S1 E5: Effective Vendor Security Evaluations

Transcript

Jordan Eisner: Welcome to Compliance Pointers, where we aim to deliver in-depth and actionable information pertaining to information security, privacy, and regulatory compliance news, trends, and challenges. So if you haven’t already, make sure you subscribe today.

I’m Jordan Eisner, one of the hosts of Compliance Pointers and the VP of Sales for CompliancePoint, a mid-sized consulting firm specializing in helping organizations scale and reduce risk by ensuring data security and privacy operations.

With me once again, I have Carol Amick, Compliance Points Healthcare Practice Lead, and main HIPAA Guru, as I refer to her. Carol, great to have you again.

Carol Amick: Thank you, Jordan. Great to be here.

Jordan Eisner: In this episode, we’re discussing effective vendor cybersecurity management, a topic equally loved by organizations and their vendors, from my experiences at least.

So Carol, before we dive in, can you explain to our audience how you know a little something about this?

Carol Amick: Well, I’ve been working, as you said, in healthcare for a long time. One of the big things we’ve seen in healthcare is a large number of breaches of protected health information from business associates or vendors of companies. So the company itself didn’t necessarily have the breach and release your information out into the wide world web, but your partner did.

So you shared your data with somebody who you’re doing business with, and they have then done a breach. For example, in 2022, about 50% of the largest breaches were related to not the person who originally had the data, but someone they shared the data with for healthcare. So it’s a very big risk to companies and organizations who are providing data to their vendors, business associates, and partners. The liability often resides with the organization that originally got the data, so you need to know who is protecting your data and where it’s going.

Jordan Eisner: Did you say what percentage?

Carol Amick: So in healthcare, I was looking at 2022, and 52% of the largest data breaches would be those over half a million records. 52% of those were not from the healthcare organization that originally collected the data that had your PHI, but from someone they shared the data with. For example, mailing companies, collection agencies, people that read, they share the read the scans from your x-rays, your MRIs, a lot of different vendors who leaked the data onto the internet or out to bad actors after it was shared by the original developer of the data.

Jordan Eisner:  We’ll get into the Q&A. Let’s start with the softball. Why is it important to know what security procedures your vendors have in place? Beyond what you just talked about, right, with breach, right, and knowing if they’re going to, you know, be a secure operation to share data with, what about just the process of understanding policies and procedures? Why is that also important?

Carol Amick: If you’re sharing your data with a third party, you probably have some legal commitments at some point to protect it. So you need to understand what’s happening to it and whether it’s secure before you let it go just to protect yourself from that legal point of view.

Failure to do that is going to open you up not only to regulatory actions from state agencies, federal agencies, but we’re seeing a large increase in class action lawsuits. For example, one thing we’ve been working on at CompliancePoint relating to healthcare is how do we respond to class action lawsuits surrounding the release of protected health information from website trackers? So you have a tracker on your website and it’s releasing data to Facebook or to Google. That actually is potentially a breach of your protected health information. So you now have class action lawsuits. So there’s a huge risk. So you need to have a really good understanding before you share your data that it’s protected. But finding out afterwards that it’s not is probably going to be cost prohibitive.

Jordan Eisner: And for our listeners, if you’re interested further in the HIPAA and the web traffic and the implications of that, we did do another podcast on that. It was Carol and myself and you can listen to that one for a deeper dive into that.

So let’s talk about some of the common strategies for evaluating vendor security. And why don’t you, Carol, then give some color on each, although it’s probably going to be self-explanatory. But more importantly, I’d say the pros and cons, right?

So for starters, there’s agreeing to security requirements up front in contracts with vendors.

Important? Yes, no?

Carol Amick: I mean, you definitely want to have your contracts say that you expect the vendor to do the right thing. You definitely want to. And if you are, for example, if you’re a healthcare organization, you want to make sure your vendor is agreeing with HIPAA. If you are a partner of a healthcare organization and you are sharing your data downstream, they’re still required to agree with HIPAA. Same kind of thing if you’re required to comply with various other state and federal regulations. It’s not only what you do when you sign your agreement, but what people you share it with.

I think that’s the bare minimum. Failure to do that just would… I think any lawyer would be able to bust through any defense right away if you didn’t have a contract at the bare minimum.

Jordan Eisner: And so what would a con be?

Carol Amick: The con is where you think that’s enough. The con is when you say, okay, well, I’ve got a contract. They’re going to do the right thing. I’m off the hook. Because the truth is you’re not off the hook just because you got a contract. You really need to do a little more than just get the contract.

Jordan Eisner: That might be a good segue into the next one then. Beyond contracting, a company or an organization might conduct a review of its vendors’ policies and procedures. So we’ve captured in the contract, going to abide by HIPAA or other cybersecurity metrics, but this is going a little step further, right? Send us your policies, send us your procedures, or some sort of vendor security review process. Is that a good added step?

Carol Amick: I see companies do this a lot. It’s a good first step. It does give you an understanding of what an organization has committed to do internally, what they’re saying they’re going to do. It shows you if they have a framework, for example, did they base their policy procedures on things like NIST or ISO or other generally accepted security frameworks. So it gives you a very good framework coming into that. It gives you an idea of where they are.

You do want to, on the con side, you’ve got to make sure those are somehow implemented and you want to be sure that they’re really the policy procedures they’re using. And I’ll give you an example.

I got a set of policy procedures from a company one time to evaluate for security and I start reading them and it’s got a whole section on the loading dock. Now I happen to know that this company did not have any physical equipment that would ever require a loading dock. And as I kept reading it became very apparent that this was a set of policy procedures they bought off the internet somewhere and never even customized for their company. It was just, look, we’ve got security policy procedures now. So you want to look for red flags like that when you’re looking through them as a co to make sure that this is really what they’re doing, not something they’re giving you so they’ll get the business.

Jordan Eisner: So I guess you have to ask yourself, are we comfortable just contracting and having them test that they’re doing these things and that’s enough? Do we want to take a step further and look at the policies, look at the procedures and if we do so, are we going to do something about it? They don’t match up, right? I mean, that’s what you’re getting into with that.

Carol Amick: You are kind of getting into that. I feel like if you’re just relying on policy and procedures, you’re somehow going to have to figure out how does the company confirm they’re implemented. You’re going to have to get a good feeling about the maturity of the organization in terms of those policy procedures and whether they reflect reality. I mean, are they dependent on key people who maybe aren’t there anymore? Do they say insert company name here? That would be a red flag.

Jordan Eisner: What repercussions are the vendor potentially going to face? Are you going to cut them off as a vendor? Are you going to make them update those things? Maybe I’m putting the cart before the horse.

Carol Amick:  I haven’t seen a lot of repercussions from this. That would be something somebody would have to think about. I think generally what I see the policy and procedure review done is very early on in the procurement process. And so it may be that if they don’t have good policy procedures, some vendors just get tossed out early on the procurement process. I think at that point it is a good first step to get going. I’m not sure that particularly depending on what kind of data you’re sharing, how much data you’re sharing, etc. That for most good cybersecurity evaluations, that’s going to be enough. You’re going to have to go into another step.

Jordan Eisner: That makes sense. And I’m certainly in my experience and on the business development side, right? Familiar with vendor security questionnaires, not so much an assessment rather going to get to, but ultimately to your point, right?

Presale before you’ve contracted with them, show us your policies, show us your procedures, show them, you know, show us what’s applicable and how you. You know, implement these right or how you work around these not work around, but work that doesn’t play, right, how you don’t work around them ultimately.

So alright, well, moving on to the assessments, right? A self-assessment of vendor might perform and provide to the organization is working for or maybe a third party one that’s not necessarily associated with any sort of group or, you know, like high trust, something like that. And then of course, there’s the one that would be a certification through a third party such as HITRUST, right. And so we talked about so starting with the self-assessment.

Let’s go there. What are your thoughts on a self-assessment? What are the pros? What are the cons requiring that of the organization or maybe I guess more so even a vendor offering that to the organizations they’re going to be working with? Here’s our self-assessment.

Carol Amick: So this is one you see a lot where people will send to vendor a questionnaire and say, fill this out and tell us what we’re doing and waste on that. We’ll evaluate whether you can continue to be our partner and work with us. This has some pros. It’s generally from the point of view of the procuring company, it’s quicker. You’re just sending this thing out and getting it back. You go through it. You look for any problems, you move on. Most of the people getting them hate them because they are a lot of work to fill out. There are a couple hundred pages and a couple hundred questions usually and it gets long.

The other side of this is and I to tell this story a lot, but we had a company that was going to try to get a certification and they did a self-assessment just like this on their own. I’m convinced that what they really did was just look at the questionnaire and say, oh yeah, we have to do that. So I think that’s what you sometimes get is the person filling out the questionnaire looks at that and goes, oh, of course we do that. That’s something everybody does and just clicks yes. We’re in good shape without actually verifying that the control is actually being in place, that it’s really being done. Or even in the worst-case scenario, clicks yes on the theory that if we get this business, we’ll make enough money to implement that and we’ll be okay. So you’re trusting the honesty of the person trying to get it.

I would say you want to make sure it’s filled out by somebody in cybersecurity. That’s something personal, Jordan, but I certainly would not want the business development team filling out these kind of questionnaires.

Jordan Eisner: Sure, you have to consider prioritization. And that’s what makes a self-assessment, I think, tough for an organization or a company relying on that from a vendor. It’s not a distrust or honesty. It’s just a lot of times vendors or entrepreneurial organizations growing fast, people wearing a lot of different hats, and these security questionnaires or self-assessments can be a slowdown of business and create friction. Sometimes it’s just about getting them done.

Carol Amick: And I would say if you’re starting with a startup sometimes, and we’ve worked with clients on this, they may not always fully understand the questions. We’ve got clients who will call us up and say, we’ve got this questionnaire, can you help us because we don’t even understand what they’re asking. So if they don’t, if they’re a startup, a small startup, and they’ve got some fancy new system you want to use, they may have honestly answered it as best they can, but they may not have fully understood what you wanted.

Jordan Eisner: Well, then a step up from that would not be the certification, but maybe a third-party attestation. It’s not an official process, but it’s an organization like CompliancePoint, for instance, we provide not a HIPAA certification because there’s no HIPAA certification, right? But we provide an opinion, right? That an organization’s controls or policies and procedures are in line with HIPAA and their obligations. So how about this? I think it’s obvious why it’s a step up from a self-assessment, you get a third party involved, but talk a little bit more about the pros and cons of this route.

Carol Amick: I mean, I think this is a good route, particularly for, depending on the size of the various organizations. You want somebody who is independent. You’ve got a couple of options here. One is, yeah, you can get something like we’ve done already for a client. We do various evaluations of privacy programs, security programs, risk assessments, et cetera. We are always happy to work with you all and your clients on that. You can go do it yourself. If you have an internal audit function, for example, or you have somebody, cybersecurity who does that, you can go do your own audit. That’s an independent review of the evaluation. Either one of those is going to get you a good feeling for what’s going on in security. Now if it is an independent third party like what we do, you’re going to want to look at the scope and make sure it was what you wanted it to be looked at. I mean, obviously when an organization hires us a lot of times, they have us look at just one part of the business or something like that. So you want to be sure the scope is in there. That would be the con. It may not cover everything you want to cover depending on when it was done.

The other thing you do want to look at is timing. When was it done? I mean, these are not official certifications. They don’t require any redo. So you could be a couple of years old. And if it is, you probably want to make sure that everything that was documented there is still in place.

But it definitely brings up your level of assurance considerably. Particularly, for example, as I said, my background is in healthcare. Making sure they’re at least compliant with HIPAA, I feel like at least that you’re covering that law. When you had them sign that agreement that you’ve signed, it says they’re going to comply with the HIPAA regulation. Having that independent audit kind of proves to you that they did do that.

I would actually ask for an audit or a letter, a rep letter or something, because as you said, anyone particularly for HIPAA, can put HIPAA compliant on their website with a little logo. That really doesn’t mean much because the government has never officially approved a HIPAA compliance certification.

Jordan Eisner: And I know in my experience, we’ve done this in data privacy. We’ve done this with HIPAA. We’ve done this with other cybersecurity frameworks that aren’t necessarily certifiable, but something where you have a third-party opinion accession. A lot of times it comes after the vendor is already working for the company. So this is not so much a pre-sale thing, but they’ve said, oh yeah, we’re going to get that or we’re going to make sure we’re HIPAA compliant. We’ll get a phone call and say, okay, well, we just landed this big contract with this big business. Now we need to be HIPAA compliant in two weeks. Or something of that nature, right? Or we have to demonstrate our data privacy controls and that’s where we come in and help. So I would say another con would probably be that it’s going to cost more money than doing an assessment yourself internally through a vendor security questionnaire or just review of policies and time and likely going to require you to make some changes too.

Carol Amick: Yeah, and I think if you’re the procuring organization, you may get some pushback because it is going to cost money, but you want to be sure that your vendors, if they really tell you they can’t afford that, then there’s a question of where are they on the scale of can they afford what needs to be done too. These are not incredibly expensive reviews as a general rule.

Jordan Eisner: Clarify that too, right? It’s not going to necessarily cost the organization money. It’s going to cost the vendor money. But to your point, that could weed out some vendors.

Carol Amick: And we have had some companies who wanted to work with a company that’s smaller and starting up and have paid to have us review the operations of that partner, potential partner. So that could cost, in that case, it could cost you money too.

Jordan Eisner: Yeah, we’ve been fortunate enough as a business to be on both sides helping vendors with that decision that they are following security or privacy procedures and showing that to other organizations, but also working on behalf of organizations to vet their vendors.

So the last one, and we’ve hinted at this one a good bit, is third-party certifications. This is where, just to reiterate, I’m talking about HITRUST. I’m talking about ISO 27001. SOC 2, not a certification, but a third-party report, right? Or sort of attestation as to practices around data handling. So I know HITRUST, you know very well. So the other ones I’m sure you’re familiar with. I’m talking about the pros and cons of these.

Carol Amick: So these are based on, all of these, even SOC 2, are based on some guidance and regulations put out by a governing body. So you’ve got some very robust standards around what needs to go on in there. So that gives you that assurance that you’re looking at the controls and the risks that are out there right now. For example, one of the ones we do is work on this PCI. It was recently updated. And one of the reasons it was updated is because there have been significant changes to the threat environment out there. The same thing for HITRUST. HITRUST is updated at least annually to reflect changes to the threat environment. So that’s the real benefit of these.

They’re also, you know, they’re required to be periodically renewed and periodically reviewed by a CPA firm, somebody like us, a certified assessor. And the assessor firms and the CPA firms are all reviewed by a governing body. So the incentive is on us to make sure we’re doing the right thing because otherwise, we would be in trouble. So you have a lot of robust reliability built into those kinds of systems. It generally covers a bigger area and a bigger batch of controls than what we talked about a little while ago, sometimes these cybersecurity audits are fairly focused.

And I’ll go back to health care. We talked about the HIPAA audits we do. They’re focused really on the HIPAA regulations. Well, when you, for healthcare, the next step up in the security hierarchy, so to speak, is HITRUST. It not only looks at HIPAA, it pulls in a lot of the NIST controls. It pulls in a lot of the ISO controls. And considering that HIPAA is about 20 years over, 20 years old at this point, you know, those controls that are pulled into high trust are important that you may not be looking at when you look at HIPAA.

Phishing is a prime example. HIPAA was written well before email was the business methodology it is now. And so it doesn’t require that we look at phishing. Now we generally do ask our organizations, but if you would just go strictly by the regulation, it’s not really called out in there. Whereas if you go to HITRUST, it’s definitely called out as what are you doing about phishing? Are you training? You have some tools set up on your system to kind of block blatant spam that is definitely just trying to break into your system. So there’s a lot more robustness.

The other thing is from the point of view of you as an organization, you can look at that report and get some reliance much easier than spending a long time reading through questionnaires trying to decide if they really answer those questions right, understand what they might be saying. You’ve got a little more reliability. Once again, it can go a lot faster. Some of the organizations like HITRUST actually even do a report distribution system to send it to you directly, cutting out some of the back and forth. So I mean, there’s some real pros to it.

Jordan Eisner: I know you’re about to get the cons, but you too, right? Because you might have company X do a third-party evaluation of this vendor and company B do a third-party evaluation of this vendor and company C where HITRUST, right? It’s the same protocol, right?

Carol Amick: It should be. There’s this consistency across the framework and no matter who your HITRUST assessor is, who your PCI assessor is, who you’re, we’re all working off the same hymnal, so to speak. We’re all singing the same song, you know, we’re all working out the same book. So it’s very, it’s very consistent across frameworks and across organizations.

So that’s a real positive, I think if you are, and we are seeing, I don’t know, in healthcare, we are seeing more and more push to rely upon having these third-party assessments done because the covered entities just do not want to spend the time reading through your policies and procedures, interviewing you, asking questions. They want you to present it to them, not nicely tied up with a bow on it and they can decide if you’re secure or not.

Jordan Eisner: It’s time and money, right? And to scale a vendor operation or vendor management operation, which is becoming more and more vital, right? Because organizations, you got to scale it somehow. So you’re going to get into cons. I imagine one of them is big costs for the vendors, right? Long path to getting some of these certifications.

Carol Amick:  Yeah, the, the probably the biggest con is probably the cost. I mean, we do all these, you know, I think one of the most extensive we do is FedRAMP and everything I’ve seen on FedRAMP is, is outrageously expensive. So you know, these are very expensive certifications.

They do require a commitment and they require commitment, not just from the cybersecurity guys I’m dealing with, but from everybody in the organization, because they’re going to use some resources, they’re going to use time and they’re also not just going to be looking at cybersecurity.

For example, you know, both PCI and HITRUST, for example, look at your onboarding practices in great detail to make sure that you are bringing in people who are not going to compromise your system, or at least you hope you’re bringing in people who aren’t going to compromise your system.

So, you know, there’s, they’re going to involve other areas of the organization in addition to just the cybersecurity area getting these frameworks done. So the cost is then now it is, you know, what, what a lot way they advertise themselves is you do it once and then you provide it to all of your vendors. So are you going to save some money, maybe not filling out 25 questionnaires? That would be the goal is you’re, you know, not doing that, but there is a cost and then you may have to implement some controls.

For example, a lot of clients we have do this, wind up having to upgrade their logging system simply because these assessments require more detailed logging of read, write, the activities going on in their system than maybe they have now. They want some more automated reporting to meet these requirements than maybe they have now. So they may have to do some upgrades there. So there’s those costs too that you may get when you get into these certifications.

Jordan Eisner: Pros from the vendor side, marketability, I would say easier vendor review process, or at least that’s the idea. I know you see a lot of things out there, LinkedIn, especially, where somebody’s ISO certified, they have a SOC 2 report, they’re HITRUST certified, and then they still get a thousand-question vendor security questionnaire right from the organization hiring them.

Carol Amick: I think what we, you know, we, I think what you want to work with your, your partners on if you get those questionnaires, just try to get them to rely on these certifications if you’ve done them. I’m seeing that work more better and better, particularly in healthcare, it’s, it’s time where it gets out. You spent that money to prove that you were secure. Send them the report, see if they’ll take that. And, you know, we work with our clients, we will talk to their customers and their vendors and say, you know, this is what they’ve proven by giving you this. So, you know, we’re more than willing to do that too. And I’m sure anybody else’s decision firm would be just as happy to do that.

Jordan Eisner: So sort of in closing, right, last question, we’ve talked about these methods for vendor management. What are steps that you would recommend, right, to execute depending on the strategy, right, that the company, or maybe not even depending, right, the strategy they’ve chosen, right, what steps would you recommend?

Carol Amick: If you’re, the first step I would say is you need to know where your data is going. And one of the things we find interesting a lot of times when we start working with companies and we start, who are you sharing your data with? There may not be a good inventory of that. So the first thing you want to do is identify what they’re getting, what systems they have access to, you know, what, what is going on? Who’s got what? Who’s in your system doing stuff? Who are you sending data out to? Who are you taking data back in from?

Make sure you have a good data flow and you know everybody that’s involved. And I know that sounds basic, but unfortunately what we find a lot of times will be halfway through an audit and somebody will show up with, you know, company X that they’ve been working with for five years that nobody knew about. They were just shipping that off somehow. So make sure you know what’s going on there and what they’re getting.

And you want to know what they’re getting because that takes you to step two. You’ve got to kind of evaluate, okay, we talked about various methods. Depending on what you’re getting and what you’re sharing, you may have different security requirements.

You know, so if, if the organization is the mailing vendor, I talked about earlier and they’re just getting maiming addresses and they’re doing generic marketing mailing for you do you need the same level of security you might need with a population health management company in healthcare that’s getting my name, my address, my insurance information on my medical conditions? Maybe not.

Maybe you need more security in one case than the other. So you want to evaluate that so that you can prioritize what you’re going to do on the vendors. So the vendors who are high risk and have a lot of data, those are the ones you probably want to start working on and seeing what you, if you haven’t done a good assessment, see what they’ve got, see what you need to do. The vendors that are low risk you can put off a little while. So you want to try to prioritize this.

The other thing is you’ve got to repeat this. I can’t tell you how many times I’ve seen people who had great security and a key person turned over and left. And when that key person left, things started going south. And we’ve seen this when we come back in to do assessments. Did it year one, it was great, looked perfect, come back year two and we’re like, what happened? Well John quit and John had the keys to the kingdom and nobody really knew what John was doing. Well now we’ve got some problems. So you can’t just do it once and put it in a drawer and say, okay, we’re done, they’re in great shape.

You’ve got to repeat it periodically, maybe annually for your high-risk, annually for your low-risk, but you’ve got to stay on top of that.

Jordan Eisner: Well, Carol, thanks again for joining today and talking about these issues and thank you everyone for listening. As mentioned, make sure you subscribe and don’t miss future episodes. If you’re interested in learning more about CompliancePoint, check us out online, CompliancePoint.com. Subscribe with us at connect@CompliancePoint.com or reach out to Carol and me directly on LinkedIn.