BLOG POST: Rise of the Little Guys | How Small Vendors Carry Most of Your Risk
Blog Post by Brian Selfridge, Partner at CORL Technologies
Did you know that over 86% of vendors servicing healthcare providers in 2020 are either in the Very Small (between 1-50 employees) or Small (between 51-500 employees) categories? That figure derives from analysis that was conducted in February 2020 of security assessments conducted on CORL’s database of over 50,000 healthcare vendors.
This latest analysis highlights a growing trend of smaller vendors dominating the healthcare vendor landscape and changing the way in which healthcare vendor security risk managers need to think about third party risk mitigation approaches.
Let’s dig deeper into the security posture and risk management practices of smaller vendors to identify adjustments necessary for managing risk at this scale.
Security Characteristics of Small Vendors
Smaller vendors tend to have limited in-house security subject matter expertise and leadership. As a result, some small organizations struggle to respond effectively to security audits due to lack of familiarity with the topics, terminology, and standard security program controls.
These companies also often only service healthcare and are not subject to due diligence expectations from other regulated industries (e.g. medical device vendors, population health management, clinical applications).
Smaller vendors are surprisingly much quicker to respond and complete security questionnaires and audits than their larger counterparts. While response time is more expedient for small vendors, the quality of responses and maturity of security controls often lags behind mid-size and larger vendors.
A Playbook for Managing Risks Introduced by Smaller Vendors
CORL recommends adopting the following practices for managing risk associated with small vendors.
- Require small vendors to carry cyber insurance coverage of at least $2M-$5M.
- Encourage or require the vendor to obtain a security certification such as HITRUST, ISO 27001 and SOC2 Type 2. If the vendor agrees to obtain a security certification, ensure that an appropriate timeline is agreed upon for accountability. CORL suggests 12-24 months.
- Encourage the vendor to maximize the subscription options for security with hosting providers such as Microsoft Office and Azure, AWS and Google.
- Prioritize the following control areas for security assessments of small vendors: encryption of data at rest and in transit, penetration testing, patch management, clearly assigned security responsibility, security awareness training and education, and employee background checks.
- Focus remediation efforts on the vendor’s high-to-medium risk findings uncovered during risk assessments.
- Require small vendors to agree to a remediation timeline for high and medium risk findings. CORL recommends a maximum of 30-day remediation period for high risks.
- Once the vendor has agreed to remediate high and medium risk findings, set a timeline for addressing the low risk items. CORL recommends that medium and low risk findings be addressed within 90-180 days.
- Encourage or require vendors to provide a third-party penetration test (internal and external network testing is recommended).
- Require the vendor to notify your organization as remediation items are completed or addressed.
- Require proactive reporting if there are any changes in the vendor risk profile including breach events.
- Include cybersecurity requirements and Service Level Agreements (SLAs) in contracts with small vendors including right to audit clauses, penalty clauses, and specific requirements for security control expectation consistent with the areas highlighted above.
The small vendor population is likely to increase as innovations in digital healthcare continue to be driven by the entrepreneurial zeal of startups and fledgling organizations. Healthcare entities must adjust their playbooks and assessment models to reflect the unique risks introduced by this swarm of small companies with access to large healthcare data sets.
Partnering with you to bolster your risk reduction efforts for your organization and throughout your vendor network is our mission here at CORL. Contact our team and let us know your thoughts and questions about managing your vendor security risk program. We’d love to hear from you.