Case Study: How IU Health Manages Vendor Security RiskCISO Mitch Parker Describes Critical Steps in Reducing Third-Party Risk
What are some of the most important aspects in managing vendor security risk when taking on third-parties to handle sensitive data? Mitch Parker, CISO of Indiana University Health System, explains critical steps his organization is taking.
For instance, among "the big items" IU Health looks for from its vendors is a high level of commitment in "staying current" with and acting quickly in addressing vulnerabilities, he says.
That means "you're going to keep your application current on a given set of operating systems, libraries and other supporting software," he says in an interview with Information Security Media Group.
"It also means a commitment to excellent levels of service for vulnerability management," he says. "Within X number of days of a vulnerability coming out, you commit to patching it."
'Commitment to Standards'
Another key consideration is the third-party working with IU to federate identities "so that we don't have to have people with more than one password" and two-factor authentication for access to applications, he says.
"We look for a commitment to meet our standards," he says.
"Any vendor that has any personal information of our patients is one that worries me the most," he says. "Organizations like ours are driven by the patients that we serve. So any kind of breach in data [security or privacy ] for them is a break in that trust."
What IU looks for "isn't a checklist to say 'I'm compliant with framework X, Y or Z - or a [certain] product," he says. "We're looking for a commitment for continual risk management - and the work and partnership with our organization to address any discovered risk."
In the interview (see audio link below photo), Parker also discusses:
- "Evidence" he seeks from vendors in order to measure and monitor whether the third-parties are adhering to the security practices and controls they've agreed to put into place;
- Situations where vendors "push back" the most in terms of implementing practices that can help reduce security risk;
- The differences and similarities in managing security risk of business associates handling protected health information under HIPAA versus other vendors, such as those third-parties handling credit card data.
Parker is CISO at Indiana University Health System, Indianapolis. He formerly served as CISO at the four-hospital Temple University Health System as well as CISO for Temple's clinical faculty practice plan, Temple University Physicians. Previously, he was an information security consultant to the Defense Logistics Agency and others.