Why Vendor Due Diligence is Critical to Your Information Security

To stand out in today’s hyper competitive environment, a company must set itself apart from its competition by providing the most value to its customers in the most efficient way possible. To do this, most, if not all, companies today use vendors to perform various functions, such as assisting the company in processing, storing, or transmitting sensitive data. While utilizing vendors is necessary in today’s environment, companies should be wise to select the right vendor. A recent incident in the healthcare space exemplifies the risks a company undertakes when choosing to work with the wrong third party.

Recently, it was discovered by a cybersecurity firm that Meditab, a vendor that processes faxes that contain electronic protected health information (“ePHI”) for other healthcare organizations, failed to secure a server that stored and transmitted the faxes. This server, which didn’t require a password to access, stored 6 million unencrypted ePHI records. Since the server was left unprotected and because the ePHI was unencrypted, anyone could read the faxes – and the ePHI contained within the faxes – in real time.[1]

It goes without saying that requiring a strong password to access such sensitive data, as well as encrypting this data, are two of the most basic information security controls that companies should be utilizing. These fundamental errors could result in significant fines and penalties for both Meditab and the healthcare organizations to which the data belonged, depending on the extent to which the healthcare organizations knew of Meditab’s lackluster security controls. It’s important that businesses learn from this case by performing their due diligence prior to engaging its vendors as well as actively monitoring the vendors once the relationships are in place.

Recommended Due Diligence Practices for Vendors

To ensure that the right partner is selected, companies need to perform their due diligence before entering into a relationship with a vendor. However, before performing its due diligence, companies must document, through their own internal policies and procedures, the baseline requirements that future vendors must have in place before being allowed to act on behalf of the company. These requirements should address both the information security-related roles and responsibilities as it relates the vendor’s workforce as well as the controls the vendor utilizes in protecting the data with which it interacts.

The process of documenting these requirements is critical because it enables the company to receive input and buy-in from key stakeholders within the company about the types of security controls the company requires from its vendors. The company should not deviate from these baseline standards, and it should require the vendor, through a written contract, to always comply with these standards and controls. Doing so will ensure that no matter what changes the vendor makes to its business practices, the vendor will continue to adhere to the mandatory controls that are set forth in the written agreement with the company.

Once the company identifies a potential vendor, the company should then perform a risk assessment to determine what sorts of risks that vendor will pose to the company’s information systems and data. To minimize any risks that may be present, the company should require the vendor to identify the information system’s functions, ports, and other protocols necessary for the vendor to perform the contracted-for service(s). All unnecessary system ports, processes, and protocols should be disabled so as not allow the vendor to have more access than that is required for the vendor to perform the agreed-upon service(s).

As the relationship between the company and the vendor progresses, it’s important to monitor the services and security practices that are being performed by the vendor. To that end, the company should conduct regular progress meeting to review various reports, audit trails, security events, operational issues, as well as any failures or disruptions to the service(s) being delivered by the vendor. If during its review the company discovers any red flags, the company should investigate those issues to determine why they occurred and how to best resolve those issues.

Obviously, no company is perfect, and it’s not possible to prevent every bad or negligent act from a vendor. That being said, enacting these practices will establish both a baseline expectation regarding information security as well a process that allows for regular monitoring of a vendor to make sure they live up to their contractual obligations with the company.

[1]Zack Whittaker, “A huge trove of medical records and prescriptions found exposed,” Tech Crunch (last accessed April 4, 2019), <https://techcrunch.com/2019/03/17/medical-health-data-leak/>.