I'm Mary and Colby's executive editor at information security media group on that hymns here talking with Anahi Zatiego Who is this out at Christiana care? Hi? How are you? Good?
Thank you, Anahi now you were speaking at the conference about third-party risk What are some of the top challenges that you're dealing with these days concerning third parties? There are so many but I'll list the top I think one I think one of the most emergent challenges has to do with our now reliance on third parties to conduct business and the Availability of those third parties to keep us resilient often these third parties have incidents and become unavailable and Organizations have to scramble to figure out how to still continue to do business without the partner So now with that said, you know We see a lot of cyber security incidents including ransomware attacks on vendors and business associates in the health care sector that result in breaches and sometimes even Disruptions at the covered entity clients. What would you like to see vendors and business associates do better to reduce these risks to covered entities? Is there a common threat of weakness that you see often among third parties?
So I want to be out here to the third parties Incidents are going to happen and no amount of investment in information security can guarantee a hundred percent that they're not going to succumb to an incident So in terms of what we'd like to see them do better be more transparent be quicker to communicate when a breach has occurred Sometimes we find out about it through our third party monitoring systems or health ISAC and not necessarily directly from the vendors So if I could ask for one thing is better communication and what sorts of incidents are you seeing with third-party States? Is it more of a matter of you know their dependency on other companies and them sort of also being left in the dark? You know are they being subject to the same sort of attacks that the covered entities are what sort of makes of things are you seeing? I'm seeing the same thing that we're seeing with covered entities It's mostly ransomware and data exfiltration which is rampant across not just our industry But across all industries and so what we're seeing is pretty aligned with the rest of the world and when it comes to efforts to monitor Third parties more continuously rather than mainly when they're signed on to provide a service or product What's your advice to health care entities?
Is there anything that you're doing in your organization? You found particularly helpful or effective in managing third-party risk that other entities might want to consider doing We were talking about this in the session in terms of just the ability to scale is becoming really challenging when it comes to continuous monitoring So we do rely on third parties to that offer this kind of a service to do the monitoring for us And we also rely on organizations like health ISAC that come out You know on a daily basis with ransomware leak information other information about breaches and threats And so my recommendation to organizations is don't don't try to do this alone because it's really hard And it's not scalable so leverage the third parties and organizations out there available to help you augment your third-party risk management program And when it comes to continuous monitoring of vendors what sorts of things are you interested in seeing and knowing about? I'm interested in making sure that the security posturing controls that we agreed to Contractually and during the onboarding process are working effectively on that their score ratings aren't dipping significantly And certainly one of the things that I reference that we leverage these services for is alerting us when there's a potential breach Because we don't always learn from it from the vendor and are these Are they I don't know if they're all new requirements or maybe they're sort of evolving requirements Are they being built into a VA agreements or are vendors pushing back on any of these sorts of things not not the pushback Isn't there anymore at least not as rampant as it used to be when I started 18 years ago when the vendors would all say well Nobody's asking us to do this We all know that we were but now it's pretty standard practice to not only do the assessments up front but also to attach security terms Most of the contracts and what about addressing software vulnerabilities and third-party products any practices that you've found in your organization It helps you stay on top of these issues when they come up and how do you set your priorities when there's always Sometimes a flood of these things at once. Yeah, it's hard work You know it starts with requiring them to have a mature software development lifecycle that includes security.
It also, you know requirements around external reporting of vulnerabilities and responsible disclosures and really just holding the vendors accountable to what's in the contract in terms of Patch management vulnerability management communication and just overall cyber hygiene and do the requirements or your expectations of vendors Change much depending on the types of products that they supply. Yeah, software obviously and you can see where things might be more risky But then you have products like you know Smart TVs in the hospital rooms or things like that or OT sort of devices is that you know? How do you manage those sorts of vendor risks? So we have different standards for different types of vendors and the services that they provide as well as whether they're cloud or on-premise But I've always been of the belief that if it's connected to our network regardless of what kind of data it's processing It poses a risk to our network and and so for us if it's if it's attached to our production network We treat it like a risky thing and then manage that risk to acceptable levels And finally on any anything in particular when it comes to emerging technologies that you're kind of keeping a close eye on right now when it comes to security but also Technologies use my clinicians that they might be interested in using whether it's AI tools or whatnot that might pose security risk to you But you want to know about it, you know We are Christiana care is a very technology forward very highly innovative organization and we really like to embrace technology At the onset and so that presents unique but positive challenges for from an information security perspective because some of these things that are out there That we're leveraging Frameworks for security haven't necessarily been designed for them, but because we are so few so technology forward part of my role is to make sure that I am staying two or three steps ahead of the technology and Building out those capabilities so that when we're ready to start leveraging some of this emerging stuff We've got the framework in place to be able to enable our caregivers to be successful Well, thank you so much on a he I've been speaking to on a he San Diego I'm Mary Ann Kolbasek McGee of information security media group.
Thanks for joining us