This is part 1 of a two-part blog series written by Providence CISO Adam Zoller in which he will share strategies for vendor risk management in clinical engineering and cybersecurity.
Third-party risk management is essential for organizations of all sizes, particularly in clinical engineering and cybersecurity. As organizations increasingly rely on third-party vendors and suppliers to provide critical services, it is more important than ever to understand and manage the risks associated with these relationships.
Third-party relationships can introduce numerous risks, including:
Intellectual property theft
Cyber incident(s) including ransomware
Disruption to patient care
Many of the wins and momentum we have seen as a healthcare organization have come from reorganizing our clinical engineering teams under information technology, from risk assessments and internal remediations, and from being far more intentional about vendor management and procurement so that cybersecurity is baked into each relationship.
As medical devices become increasingly networked, their associated security risks have risen dramatically, so it is critical that the clinical engineering teams managing those devices work closely with your cybersecurity teams. I often see healthcare delivery organizations (HDOs) with biomedical device engineering aligned to organizations outside IT, or directly to an individual hospital.
This creates challenges—particularly when costs are involved—in getting the prioritization needed to remediate cybersecurity risks when they are identified. Without everyone being on the same page within your organization, it is extremely difficult to make sure your vendors are aligned with your cybersecurity goals. By bringing our clinical engineering teams and biomedical device management within our Providence IT structure, we are now able to jointly prioritize our efforts to remediate issues and reduce risk.
It is critical that you have security language in your MSA (Master Service Agreement) or BAA (Business Associate Agreement, a healthcare industry-specific document), and in any vendor contracts. This should be a standard part of any vendor selection and procurement process. By setting the expectation, for your teams and for external parties, that cybersecurity is integral to purchasing decisions, you can enforce security standards at the point of maximum leverage. This allows you to legally hold your vendors accountable for things such as keeping the devices they manage in your ecosystem up to date and patched.
Crucially, with the right wording, it can provide you with the ability as a customer to directly secure devices that are vendor owned or managed within your ecosystem. So, make sure you have contractual language that covers you as an organization. If you want to install endpoint detection and response software or vulnerability management software on those devices, you need to ink that into contracts up-front, so you are not fighting with vendors to do that after the fact.
If you haven’t already done so, implement a third-party risk management program. This can include things like a third-party risk questionnaire and, depending on the answers to that questionnaire, a determination if additional information is needed to assess the cybersecurity risk a vendor may create.
As an example, at Providence when we are thinking about introducing a new biomedical device into our ecosystem, we do an initial security review and questionnaire. The answers then determine if a deep-dive architectural analysis is needed and whether compensating controls will be required. By doing this at the outset, we can ensure we are not introducing cybersecurity risk during new device purchase and deployment.
The best way to ensure that you are involved in all purchasing decisions is to include third-party risk assessments in the device and application procurement process before financial approval. Often the low bid is not the right bid.
We have had vendors try to sell us devices running end-of-life operating systems. Yes, it looks like a sweet deal up front (especially for teams that may not have security in their title), but you have just inherited technical debt you will have to clean up soon to get those devices onto supported operating systems with proper security controls.
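The intake questionnaire, the decision about whether a deep-dive review and compensating controls are needed, and the end-of-life operating system check described above can be expressed as a small triage rule set that runs before financial approval. The following Python is an added example written for this post; it is not Providence's tooling or questionnaire. The questionnaire fields, scoring weights, tier thresholds and compensating-control text are all assumptions, and the end-of-support table is constructed for the example (the dates mirror published vendor lifecycle dates, but verify them against the vendor's current lifecycle page before relying on them).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed end-of-support table for the example; verify against the vendor's
# current lifecycle page before relying on any date here.
OS_END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Assumed weights and thresholds; a real program tunes these to its risk appetite.
EOL_OS_WEIGHT, PHI_WEIGHT, NETWORK_WEIGHT = 3, 2, 1
NO_EDR_CLAUSE_WEIGHT, NO_SCAN_CLAUSE_WEIGHT, PATCH_SLA_WEIGHT = 2, 1, 1
MAX_ACCEPTABLE_PATCH_SLA_DAYS = 30
DEEP_DIVE_THRESHOLD, HIGH_TIER_THRESHOLD = 3, 5
ASSESSMENT_DATE = date(2024, 6, 1)  # fixed "today" so the example is reproducible


@dataclass
class DeviceIntake:
    """Hypothetical questionnaire answers captured before financial approval."""
    name: str
    os: str
    network_connected: bool
    handles_phi: bool
    vendor_managed: bool
    contract_allows_edr: bool
    contract_allows_vuln_scanning: bool
    patch_sla_days: Optional[int]  # None means the contract has no patch SLA


@dataclass
class IntakeDecision:
    tier: str
    score: int
    deep_dive_required: bool
    hold_financial_approval: bool
    findings: List[str] = field(default_factory=list)
    compensating_controls: List[str] = field(default_factory=list)


def os_is_end_of_life(os_name: str, as_of: date) -> bool:
    """True when the OS is in the table and its end-of-support date has passed."""
    eos = OS_END_OF_SUPPORT.get(os_name.strip().lower())
    return eos is not None and as_of >= eos


def triage_device(d: DeviceIntake, as_of: Optional[date] = None) -> IntakeDecision:
    """Score the questionnaire and decide whether a deep dive and controls are needed."""
    as_of = as_of or date.today()
    score = 0
    findings: List[str] = []
    controls: List[str] = []

    if os_is_end_of_life(d.os, as_of):
        score += EOL_OS_WEIGHT
        findings.append(f"{d.os} is past end of support")
        controls.append("isolate on a dedicated VLAN with deny-by-default ACLs "
                        "until the vendor ships a supported OS")
    if d.network_connected:
        score += NETWORK_WEIGHT
    if d.handles_phi:
        score += PHI_WEIGHT

    # Contract checks only apply when the vendor, not the HDO, manages the device.
    if d.vendor_managed:
        if not d.contract_allows_edr:
            score += NO_EDR_CLAUSE_WEIGHT
            findings.append("contract does not permit customer EDR on the device")
            controls.append("add an endpoint agent clause before signature")
        if not d.contract_allows_vuln_scanning:
            score += NO_SCAN_CLAUSE_WEIGHT
            findings.append("contract does not permit vulnerability scanning")
            controls.append("add a vulnerability management clause before signature")
        if d.patch_sla_days is None:
            score += PATCH_SLA_WEIGHT
            findings.append("contract has no patch SLA")
            controls.append("add a patch turnaround SLA before signature")
        elif d.patch_sla_days > MAX_ACCEPTABLE_PATCH_SLA_DAYS:
            score += PATCH_SLA_WEIGHT
            findings.append(f"patch SLA of {d.patch_sla_days} days exceeds "
                            f"{MAX_ACCEPTABLE_PATCH_SLA_DAYS}")
            controls.append("negotiate a shorter patch SLA or document risk acceptance")

    tier = "high" if score >= HIGH_TIER_THRESHOLD else (
        "medium" if score >= DEEP_DIVE_THRESHOLD else "low")
    return IntakeDecision(
        tier=tier,
        score=score,
        deep_dive_required=score >= DEEP_DIVE_THRESHOLD,
        # Any open finding holds the purchase until the contract is fixed or a
        # compensating control is formally accepted.
        hold_financial_approval=bool(findings),
        findings=findings,
        compensating_controls=controls,
    )


if __name__ == "__main__":
    # Constructed sample intake: a vendor-managed imaging workstation on Windows 7.
    sample = DeviceIntake(
        name="imaging-workstation-01", os="Windows 7", network_connected=True,
        handles_phi=True, vendor_managed=True, contract_allows_edr=False,
        contract_allows_vuln_scanning=False, patch_sla_days=None)
    decision = triage_device(sample, as_of=ASSESSMENT_DATE)
    print(decision.tier, decision.score, decision.deep_dive_required)
    for finding in decision.findings:
        print(" -", finding)
```

The point of the design is the `hold_financial_approval` flag: the contract gaps (no EDR clause, no scanning clause, no patch SLA) are surfaced as findings at the same moment as the end-of-life operating system, so procurement sees them before money is committed rather than after deployment.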
It is important to recognize that many of the devices and applications you are purchasing from third parties, especially in the healthcare delivery space, were not designed with security in mind. Instead, they were designed for ease of use and functionality. Doing these assessments allows you to better understand the risks you may introduce into your ecosystem, and it can create competition in the device purchasing process so you can leverage vendors against each other to negotiate security provisions into the contracts.
Adam Zoller is the Chief Information Security Officer for Providence, a national, not-for-profit healthcare system with more than 50 hospitals, 1,000 clinics, and locally driven programs administered by more than 120,000 caregivers.