Many healthcare organizations are failing to address shortcomings in security risk management for their supply chains, says former healthcare CIO David Finn, describing findings of a recent study assessing the state of cybersecurity in the sector.
“The supply chain risk assessment really has to start before you make a final decision” about bringing onboard a vendor, says Finn, executive vice president at the privacy and security consultancy CynergisTek.
“We very rarely see security and risk management as part of a request for proposal,” he says in an interview with Information Security Media Group. “And that really needs to be cooked into the process when you’re looking for a vendor, particularly if it’s a vendor that is going to have access to your technology resources, or more critically, your electronic health information or other patient information.”
Supply chain concerns were among a host of disturbing trends identified in the recent CynergisTek study examining healthcare risk management practices and the state of cybersecurity in the sector.
For example, the analysis found many healthcare sector entities “sliding backward” from 2017 to 2019 in implementing practices called for by the National Institute of Standards and Technology’s cybersecurity framework, Finn notes.
“To see the decline in 2019 numbers and then see this rapid expansion of the attack surface [amid the pandemic in 2020] … it’s really a scary situation for us to find ourselves in,” he says.
In the interview, Finn also discusses:
- Other trends identified in the study;
- Security challenges facing healthcare entities undergoing a merger or acquisition;
- Advice for improving security risk management programs.
Finn, executive vice president of strategic innovation at CynergisTek, previously was health IT officer at security vendor Symantec. Prior to that, he was CIO and vice president of information services at Texas Children’s Hospital, where he also served as the privacy and security officer. He has more than 30 years of experience in the planning, management and control of IT and business processes.