Why Aren't 3rd Parties More Transparent About Breaches? episode artwork

EPISODE · Apr 19, 2023

Why Aren't 3rd Parties More Transparent About Breaches?

from Info Risk Today Podcast · host InfoRiskToday.com

Vendors should be more transparent and faster in communicating when they experience a breach or other security incident that affect clients' data, says Anahi Santiago, CISO at ChristianaCare. "Sometimes we find out about these incidents through our third-party monitoring systems," she said.

Episode metadata supplied by the publisher feed · Published Apr 19, 2023

Vendors should be more transparent and faster in communicating when they experience a breach or other security incident that affect clients' data, says Anahi Santiago, CISO at ChristianaCare. "Sometimes we find out about these incidents through our third-party monitoring systems," she said.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Why Aren't 3rd Parties More Transparent About Breaches?

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

I'm Mary and Colby's executive editor at information security media group on that hymns here talking with Anahi Zatiego Who is this out at Christiana care? Hi? How are you? Good?

Thank you, Anahi now you were speaking at the conference about third-party risk What are some of the top challenges that you're dealing with these days concerning third parties? There are so many but I'll list the top I think one I think one of the most emergent challenges has to do with our now reliance on third parties to conduct business and the Availability of those third parties to keep us resilient often these third parties have incidents and become unavailable and Organizations have to scramble to figure out how to still continue to do business without the partner So now with that said, you know We see a lot of cyber security incidents including ransomware attacks on vendors and business associates in the health care sector that result in breaches and sometimes even Disruptions at the covered entity clients. What would you like to see vendors and business associates do better to reduce these risks to covered entities? Is there a common threat of weakness that you see often among third parties?

So I want to be out here to the third parties Incidents are going to happen and no amount of investment in information security can guarantee a hundred percent that they're not going to succumb to an incident So in terms of what we'd like to see them do better be more transparent be quicker to communicate when a breach has occurred Sometimes we find out about it through our third party monitoring systems or health ISAC and not necessarily directly from the vendors So if I could ask for one thing is better communication and what sorts of incidents are you seeing with third-party States? Is it more of a matter of you know their dependency on other companies and them sort of also being left in the dark? You know are they being subject to the same sort of attacks that the covered entities are what sort of makes of things are you seeing? I'm seeing the same thing that we're seeing with covered entities It's mostly ransomware and data exfiltration which is rampant across not just our industry But across all industries and so what we're seeing is pretty aligned with the rest of the world and when it comes to efforts to monitor Third parties more continuously rather than mainly when they're signed on to provide a service or product What's your advice to health care entities?

Is there anything that you're doing in your organization? You found particularly helpful or effective in managing third-party risk that other entities might want to consider doing We were talking about this in the session in terms of just the ability to scale is becoming really challenging when it comes to continuous monitoring So we do rely on third parties to that offer this kind of a service to do the monitoring for us And we also rely on organizations like health ISAC that come out You know on a daily basis with ransomware leak information other information about breaches and threats And so my recommendation to organizations is don't don't try to do this alone because it's really hard And it's not scalable so leverage the third parties and organizations out there available to help you augment your third-party risk management program And when it comes to continuous monitoring of vendors what sorts of things are you interested in seeing and knowing about? I'm interested in making sure that the security posturing controls that we agreed to Contractually and during the onboarding process are working effectively on that their score ratings aren't dipping significantly And certainly one of the things that I reference that we leverage these services for is alerting us when there's a potential breach Because we don't always learn from it from the vendor and are these Are they I don't know if they're all new requirements or maybe they're sort of evolving requirements Are they being built into a VA agreements or are vendors pushing back on any of these sorts of things not not the pushback Isn't there anymore at least not as rampant as it used to be when I started 18 years ago when the vendors would all say well Nobody's asking us to do this We all know that we were but now it's pretty standard practice to not only do the assessments up front but also to attach security terms Most of the contracts and what about addressing software vulnerabilities and third-party products any practices that you've found in your organization It helps you stay on top of these issues when they come up and how do you set your priorities when there's always Sometimes a flood of these things at once. Yeah, it's hard work You know it starts with requiring them to have a mature software development lifecycle that includes security.

It also, you know requirements around external reporting of vulnerabilities and responsible disclosures and really just holding the vendors accountable to what's in the contract in terms of Patch management vulnerability management communication and just overall cyber hygiene and do the requirements or your expectations of vendors Change much depending on the types of products that they supply. Yeah, software obviously and you can see where things might be more risky But then you have products like you know Smart TVs in the hospital rooms or things like that or OT sort of devices is that you know? How do you manage those sorts of vendor risks? So we have different standards for different types of vendors and the services that they provide as well as whether they're cloud or on-premise But I've always been of the belief that if it's connected to our network regardless of what kind of data it's processing It poses a risk to our network and and so for us if it's if it's attached to our production network We treat it like a risky thing and then manage that risk to acceptable levels And finally on any anything in particular when it comes to emerging technologies that you're kind of keeping a close eye on right now when it comes to security but also Technologies use my clinicians that they might be interested in using whether it's AI tools or whatnot that might pose security risk to you But you want to know about it, you know We are Christiana care is a very technology forward very highly innovative organization and we really like to embrace technology At the onset and so that presents unique but positive challenges for from an information security perspective because some of these things that are out there That we're leveraging Frameworks for security haven't necessarily been designed for them, but because we are so few so technology forward part of my role is to make sure that I am staying two or three steps ahead of the technology and Building out those capabilities so that when we're ready to start leveraging some of this emerging stuff We've got the framework in place to be able to enable our caregivers to be successful Well, thank you so much on a he I've been speaking to on a he San Diego I'm Mary Ann Kolbasek McGee of information security media group.

Thanks for joining us

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on April 19, 2023.

What is this episode about?

Vendors should be more transparent and faster in communicating when they experience a breach or other security incident that affect clients' data, says Anahi Santiago, CISO at ChristianaCare. "Sometimes we find out about these incidents through our...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!