Mitch is the CISO at IU Health. He has done a significant amount of work in researching the effects of cloud and distributed computing, network-based threats, compliance, and privacy and security requirements on connected health devices. Mitch works collaboratively with a number of EMR, infrastructure, and biomedical equipment vendors to improve their security postures and provide a better quality of service. He currently resides in Carmel, IN, with his wife, two children, and two cats.
How to take the 'suck' out of supplier risk management – a story about how we did it
IU Health is a healthcare provider with over 1,300 vendors. We face risks of scale. We needed to come up with means by which we could state our requirements, evaluate vendors for risks, and credibly present that we had addressed risks.
Current third-party vendor risk solutions do not present the requirements for the risk-based approach needed to address the intent of regulations. A score based upon controls we have no insight into, plus reported data breaches, does not provide evidence of risk mitigation. The processes used by most organizations revolve around Business Associate Agreements to address security terms and conditions, and detailed commitments to controls are not made.
Our challenge, the same one faced by many organizations, was an insurmountable workload in managing our supplier risk. We were overloading our attorneys, our third-party risk team, several outside firms, and the vendors themselves.
So, we spent a year and a half researching this problem. We interviewed practitioners, CISOs, vendors, and peer institutions. We developed security standards for emerging technologies. We examined upcoming standards, sent recommendations, and shared our ideas with vendors.
We published this work on our website in November 2019 for everyone to use.