
6 Steps for Vendor Management – Ep 317 

 August 13, 2021

By  Donna Grindle

Managing your vendors, or your supply chain, has become increasingly important. As we’ve seen in the news just in the last several months, data and system breaches can come as a result of the vendors you work with. So, we felt it was time to revisit this topic by reviewing the recent update to the HIC SCRiM guide, which lays out 6 steps for vendor management.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

HIPAA Say What!?!

[04:37] Our old nemesis “HIPPA” is on full display lately with all the “internet experts” advising people to get a lawyer because they were asked about their vaccination status.

Can we just make it stop!

A New Jersey candidate doubles and triples down on the “HIPPA” vs HIPAA comment. This is how we end up with all these problems: someone gets it wrong and digs in their heels rather than admit they were wrong. https://twitter.com/badhippa/status/1422638382665011201?s=12

She has continued to push this narrative to take down the “trolls” trying to get her to stop making such a public statement about something she clearly knows nothing about. Unfortunately, this has gotten her supporters fired up and on her side. See how these things get out of hand? Now there is no amount of citations of law or guides or simple conversations that will convince any of these people there is no such thing as “HIPPA” as an alternative to HIPAA. She has even used headlines from the enforcement actions to substantiate her position that you can sue people under “HIPPA”.

https://twitter.com/BadHippa/status/1422617988084101128/photo/2

You “just can’t hide it”

Being in college during the early 80s, I can’t help but see the Pointer Sisters on stage at Chastain Park with big hair and an 80s beat you can dance to. But that “I just can’t hide it” line from “I’m So Excited” is what seems to be happening a lot these days. The story documenting just one attack points out the missing breach reports from several health care entities:

US medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.

Do not mess around with reporting your patient data breaches. The world today no longer hides things for you. It will come out, and you will definitely look even worse when it hits the news or when you receive a call from OCR or the FBI. This article makes it clear that the reporters have a list of several entities that have not reported a breach even though their patients’ data is clearly posted on a name-and-shame site run by the threat actors known as “Pysa” (for “Protect Your System Amigo”). Pysa exfiltrates the data first and then runs its ransomware, so the leak site is the evidence that a breach occurred whether or not the entity reported it.

One of these organizations said they don’t recall any ransom notes, just IT problems back in March. If you had some “IT issues,” you should be asking the person who “fixed” them what really happened. It wouldn’t be the first time we got wind of an MSP hiding a ransomware attack from clients who didn’t know better. These cases are all bad situations that continue to get worse.

6 Steps for Vendor Management

[17:52] We discussed HIC SCRiM after it was first released near the end of 2019. That was just so very long ago! Well, it was certainly a different world than the one we live in now. Shortly after its release we went into this new world head first, and by the time we started to work our way back to the new normal we were dealing with SolarWinds, Colonial Pipeline, Kaseya and more supply chain cybersecurity issues.

In the midst of all of this, an update was published in Sept that gave us V2.

HEALTH INDUSTRY CYBERSECURITY SUPPLY CHAIN RISK MANAGEMENT GUIDE V2.0

A very handy part of the document is the section that takes you through how to meet the outcomes of the NIST CSF Supply Chain Risk Management category (ID.SC). The very first one provides the general overview of what a program includes and what steps to take to build and manage one.

What is supply chain cybersecurity risk management?

[21:50] You start by defining that clearly for your business, because every business runs a little differently from the others. If yours isn’t unique, use the same guidebook you have run all your other decisions through.

Meeting NIST CSF Requirement ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.

[24:20] Step 1 – The “broader context” of overall business risk is what you should keep in mind when evaluating supply chain cyber risk. Consider the potential impact in these areas:

  • Operational Risk – impacting day to day operations
  • Safety Risk – impacting patients, employees, contractors, etc.
  • Competitive Risk – impacting ability to achieve goals (may include; intellectual property, trade secrets, go to market, etc.)
  • Quality Risk – impacting products, services and business practices (may include; product quality/sabotage/illicit re-use or re-sale, product service integrity, etc.)
  • Reputational Risk – impacting damage to or loss of customer, business partner, or public confidence or perceived image
  • Compliance Risk – impacting losses and legal penalties for failure to comply with laws and regulations
  • Secondary Risk – transfer of risk to business partners (may include avoiding, reducing, or transferring risk)
  • Geo-political Risk – impacts of political events or instability, trade barriers, taxes, or economies

Which ones of these do you consider a concern for managing your business risk?

[29:33] Step 2 – Now that you know that part, who is responsible for those things in your business? You have to assign ownership for managing that risk to someone, even if that someone is you. This section also contains one of the most important points we keep making these days:

 Ultimately, supply chain cybersecurity is a business risk, and not a technology risk. 

[31:53] Step 3 – Make a list of every supplier, vendor, service provider, consultant, external partner, third party, business partner, etc. that you use in your business. Just like everything else, if you don’t have your hands around where your risk lives, you will certainly not be able to keep an eye on it.

[33:00] Step 4 – Define or update your policies so they address what you just learned in the steps above.

The guide has a great list of things to consider as metrics that let you understand your risk and how it is being managed. Select some of these so you can build your policies around them. A few examples are:

  • Distribution of suppliers by risk level (more below)
  • Distribution of suppliers by most relevant business risk impact
  • Number of suppliers not covered by current security assessment (adherence to or coverage of supplier risk program vs. targets)
  • Number of suppliers with known open risks and severity of those risks (effective when rendered as a supplier risk heat-map)
  • Contract consistency (inclusion of security requirements)
  • Volume of supplier assessments planned, in-process and up-coming

There are others but these are some pretty common examples we suggest you cover in your policies.

Setting the risk levels or tiers for suppliers, as mentioned above, is very important. As with everything we do, some cases are more concerning than others. It doesn’t mean you shouldn’t worry about all your suppliers, but it does mean that some of them are a much bigger concern than others. If you assign a risk level to each supplier, you can define the activities that must take place for suppliers at that level versus the others.

You can define those levels based on your understanding of the risk areas you want to worry about and your business risk appetite. How far do you want to push the risk management line before you get involved in asking the questions your suppliers need to answer?

Don’t worry, there is a template to help guide you through making those determinations. It is pretty interesting how they created the formula for it, but you get a score that makes it easier to get through that process. Just remember that how you answer the questions that calculate the score is directly linked to how you see the business risk each supplier brings to the table.

[34:47] Step 5 – Now that you know all of that, how are you going to use it to manage them? Set up a plan for ongoing management that considers everything you have documented to this point.

The guide includes a very nice risk assessment template in a spreadsheet. I just built a version of it in our ComplyAssistant tool to allow our clients to send these cybersecurity assessments plus one directly related to HIPAA compliance questions.

  • How often will you assess different types of suppliers and different risk levels?
  • How will you determine the risk levels the supplier’s answers create for your business?
  • How will you address deficiencies and mitigation requirements and time frames?

Good news is the guide also has some suggested policies and procedures for handling these questions as well.

[35:35] Step 6 – Putting it all together for action.

People, processes and technology. We have heard that a few times somewhere. The HIC SCRiM actually breaks it into 4 parts:

  • People – who will do what and when
  • Processes – how will they do it and document it
  • Tools – what will they use to accomplish the tasks
  • Control – how will we monitor and manage the program to know if we are covered and it is working properly

Now you know the big picture, it is time to get started.
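As an added example that is not part of the show notes or the HIC SCRiM guide, here is what Steps 3 through 5 look like in code: a constructed supplier inventory, a tiering rule, and the Step 4 metrics (distribution by risk level, suppliers not covered by a current assessment, contract consistency, and an open-findings heat map by tier) computed from it. The point-based tiering rule, the reassessment cadence per tier, and every supplier name and date are assumptions made for this example; the guide’s own scoring template is not reproduced here.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Supplier:
    """One row of the Step 3 inventory (fields chosen for this example)."""
    name: str
    service: str
    handles_phi: bool                  # touches protected health information
    has_network_access: bool           # remote access, VPN, or connected systems
    critical_to_operations: bool       # an outage stops day-to-day work
    contract_has_security_terms: bool  # contract includes security requirements
    last_assessed: Optional[date]      # None means never assessed
    open_findings: dict = field(default_factory=dict)  # severity -> open count


def risk_tier(s: Supplier) -> str:
    """Assumed tiering rule (an assumption for this example, not the guide's
    scoring template): each risk factor adds points; the total maps to a tier."""
    score = 0
    if s.handles_phi:
        score += 3
    if s.has_network_access:
        score += 2
    if s.critical_to_operations:
        score += 2
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


# Assumed reassessment cadence per tier, in days (Step 5: how often to assess).
REASSESS_AFTER_DAYS = {"high": 365, "medium": 730, "low": 1095}


def needs_assessment(s: Supplier, today: date) -> bool:
    """True if the supplier was never assessed or its tier's cadence has lapsed."""
    if s.last_assessed is None:
        return True
    return (today - s.last_assessed).days > REASSESS_AFTER_DAYS[risk_tier(s)]


def program_metrics(suppliers: list, today: date) -> dict:
    """Step 4 metrics: tier distribution, assessment coverage gap,
    contract consistency, and an open-findings heat map by tier."""
    by_tier = Counter(risk_tier(s) for s in suppliers)
    heat_map = {}
    for s in suppliers:
        for severity, count in s.open_findings.items():
            if count:
                heat_map.setdefault(risk_tier(s), Counter())[severity] += count
    return {
        "suppliers_by_tier": dict(by_tier),
        "needs_assessment": [s.name for s in suppliers if needs_assessment(s, today)],
        "contracts_missing_security_terms": [
            s.name for s in suppliers if not s.contract_has_security_terms
        ],
        "open_findings_by_tier": {tier: dict(c) for tier, c in heat_map.items()},
    }


# Constructed sample inventory; names, flags and dates are invented for the example.
TODAY = date(2021, 8, 13)


def sample_inventory() -> list:
    return [
        Supplier("EHR vendor", "hosted EHR", True, True, True,
                 True, date(2020, 6, 1), {"high": 1, "medium": 2}),
        Supplier("Managed IT (MSP)", "IT support and administration", True, True, True,
                 False, date(2021, 3, 1), {"medium": 1}),
        Supplier("Billing clearinghouse", "claims processing", True, False, True,
                 True, None, {}),
        Supplier("Document shredding", "paper records destruction", True, False, False,
                 True, date(2019, 1, 15), {"low": 1}),
        Supplier("Website hosting", "public website", False, True, False,
                 True, date(2021, 1, 10), {}),
        Supplier("Landscaping", "grounds maintenance", False, False, False,
                 False, None, {}),
    ]


if __name__ == "__main__":
    for s in sample_inventory():
        print(f"{s.name:<24} tier={risk_tier(s):<7} "
              f"reassess={'yes' if needs_assessment(s, TODAY) else 'no'}")
    for key, value in program_metrics(sample_inventory(), TODAY).items():
        print(f"{key}: {value}")
```

Run as written, the inventory yields three high-tier suppliers, two medium and one low; four suppliers are due for assessment (two because they have never been assessed, which is the most common gap we see), two contracts lack security terms, and all of the high-severity open findings sit with high-tier suppliers. Swap in your own inventory and tiering questions; the metrics functions do not change.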

[36:43] Those are the big picture parts of the requirements. The additional sections do a deeper dive on how you actually go about doing these steps. Here are the detail sections for the rest of the NIST CSF SC outcomes:

Meeting NIST CSF Requirement ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

Meeting NIST CSF Requirement ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

The suggested contract requirements are pretty interesting. They even include asking the supplier to confirm it follows the HICP 10 Practices that address the 5 threats.

Meeting NIST CSF Requirement ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

This guide includes a complete process with excellent steps and examples along with real templates to get you started. This publication was created to assist organizations, especially small and medium ones, in building a supply chain risk management program. There is no better way to create something you desperately need like this than with a very specific step by step guide.

Go get your HIC SCRiM’d!

Again, version 2 of the HIC SCRiM guide provides excellent information on managing your vendors. It includes templates, example policies and procedures, and even notes on contracts with your vendors. The guide follows the HICP practices and the NIST Cybersecurity Framework, which are considered recognized security practices! So, go get this guide. I’m willing to bet you will learn a lot just by following it.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™
