Getting a Tighter Grip on Vendor Security Risk in Healthcare
Glen Braden, CIO of Attest Health Care Advisors, on Vetting Third Parties

Despite the high frequency of major health data breaches involving vendors, many healthcare sector entities remain lax in their approach to managing and reducing third-party security risk, said Glen Braden, CIO and principal of compliance auditing firm Attest Health Care Advisors.
"Everyone needs to be looking at their vendors and their risk, and I don't think everyone is looking at it at this point," said Braden, who was an adviser in the development of a new guide recently released by the Health Third Party Trust - or HTP3, a council of healthcare sector CISOs and other security risk leaders focused on ways to reduce vendor risk.
Assessments by independent testing and certification bodies, such as those involving the HITRUST Common Security Framework, can potentially assist in better managing third-party risk, which is among the recommended practices included in the guide, he said.
"Certification is a good step to go," he said. That's because the validation process of third parties seeking HITRUST certification, for example, involves regular security screenings. "If something's not appropriate, there's the corrective action plan," he said. "If there is a risk or something that needs to be corrected, that's followed up," he said.
In the interview, Braden also discusses:
- Key findings by a recent Health3PT survey examining third-party security risk;
- How to avoid common vendor risk management mistakes;
- Other recommended best practices included in the new guide.
Braden is a principal, the CFO and the CIO of Attest Health Care Advisors. He led Attest’s adoption of the HITRUST Common Security Framework and its HITRUST Certification in 2016 and has over 30 years of experience working in managed care.