A new Fortified webinar, “Make Third-Party Risk Manageable,” will help you take steps to protect your organization from the security threats posed by vendors. This informative webinar is hosted by Melissa Adams, Fortified’s Director of Third-Party Risk Management, and Jared Michaels, Principal Solutions Architect.
Some of the largest healthcare breaches in recent years have involved third-party vendors, so it’s imperative to be proactive and team-oriented in addressing the problem.
The most important step is to establish a TPRM governance strategy for coordinating vendor contracts and renewals. This should be a team effort that involves compliance, IT security, legal, and procurement departments – with informed oversight by hospital leadership and the board.
Most hospitals have hundreds of vendor contracts, so it’s essential to identify the mission-critical ones: EHR, payroll, billing, etc. Determine what type of network access these vendors have and conduct a business impact analysis (BIA) to assess the risks involved if these products are compromised.
Standardizing The Risk Questionnaire
One of the biggest problems in third-party risk management is the glaring lack of a standardized questionnaire. Some organizations ask vendors far too few security-oriented questions because the assessments were drawn up by procurement or legal teams. And many assessments could use some pruning. You don’t need a 400-question assessment to cover the critical information.
A TPRM services company like Fortified can help you streamline your vendor questionnaire so that it’s thorough yet not cumbersome for companies to complete. It’s also important to review and refine security language in contract renewals. For example, you may want a vendor to provide penetration test attestation and proof of a designated amount of cyber-liability insurance before renewing a contract.
Incentives For Vendors
Most vendors aren’t waiting eagerly to complete your risk questionnaire, so it’s a good idea to offer a time-based incentive: complete this assessment by this date, and we’ll expedite the signing of your contract.
For vendors who have previously completed a rigorous questionnaire, you can streamline the renewal process by sending them a condensed assessment, e.g., “If these safeguards are still in place, check this box.” It’s important, of course, to address any new risk concerns that have arisen since the previous questionnaire.
Many Risks Aren’t Obvious
In the past year, various Node.js package manager (NPM) modules have been compromised in significant supply chain attacks. Malicious code was inserted into some widely used packages, which were then redistributed to software developers.
That’s why it’s a good idea to ask your software vendors to validate that they’ve checked their JavaScript and Node.js code to make sure that it’s not corrupted and won’t infect your system.
Get Help From TPRM Experts
Fortified can help your organization implement a governance strategy that gains enterprise-wide buy-in from upper management and from compliance, legal, procurement, and IT security departments. We can also help you identify glaring omissions or redundancies in your risk questionnaires. A risk assessment can be up to date and thorough without becoming an all-day task for your vendors.
Watch the webinar to get advice from our TPRM experts, plus feedback from IT security professionals. Risk assessments can be thorough without turning into an administrative headache for either the healthcare organization or its business partners.