Cyber Resilience

Clinical Engineering Vendor Management Wins, Part 1

Adam Zoller
Nov 1, 2023

This is part 1 of a two-part blog series written by Providence CISO Adam Zoller in which he will share strategies for vendor risk management in clinical engineering and cybersecurity. You can read part two here.

Third-party risk management is essential for organizations of all sizes, particularly in clinical engineering and cybersecurity. As organizations increasingly rely on third-party vendors and suppliers to provide critical services, it is more important than ever to understand and manage the risks associated with these relationships.

Numerous risks may be introduced by third-party relationships, including:

  • Data breaches

  • Intellectual property theft

  • Financial fraud

  • Cyber incident(s) including ransomware

  • Disruption to patient care

  • Reputational damage

Many of the wins and momentum we have seen as a healthcare organization are due to reorganizing our clinical engineering teams under information technology, conducting risk assessments and internal remediations, and being far more intentional about vendor management and procurement so that cybersecurity is baked into each relationship.

Organization Matters: Clinical Engineering Within IT

As medical devices become increasingly networked, their associated security risks have risen dramatically, so it’s critical that the clinical engineering teams managing those devices work closely with your cybersecurity teams. I often see healthcare delivery organizations (HDOs) with biomedical device engineering aligned to organizations outside IT, or directly to an individual hospital.

This creates challenges—particularly when costs are involved—in getting the prioritization needed to remediate cybersecurity risks when they are identified. Without everyone being on the same page within your organization, it is extremely difficult to make sure your vendors are aligned with your cybersecurity goals. By bringing our clinical engineering teams and biomedical device management within our Providence IT structure, we are now able to jointly prioritize our efforts to remediate issues and reduce risk. 

Get Security Written into MSAs, BAAs

It is critical that you have security language in your MSA (Master Service Agreement) or BAA (Business Associate Agreement, a healthcare industry-specific document), and in any vendor contracts. This should be standard as part of any vendor selection and procurement process. By setting the expectation, for your teams and for external parties, that cybersecurity is integral to purchasing decisions, you can enforce security standards at the point of maximum leverage. This allows you to legally hold your vendors accountable for doing things such as keeping the devices that they manage in your ecosystem up to date and patched.

Crucially, with the right wording, the contract can give you, as the customer, the ability to directly secure devices that are vendor owned or managed within your ecosystem. So, make sure you have contractual language that covers you as an organization. If you want to install endpoint detection and response software or vulnerability management software on those devices, you need to ink that into contracts up front, so you are not fighting with vendors to do it after the fact.

Security Reviews Aid in Managing your Risks

If you haven’t already done so, implement a third-party risk management program. This can include things like a third-party risk questionnaire and, depending on the answers to that questionnaire, a determination of whether additional information is needed to assess the cybersecurity risk a vendor may create.

As an example, at Providence when we are thinking about introducing a new biomedical device into our ecosystem, we do an initial security review and questionnaire. The answers then determine if a deep-dive architectural analysis is needed and whether compensating controls will be required. By doing this at the outset, we can ensure we are not introducing cybersecurity risk during new device purchase and deployment.

Build Security into Procurement

The best way to ensure that you are involved in all purchasing decisions is to include third-party risk assessments in the device and application procurement process before financial approval. Often the low bid is not the right bid. 

We have had vendors try to sell us devices running end-of-life operating systems—yes, it looks like a sweet deal up front (especially for teams that may not have security in their title), but you’ve just inherited technical debt you’re going to have to clean up soon to ensure those devices have updated operating systems and security controls.

It is important to recognize that many of the devices and applications you are purchasing from third parties, especially in the healthcare delivery space, were not designed with security in mind. Instead, they were designed for ease of use and functionality. Doing these assessments allows you to better understand the risks you may introduce into your ecosystem and potentially to introduce competition into the device purchasing process, so you can leverage vendors against each other to negotiate security provisions into the contracts.

Adam Zoller
Chief Information Security Officer

Adam Zoller is the Chief Information Security Officer for Providence, a national, not-for-profit healthcare system with more than 50 hospitals, 1,000 clinics, and locally driven programs administered by more than 120,000 caregivers.
