Vendor security risk management is not easy. It’s often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It’s often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.

Simplify

Managing information security risk amongst a population of vendors and third parties is a complex problem for most organizations, and therefore most organizations either don’t manage vendor information security risk at all, or they don’t do it well.

Don’t Manage Vendor Information Security Risk at All

There are five common reasons why organizations don’t manage vendor information security risk:

  • They don’t have enough confidence in their own information security program.
  • They don’t have experience managing vendor information security risk; they don’t know where to start or what the program is supposed to look like.
  • They don’t know what questions to ask or what they should inquire about.
  • They don’t know who all their vendors are.
  • They have other priorities, and don’t find the time to tackle vendor information security risk management.

Question: Why don’t you do vendor information security risk management?

Don’t Manage Vendor Information Security Well

There are five common reasons why organizations don’t manage vendor information security well:

  • Their vendor information security risk management program is incomplete: missing vendors, missing parts of information security, incomplete questionnaires, no scoring or comparison, shortcuts taken on inherent risk and/or residual risk, etc.
  • The vendor information security risk management program is painful to manage.
  • The vendor information security risk management program is disorganized.
  • The vendor information security risk management program relies too much on subjectivity or opinion.
  • They’re just doing something for the sake of doing something. There’s no commitment to doing it right.

Question: What pains do you experience, or what concerns do you have about your vendor information security risk management approach?

Standardize

A vendor information security risk management program must be repeatable and standardized. Standardization enables the other two important features (Simplify and Defend). You need to be doing vendor information security risk management first to truly appreciate the value of standardization. A lack of standardization leads to runaway complexity and a program that is not defensible (against litigation, inquiry from regulators, etc.).

Defend

Defense comes in two forms:

  • Defense against the breach risk posed by your vendors
  • Defense against the lawyers, regulators, and angry customers if or when a breach occurs.

Defense from Vendors

We know that no matter what we do, we cannot possibly prevent all breaches from occurring. So, where are breaches most likely to occur? According to a recent study conducted by Soha Systems, 63% of all breaches are attributed to a vendor, directly or indirectly.* It’s hard to deny the fact that a breach occurring through a vendor is one of the most likely breach events. There’s no excuse for ignoring the risks posed by vendors or taking a half-hearted approach to vendor risk.

There are five common mistakes organizations make in assessing risk related to vendors:

  • Vendor information security risk management is primarily done to meet a regulatory requirement or to “check the box.”
  • Shortcut solutions are implemented to assess and manage information security vendor risk.
  • The logic behind the vendor information security risk decisions is not tied to how risk works (inherent risk or residual risk).
  • Vendor information security risks are accepted without a clear understanding of the risks or the most effective methods of remediation.
  • High (inherent) risk vendor responses are not adequately validated.

Question: Where are there gaps in your vendor information security risk management program?

Defense from the Crowd

We already know that the most likely source of a breach is through a vendor. Even if we do everything that we can to reduce this risk, some risk will remain. When a breach inevitably happens, we need a defense against a whole new breed of attackers. Lawyers, regulators, public opinion, and our own customers become our attackers. They want answers and they want retribution.

Our defense becomes something called due care. Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Nobody expects perfection, but everyone should expect due care. Due care is where defensibility lives, and it’s imperative in our vendor information security risk management program. The question becomes, what would an ordinarily prudent or reasonable party do if they knew a vendor breach was eventual? Not accounting for vendor information security risk is indefensible.

For organizations with vendor information security risk management programs, here are some of the most common reasons why they could be less defensible:

  • Vendor information security risk decisions are subjective or opinion-based.
  • Seemingly obvious information security risks are not adequately considered.
  • The personnel making risk decisions are not qualified to do so.
  • Roles and responsibilities for vendor information security risk management are not shared amongst qualified groups or are not formally defined at all.
  • The methodology used for vendor information security risk management is not shared by any group outside of your organization, or it is shared only by a small group of organizations.

Question: Where is your vendor information security risk management program defensible, and where is it not?

Conclusion

SecurityStudio is the most comprehensive solution to simplify, standardize, and defend. It’s a vendor information security management solution that was built by former vendor risk managers who have walked the walk.

To learn more about how a solution like SecurityStudio can help your vendor information security risk management processes, schedule a demo.

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is considered a covered entity if it transmits an electronic claim, payment, etc. to a dental plan or on behalf of a dental practice. It’s very likely that your dental practice is a covered entity and should be considering HIPAA requirements.

Missing Business Associate Agreements (BAAs)

Outside people or entities often have access to patient records and information. If your dental practice works with third parties of this nature, it’s important that you’re keeping tabs on them. Third parties are often root causes of breaches and data exposure. Continuously review your third parties and be sure you have BAAs for them.

Security Policies and Procedures

Well thought out, written plans are needed to ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of your office and each staff member in protecting your patients’ private health information. The policy should clearly outline how your office handles and remediates various kinds of security breaches.

Training

Training employees is a critical component to HIPAA compliance, even for dental practices. Once you have your policies and procedures in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change in your HIPAA policies or procedures, provide training on the change within a reasonable time after the change becomes effective. Training employees will limit the risk of breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening. While HIPAA doesn’t prohibit using email or text to communicate patient information, it is important it’s done the proper way.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review to either appreciate what has been said, or try to take corrective action. Dental practices must be a bit more careful. It’s easy to respond in a way that violates HIPAA rules. Ensure you and your employees understand privacy rules before responding to your practice’s reviews.

Other Media

As photos or videos are being taken of a patient there is the possibility that other patients may be included inadvertently. These photos and videos are quite often shared through social media and this can compromise those patients’ privacy. In addition, staff members of the practice might be included in the photo or video and this violates their privacy. Be cognizant of what is going on in the background of your images and videos so you do not compromise patient information.

Reporting Breaches

Breaches happen. They can and will happen to anyone at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report all breaches of unsecured protected health information to the Office for Civil Rights, as well as to the affected individuals and, in some cases, to the media. The bottom line is, have a plan for what to do in case an incident does occur, because it certainly can.

How can you get a better understanding of these challenges, so you know how to avoid and face them? A security assessment is a great tool for that. Security assessments help you identify where your gaps in security are. Once they’ve been identified, you can also use the assessment to develop action plans for improvement, meeting HIPAA regulations and proving to examiners that you have a strong data protection program. While there are many challenges for a dental provider in being HIPAA compliant and safeguarding patient information, getting a security assessment puts you on the fast track to understanding and preventing your patients’ data from being compromised.