20592050 risk management processIn Oct 2019 another document was released by the Health Sector Coordinating Council Joint Cybersecurity Working Group.  Health Industry Cybersecurity Supply Chain Risk Management Guide or HIC SCRiM, for short, is aimed at helping small and medium sized healthcare organizations manage their supply chain vendors. If you haven’t had a chance to check it out, we are reviewing it for you today.  If you do review it, you will see why we think that HIC SCRiM should wake up vendors.


A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

HIC SCRiM Should Wake Up Vendors – Ep 247

The HIPAA Boot Camp

2020 Session Dates

August 18, 19, 20

Tucker, GA

2020 Fall Session Dates

Sept 15, 16, 17

San Pedro, CA

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

 If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Let’s take a moment to talk about COVID-19.  Ironically, our episode on it was published the week that everything changed.  When we recorded it two weeks ago we knew it was coming but the timing was in no way planned.  The suspension of all of the professional sports seasons, HIMSS and other conferences canceled, schools closing, and so much more happened just in the last few days as we record this episode.  As always, I stay focused on statistics and science, not politics and spin when it comes to these things.

When I saw the video post of a man who has a bad case of the virus in Rome, GA, I had a privacy and security meltdown.  Listen to this podcast episode to hear what happened.

HIC SCRiM Should Wake Up Vendors

We have many times discussed the importance of vetting vendors.  This document is specifically designed to help healthcare organizations evaluate the risk they face in their supply chain.  I think it is important to note that they specifically point out that this guide “is primarily written for leadership in small to medium sized organizations”.  Let’s just get that part out of the way from the beginning.

[the guide] is intended to provide actionable guidance and practical tools to enable those organizations to manage the cybersecurity risks they face through their dependencies within the health system supply chain. The hope of the co-chairs is that by enabling these organizations to demand secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all.HIC SCRiM, Foreword from the Co-Chairs

What is in HIC SCRiM?

HIC SCRiM, just like HICP, uses the NIST CSF as its point of reference.  Of course, this one has to use version CSF 1.1 since that is when supply chain management was added.  They took the outcomes expected when meeting the NIST CSF requirements in the supply chain risk management category.  Of course, it is also aligned with HICP since they both came out of the Health Sector Coordinating Council Joint Cybersecurity Working Group.

The three requirements the guide addresses are:

  1. What policies, procedures, roles and responsibilities should be defined and how will your organization treat vendor management overall, not just BAs.
  2. How do you get started building all those things and keep it moving once you start.
  3. Specific guidance and tools for the contract management process.
Ultimately, supply chain cybersecurity is a business risk, and not a technology risk.
One of the nice things about HIC SCRiM is that it includes templates for assessments, workflow diagrams, and specific requirements and language to use in your policies, procedures, and contracts to address all of this.  Let’s go through a few of them.

What do you need to do?

Here is the list of what and how steps suggested with instructions.

  • Definition of Supplier Risk Areas
  • Definition of Roles and Responsibilities
  • Definition of Supplier Scope
  • Establishment of Policies and Procedures
  • Definition of a Supplier Risk Assessment Approach
  • Supplier Risk Management as Part of Business Operations
  • Define Organization’s Supplier Risk Management Policy, and Establish Roles and Responsibilities
  • Identify Suppliers
  • Prioritize Suppliers
  • Assess Supplier Risk
  • Respond to Supplier Risk Assessment

The contract section includes 5 specific types of guidance.

  1. Limitations of contracts to mitigate, transfer or avoid risk
  2. Sample contract language (regardless of which of the contracting party’s paper is being used)
  3. Contractual redlining process against template language
  4. How the buyer might obtain assurance that the terms of the contract are being fulfilled
  5. Other contractual forms of risk transference and avoidance (e.g., cyber insurance).

The details included a reference to HICP to assist in the assessment of your vendors.  One section makes some great points about how to understand security in different types of organizations.

Unfortunately, suppliers may have little incentive to provide transparency, especially to smaller customers with less leverage/purchasing power. Moreover, even if such transparency were provided, small organizations have limited capacity and capability to digest and understand the information. Therefore, for small organizations it is important to focus on the most important supplier relationships based on potential impact. In addition, consider the following:

  • Security is expensive. A supplier may be cutting costs of their security program to reduce overall IT expenses.
  • Security is hard. All other things being equal, larger suppliers (with more demanding larger customers) are more likely to have the scale which enables them to secure their products and services, whereas smaller companies may find this more challenging.
  • Security is a moving target. Whereas functionality may still meet the need five or ten years from now, the security may no longer be adequate as security threats are constantly evolving. Consider the useful life of the product and beware high-risk engagements with little in the way of long-term relationship or support.
  • Regulatory compliance is not equal to security. Healthcare is a highly regulated sector of the economy, and while the FDA is increasingly taking an interest in cybersecurity, especially in the medical device space, compliance with regulation does not necessarily mean good security. A security program that is designed to only comply with regulations may be putting an organization at significant risk.
  • Indicators of good practice. While your organization may not be able to audit a supplier or test the security of their products or services, there are still indicators of good practice:
  • The supplier proactively tests their controls or has them independently audited
  • The supplier demonstrates openness and transparency about their security controls
  • The supplier has industry certifications such as ISO 27000, SOC 2, or other proprietary for-profit 3rd party certifications. Their products may comply with standards such as NIST CSF or FIPS 140-2. While these indicators have limitations, they may point to a company culture that embraces the need for good security practices.
  • The supplier holds cyber insurance. While cybersecurity insurance is still an evolving field, underwriters often ask businesses for minimum levels of cybersecurity maturity before they are willing to assume a company’s risk by selling them a cybersecurity insurance policy. This is therefore another potential indicator that the company is doing the right things.

Templates included have spreadsheets for taking an inventory of your vendors, a policy template, contract language template, and even a spreadsheet for vetting the vendors.  A nice feature is the information includes things that apply to all vendors and then sections that apply to specific types of vendors.

Vendors should use HIC SCRiM now

If you are a vendor and not looking into this information now, you will be shocked when some of this stuff lands on your desk at some point.  Many vendors have claimed our assessment was over reaching even with its very simple question and answer format.  This process covers everything we include in our recommended policies and procedures just different language and way more details.  Listen to the podcast to hear what some of the questions are on our assessment questionnaire.

We had an episode almost 2 years ago explaining why vendors should get ready for this kind of vetting:  Ready for extreme vendor vetting? – Ep 150.  Back then we were doing it and saw others starting to do it as well.  Wake up if you haven’t yet, now is the time to get ahead of this thing.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.