type of cybersecurity documentation and process leads to potential risks.

The HIPAA privacy and security rules example

The interconnectedness of vendor ecosystems no longer allows companies to remain siloed in a given industry. For example, the Health Information Technology for Economic and Clinical Health Act (HITECH) applied the Security Rule and Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to business associates. In other words, many businesses that previously escaped the burden of HIPAA compliance now need to ensure they enact appropriate security and privacy measures.

HITRUST expanded HIPAA’s reach beyond traditional health care providers by defining a business associate as any person or entity involved in the use or disclosure of protected health information (PHI). This broad term incorporates anyone from third-party healthcare claims processing vendors to certified public accountants whose services involve accessing PHI. In other words, any vendor you use to enable oversight of your employee healthcare program must be HIPAA compliant, including audit firms. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which oversees HIPAA compliance, mandates continuous risk assessment and management processes for organizations handling electronic protected health information (ePHI).

As part of the compliance process, HIPAA guidelines suggest the following security risk analysis procedure:

“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to [electronically protected healthcare information] e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”

The Security Rule requires you to implement policies and procedures for overseeing third parties. Even if you are not a healthcare organization, you need to ensure that you document your third-party and fourth-party assurances. Continuous monitoring of your ecosystem enables this.

The future is regulated

Whether we like it or not, the increased number and severity of data breaches is bringing in Big Brother to help protect everyone. In 2015, the Office of the National Coordinator for Health Information Technology (ONC) set out a strategic plan for creating federal health IT goals that include increasing user and market confidence in the safety and safe use of health IT products, systems, and care delivery. In other words, the strategic goals for 2015-2020 specifically increase regulatory oversight of healthcare information sharing.

Evaluating the risks to an entire digital ecosystem, therefore, becomes more challenging for small and medium-sized businesses that may not realize a vendor needs to be HIPAA and HITECH compliant.

Automation is key to more effective cybersecurity risk management

An automated and intelligent cyber risk monitoring solution, like SecurityScorecard, guarantees compliance with HIPAA’s continuous monitoring requirements by providing:

  • Timely insight into cybersecurity health
  • Highly accurate and objective cybersecurity reporting information
  • Prioritized and actionable security information
