Beyond the Tip of the Iceberg:
Ensuring Stakeholder Assessments in Risk Mitigation Programs, by Jenn Behrens
We work with a wide array of healthcare clients, including clinical research organizations, pharmaceutical technology companies, mobile health record companies, health information exchange networks, medical research organizations, health information platforms and more, and one thing is clear: healthcare organizations sit inside very complicated networks of customers and vendors. Regardless of organizational growth, scale or business maturity, one imperative for a strong security program is to make risk-informed decisions that safeguard your networks and data from the vulnerabilities and threats these stakeholders introduce. That can only be accomplished through a comprehensive risk assessment program that covers every type of third party in your ecosystem.
Understanding the risk that other companies introduce into your network should not be a meaningless check-the-box exercise. Risk assessment projects are not high-profile, glamorous or fun, and if you are looking for a trigger point for a battle with your sales team, a risk assessment of a potential client is a sure bet. But the reality is that risk assessments matter more than ever, because the risk they surface is tremendous and must be mitigated, and that takes consideration and commitment in order to protect your enterprise.
As part of Kuma’s commitment to this issue, I recently welcomed the opportunity to cover this subject and more by leading a healthcare-centric cybersecurity and privacy expert web event: The 4th Annual Cybersecurity Panel Discussion webinar, hosted by Answers Media Network.
An overarching goal of any security program is to minimize the impact of current risk and reduce the likelihood of accepting new risk into the organization. Interacting with or integrating with other companies and their products is one of the main ways new risk enters, and its effect on overall organizational security cannot be overstated. The risk that accompanies other organizations entering your networks is often one of the least visible aspects of a company's security posture; time and again I see organizations wearing virtual blinders to the importance of a risk management program.
As you design your assessment strategy, consider relevant federal and state legislation in addition to industry best practices and standards that may need to be factored into a comprehensive evaluation of risk. Top considerations typically include:
- Regulatory scope
- Industry standards
- Assessment audience
- Your proprietary, evolving or established best practices
Additionally, please consider that there are two populations of organizations to assess: customers and vendors. Each may carry various labels. For example, your organization may refer to its customers as clients, participants or consumers. Vendors may be referred to as contractors, subcontractors or service providers. Depending on the type of organization and the type of data you exchange, both of these parties may have access to various levels of your network and data. That access carries risk, which you need to understand before deciding how to proceed. And while risk assessments are awkward and time-consuming in the middle of the push to close a customer or onboard a third party, they should be, because it only takes one vulnerability in one connected party to introduce significant risk to your enterprise.
The ability to make risk-informed decisions only comes from consistent and comprehensive evaluation of threats and vulnerabilities throughout your networks and systems, inclusive of all third parties. The complexity of healthcare organizations' systems is compounded by the sensitivity of the data flowing through these ecosystems of third parties, and by the standards, compliance mandates and audits that follow from it. We encourage every healthcare system, and every third party interacting with those systems, to embrace the risk assessment reality and to use the practice as a way to do business more securely.
While many companies choose to run their risk and vulnerability practices as internal processes, an independent and objective partner can help you avoid blind spots and bring current best-practice thinking to the table. If you believe your organization could benefit from help with any combination of risk program requirements, program management or assessments, please consider Kuma as your go-to source for expertise.
Save the Date: September 11
LIVE: Facial Recognition Technology Panel Discussion:
Kuma will be hosting a panel discussion with some of the industry's most accomplished subject matter experts:
- Jenn Behrens, EVP of Privacy, Kuma (Moderator)
- Joe Jerome, Legal Subject Matter Expert on Policy and the use of Biometric Data
- Mike Shapiro, CPO, Santa Clara County, CA
- Kevin O’Leary, Sr. Product Manager, Secure ID Issuance & Biometrics Solutions, Idemia
Follow us on social media for more details, or email us at firstname.lastname@example.org to receive an email invitation to the event.