More Health Data Breaches Tied to Vendor Incidents
Hacker Attacks Against Accellion, Other Vendors Expose Patient Data
… Keith Fricke, a principal consultant at tw-Security, suggests that healthcare organizations diligently assess the risks posed by vendors providing remotely hosted services or products.
“Organizations should have policies and contractual language addressing vendors accessing, storing, processing or transmitting sensitive information to or from overseas locations,” he notes. “Asking the vendor if they subcontract any services or labor is important.”
Fricke says healthcare organizations should demand to see all vendors’ security and privacy policies.
Entities should watch for certain “red flags” indicating that the vendor likely has an immature security program, he says. Those include policies that were put together in response to a request to review them; policies with no metadata, such as policy author, policy approver, last review date, or revision number; and policies missing significant content.
“Criminals continue seeking out vectors of attack that provide them with unauthorized access to networks and data,” Fricke says. That’s why it’s more important than ever to scrutinize vendors’ security risks.