I think I want to stay in bed…Have you ever had one of those weeks when everything went wrong all week and every day was a Monday? The week of May 13th was one of those weeks for IT and cybersecurity. As I was reading throughout the week, I found articles about:
- Microsoft issuing patches for RDP for Windows 7 (which has gotten long in the tooth), and for expired legacy OSes like XP and Server 2003/2008!
- Cisco’s hardware security vulnerability, Thrangrycat, found in many of their enterprise network switches allowing the possibility of becoming compromised.
- Facebook’s WhatsApp with a buffer overflow flaw requiring a security patch.
- Intel and their chip vulnerability – ZombieLoad – that allow hackers to receive private data from a processor’s buffers.
All this concerning news is a reminder that the war on cyber attacks takes a village. Hardware vulnerabilities is not something most of us can address, and truthfully, software coding for security patches are not in our realm of expertise; however, we do have responsibilities that are ours alone.
Why is Microsoft still concerned with Windows XP and Server 2003 and 2008? Because there are systems still using these outdated and unprotected OSs. Many are found in healthcare! Several years back, I remember being horrified at learning a medical device manufacturer in my hospital was using Windows 2000!
There is a new paradigm for healthcare systems that is saying to vendors; you will be responsible for the security of your medical device equipment and you must follow our organizational security policies, and you will be accountable for the devices you place on a network, and you will be responsible for following organizational remote access policies.
Here are a few tips for how you can manage the risks associated with doing business with vendors:
- Take time with the contract and associated agreements. Never sign off unless you are 100% comfortable and your compliance and legal team agree as well.
- Research the vendor. Know them as if you are investing your personal money with them. Ask:
- How long have they been in business?
- What are other customers saying?
- What is their track record?
- How do they rank with competitors in their domain?
- Have they ever had a breach violation?
- Use a vendor risk management solution that provides tools like surveys or questionnaires to determine a risk score for each vendor. These scores are helpful to rank what vendor has the biggest risk factors in your organization.
- If access to data, especially ePHI, is part of their work, tie remote access privileges in with the vendor risk solution.
Remember, as a healthcare system or single hospital, or private practice; you are always responsible for protecting your data.
If you want to learn more about how to manage vendors and their remote employee access, I would be happy to meet with you. Click here to request a meeting.
If you're attending the MUSE 2019 Inspire Conference, come by booth #709 and let's talk about your cybersecurity challenges!