Healthwise Case Study
“We like our vendors to have ‘A’s’ or ‘B’s.’ If their score drops, then we look into it.”
The Customer
Healthwise is a global provider of consumer health content and patient education for the top health plans, care management companies, hospitals and consumer health portals. It is a non-profit organization that has been in operation for more than 40 years. Healthwise is dedicated to providing health information, decision support tools, behavior change assistance, and personal care planning for millions of people yearly. Healthwise is an essential resource that many people rely on in order to improve their lives.
Healthwise’s Approach to Security
Healthwise has evolved from providing pre-internet information sources, like physical handbooks and reading material, to mainly providing digital content. Adapting to a new way of providing information affected Healthwise’s approach to data security.
At the start, third-party security was not defined as a top priority for Matt Berther, Director of Solutions Architecture and Security, because at the time, the patient education information Healthwise provided was not subject to the stringent security regulations that other healthcare companies experienced.
However, as Healthwise grew and partnered with other solutions, Berther saw the need for individuals to use their protected health information (PHI) in conjunction with Healthwise’s information to make better and more informed decisions. This required a change in Healthwise’s information security measures, because PHI is extremely valuable, regulated, and often the focus for hackers. Ensuring Healthwise’s third parties were secure became an absolute business necessity.
The Challenge
As its business model changed, Healthwise began to use third parties for critical services such as hosting operations and product delivery. While Healthwise was doing its part in securing sensitive information (for example, by providing cybersecurity awareness training to its employees), they still needed to be confident that third parties were doing the same.
They used the following process: third parties were first categorized by whether they hosted services critical to Healthwise’s infrastructure or were tied to product delivery. Then, the third parties were categorized again into vendors that were critical for business versus those that were not, as well as vendors that were internally facing versus those that were not.
Here’s where the problem arose. Even though Healthwise used this classification system in conjunction with point-in-time security assessments and questionnaires to help prioritize security when partnering with critical vendors, it wasn’t enough. Berther and his team still needed independent validation of findings and a way to continuously monitor the security posture of the third parties. They felt that the point-in-time assessments were subjective and quickly outdated; as a result, they didn’t offer a true reflection of an organization’s risk or security posture.
The Solution
Healthwise found that SecurityScorecard’s risk monitoring platform was the ideal solution to its third-party risk management challenges. Healthwise has integrated the platform as part of the new third-party due diligence process. SecurityScorecard helped Healthwise set up a manageable approach to vendor risk management, allowing Berther and his team to define granular requirements related to security issues, and providing Healthwise with a tool to evaluate itself.
Setting Up a Broad Approach to Vendor Risk Management
When assessing individual third parties, Healthwise reviews the overall security rating and enables alerting for any third party that drops under an overall “B” rating. The alerting tool allows Healthwise to quickly look at any third party, pinpoint the issues that dropped its score, and begin the remediation process. Additionally, the company set a baseline for incoming third parties, requiring further due diligence and attention for any incoming third party with a score of “C” or lower.
This simple system is made even more manageable by the platform’s portfolio feature. Here, Berther separates third parties by their services and criticality in order to better prioritize remediation efforts and to gain insight into how a change, or multiple changes, in security scores can affect the big picture for Healthwise.
Assigning Actions Based on the Detailed View of Vendor Risk
In addition to the scores allowing for a high-level overview of vendor risk, Healthwise found that the SecurityScorecard platform offered a comprehensive view of each third party from a hacker’s perspective. The ten critical security categories provided Healthwise with unique details regarding everything from an organization’s network security and malware presence, to hacker chatter and social engineering. Being able to see these details dramatically increased Healthwise’s ability to mitigate risks created by any of their monitored vendors.
This is especially important because, within the 10 security categories, there were a number of issue types, critical to Healthwise, that incoming third parties needed to be free of. If they were not, they were subject to more rigorous due diligence. For example, if an organization was found not to have a Sender Policy Framework (SPF) record, this may have only brought the Domain Name System (DNS) Health rating down from an “A” to a “B,” but Healthwise considers it mandatory that the issue be resolved, despite the organization’s “B” score.
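The vendor triage rules described above (alert when a monitored vendor drops under “B”, further due diligence for an incoming vendor at “C” or lower, and a missing SPF record treated as mandatory regardless of grade) encoded as an added example; this is my own illustration, not SecurityScorecard’s or Healthwise’s code, and the grade scale, vendor records and DNS TXT records are constructed assumptions.

```python
"""Vendor triage rules as a small policy engine (assumed model, not a vendor API)."""
from dataclasses import dataclass, field
from typing import List, Set

GRADE_RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}  # assumed letter-grade scale
MONITOR_ALERT_BELOW = "B"      # monitored vendor: alert when overall grade drops under "B"
ONBOARD_DILIGENCE_AT = "C"     # incoming vendor: "C" or lower needs further due diligence
MANDATORY_ISSUES = {"missing_spf_record"}  # must be fixed regardless of the overall grade


@dataclass
class Vendor:
    name: str
    overall: str                     # overall letter grade
    incoming: bool                   # True = new vendor under due diligence
    txt_records: List[str] = field(default_factory=list)  # constructed DNS TXT records
    issues: Set[str] = field(default_factory=set)         # other observed issue types


def has_spf(txt_records: List[str]) -> bool:
    """An SPF record is a TXT record whose content starts with 'v=spf1'."""
    return any(r.strip('"').strip().lower().startswith("v=spf1") for r in txt_records)


def find_issues(vendor: Vendor) -> Set[str]:
    """Combine recorded issues with issues derived from the vendor's DNS data."""
    issues = set(vendor.issues)
    if not has_spf(vendor.txt_records):
        issues.add("missing_spf_record")
    return issues


def triage(vendor: Vendor) -> List[str]:
    """Return the actions the policy requires for this vendor, in a fixed order."""
    actions = []
    rank = GRADE_RANK[vendor.overall.upper()]
    if vendor.incoming and rank <= GRADE_RANK[ONBOARD_DILIGENCE_AT]:
        actions.append("further_due_diligence")
    if not vendor.incoming and rank < GRADE_RANK[MONITOR_ALERT_BELOW]:
        actions.append("alert_remediation")
    mandatory = find_issues(vendor) & MANDATORY_ISSUES
    if mandatory:
        # A mandatory issue is flagged even when the grade alone would pass.
        actions.append("mandatory_fix:" + ",".join(sorted(mandatory)))
    return actions


# Constructed sample vendors
SPF_OK = ['"v=spf1 include:_spf.example.net -all"']
VENDORS = [
    Vendor("hosting-provider", "B", incoming=False, txt_records=SPF_OK),
    Vendor("content-partner", "A", incoming=True, txt_records=['"some-verification=abc"']),
    Vendor("analytics-vendor", "C", incoming=True, txt_records=SPF_OK),
    Vendor("print-vendor", "D", incoming=False, txt_records=SPF_OK),
]
```

Running `triage` over `VENDORS` flags the “A”-rated partner only for its missing SPF record, while the monitored “D” vendor gets a remediation alert.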
An Added Benefit: The Self-Assessment
Beyond risk management for vendors, the Healthwise team also found that the platform was invaluable in assessing their own security posture. In conjunction with a cloud security tool that protected its third-party hosting provider, Healthwise now relies on SecurityScorecard’s on-demand information to ensure the security of its data.
Conclusion
Overall, Healthwise has evolved its approach to third-party security as its own business model evolved. By using SecurityScorecard’s tools and platform, Healthwise was able to seamlessly transition from just considering security as a factor in partnerships to making security its top priority in selecting and monitoring its vendors. Simply put, SecurityScorecard gave Berther and his team visibility into how Healthwise’s vendors protect against a broad set of security threats. Armed with more information and more visibility, Healthwise can be confident that its vendors are securing sensitive information as well as Healthwise itself does.