Horror Stories: Why Third-Party Vendor Risk Management is So Scary

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The last few years third-party vendor risk management (TPRM) has transitioned from being a relatively minor part of security and compliance programs for healthcare entities into a massive undertaking with potentially dire consequences if not managed properly. This is one of those topics that seems to really have CISOs shaking in their boots. 

What makes third party vendor risk so scary? Why are security leaders having nightmares? 

Join us for this episode of the CyberPHIx podcast where we hear from James Ballou, Chief Information Security Officer for North American Partners of Anesthesia. 

James shares insights from his extensive experience managing security teams and third-party risk management programs for leading healthcare organizations. 

Topics covered in this session include:  


  • What makes third-party vendor risk management so scary for healthcare cybersecurity and risk professionals? 
  • Regulatory requirements related to third-party vendor risk management including HIPAA and state laws 
  • OCR enforcement of third-party business associate compliance mandates 
  • Third-party vendor risk governance best practices and models 
  • The implications for vendors that acquire certifications including HITRUST, SOC 2, and ISO 
  • The limitations of questionnaire-based vendor assessment models 
  • Best practices for strategic and operational management of third-party vendor risk management programs in healthcare 
  • The future of third-party vendor risk management 


Brian Selfridge: [00:00:20] Hello. Welcome to The CyberPHIx your audio resource for cybersecurity, privacy, risk, and compliance for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from plot leaders and healthcare, cybersecurity, and risk roles. In this episode, we'll be speaking with James Ballou. James is the chief information security officer for North American Partners of Anesthesia or NAPA for short. Just in time for Halloween, I'll be speaking with James about one of the scariest topics for healthcare, CISOs, and security leaders, and that is third-party vendor risk management. Why is it so scary? Why are security leaders having nightmares? Well, I'm going to let James tell you all about that and hopefully tell you some ways to be a little less scared about it if we can. So let's dive into another great conversation with you and another amazing guest, James Ballou. 

Brian Selfridge: [00:01:17] Hello. Welcome to CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I'd like to welcome my guest, James Ballou. James is the chief information security officer for North American Partners of Anesthesia, otherwise known as NAPA. NAPA is a collaborative community of experts trusted by nearly 500 sites and growing to provide best-in-class, patient-centric anesthesia and pain management care. 

Brian Selfridge: [00:01:40] Headquartered out of Long Island, New York, with a footprint in over 20 states, James has spent the last 22 years serving 22 years or so, probably more than that. I think if I tally it all up correctly, serving in various roles from information systems, network engineering, E-commerce, HIPAA, security and privacy, and as the chief information security officer for organizations including Perot Systems, ACRI Health Inc., Driscoll Health System, Driscoll Children's Hospital and Erlanger Health System, all very big names there. I'm excited to be speaking to James today about what makes third-party vendor risks so scary for healthcare, cybersecurity, and compliance teams. We'll talk about breaches, and compliance exposures, of course, and discuss some ways to take the fear out of third-party risk and start getting some control over the situation as best we can. At least we have a lot to cover today. So let's dive into our interview with yet another amazing guest on the CyberPHIx James Balloon. James, welcome to the show. Thanks for joining us today. 

James Ballou: [00:02:35] Thank you, Brian. Appreciate it. 

Brian Selfridge: [00:02:37] So we talk about this being horror stories, right? It seems like the last few years, maybe last decade or so at third-party vendor risk management has seen a transition from I'll use the acronym TPRM. I'm sorry, that may come up. I'll do that subconsciously, but it seems like the whole third-party risk function was kind of this relatively minor part of security compliance programs years ago. And now it's transitioned into more of a massive undertaking with potential dire consequences if not managed properly. So it's really getting a lot more criticality, it would seem. It's one of those topics that seems to really have CISOs shaking in their their boots or whatever shoes they wear, wingtips or I'm not sure what CISOs wear anymore. I was one. I stopped wearing this a long time ago. Just sneakers for me. But what is it, James? Why is third-party vendor risk so scary for folks like us? 

James Ballou: [00:03:25] Oh, well, for starters, being in healthcare as long as I've been, I think it's scary because it's so new to healthcare in that there was a real lack of governance when it comes to, you know, review, an appropriate review, and governance regarding new technologies and arrangements as they on board. Historically, healthcare has been very, very, very porous when it comes to purchasing, and being decentralized. So you have these things coming in from all over the place. And when they're coming in from all over, across the enterprise, it's very difficult to wrangle them in and get them funneled into a governance process. And so I think that that is one of the things that makes it scary because they just historically have not had a good track record and a good process for doing that. The other thing I think that makes it scary is, you know, the depth and breadth and complexity of carrying out a thorough risk analysis when it comes to vendors because the solutions are becoming more complex themselves. You've got all these cloud-based arrangements where there are multiple parties involved and there are also vendors of these individual SaaS-based offerings and companies that, if not properly discovered embedded, introduces significant risk, especially if they're not in compliance or not aware of their compliance obligations. 

James Ballou: [00:04:54] But all of them, you know, need to be very thoroughly vetted and you need a well-coordinated team of knowledgeable staff to go through that discovery process, make sure that you're asking the right questions in order to properly assess that risk. But in addition to it, I think the other thing that makes it scary is the growing threat landscape. It's more sophisticated attacks, and so it's just the fear of the unknown and not knowing what you may be facing tomorrow. Because as these new attacks, you know, come forth and zero-day attacks, you learn more and more about, you know, what that threat looks like and what you need to be looking for. But a lot of times you don't find out until somebody has already fallen victim to it. So it's just generally scary because the threats are growing and getting more sophisticated very, very rapidly. 

Brian Selfridge: [00:05:47] Now. Is it just scary for us, the compliance team, and security teams that are behind the scenes, just seeing the risk, seeing the threats, seeing our perhaps varying degrees of adequate response to that and managing the risk? Or does that fear, quote-unquote, kind of extend out to other parts of the business, the C-suite, the boards? Are they as aware and worried about this? Do you think or is it just our teams that are on the front lines feeling the pain? 

James Ballou: [00:06:14] Well, I certainly think that CISOs and compliance have taken the brunt in the past few years, dealing with breaches, taking those lessons learned, and then trying to put in good governance that that really addresses the pitfalls and the mistakes that had been made before. But I do think that the C-suite is becoming more aware of the risk and the threats that are out there just by virtue of the number of press releases and news articles and things that are coming out talking about this company or that company getting breached and, you know, major fines and penalties or they played a major ransom. But, you know, I saw this, gosh, starting in 2017, you know, the big wave of, you know, attacks that came across healthcare. And, you know, it just kept growing and growing and growing. But, you know, with that, yes, the C-suite is becoming more aware, but so is the board. I think the board is becoming more aware of their responsibilities for making sure that there are adequate risk management and risk analysis processes and putting in secure safeguards so that they can reduce and minimize the risk to the company and the bottom line. But I think it's really helped drive the C-suite to become more evolved and more aware because they're putting downward pressure by asking the right questions as a board and saying, Do you have this in place? Do you have that in place? We want to see you giving routine reports on monitoring the risk. And we want to know routinely what our risk posture is. And so I think that's put a lot of artificial pressure, downward pressure on the C-suite to become more aware. And so with that, they are becoming more worried as they go because they're just now starting to discover what we as CISOs and compliance have known all along. And so. That's what I see at least currently within healthcare as a whole.

Brian Selfridge: [00:08:28] You want to talk about the regulatory angle of this a little bit? Because clearly, the breach-associated risks are becoming more evident, as you said, with the board and with us. We're seeing those threats. But what about some of the regulatory expectations? Is there any fear of. We always used to joke the HIPAA police, you know, OCR and others coming in to crack the hammer on third-party risk. Maybe we could start with just what maybe what are some of the federal, and state global regulations that maybe take in third-party risk in some way, shape, or fashion that might affect healthcare organizations just to make sure we're leveling the playing field for the listeners here. What would what are we up against regulatory-wise? 

James Ballou: [00:09:08] Well, certainly there's HIPAA, and HIPAA has been around for a long time. And I think HIPAA did a good job of conveying the expectation that you have a risk management program that looks to reduce the risk of, you know and make sure that you have appropriate confidentiality, integrity, and availability across the patient information that we're required to protect. And I just don't think it was well understood exactly what OCR meant and was requiring. And so a lot of organizations have learned by virtue of falling victim to a program that when they did get hit with a breach, came under OKRs Oversight. And, you know, they found out that they were really lacking in that department. And most of the fines and penalties that you see out there, you know, being assessed is because there's been a real. Um, facet of negligence in that area of HIPAA where they just weren't aware and did not have a good program in place to both analyze and catalog the risk and then determine what risks need to be mitigated. But the one thing that I see in the regulatory space is you're starting to see these state regulatory bills and whatnot coming apart, coming out with privacy legislation across various states. I think in Colorado, SB 190, you know, Proposition 24 in California that are also now introducing, you know, the need for risk assessments to make sure that companies and organizations are properly aware and handling the risk just by virtue of the number of breaches out there. You would begin to think that it's not being handled as well as it could be. 

James Ballou: [00:11:08] But some of that is also because of the increased threat landscape and, you know, we're as my former boss used to call it, he says it's a constant arms race with these attackers and we're constantly just trying to keep up. And the one thing about cybersecurity and these threats is these threat actors only have to get it right once. We've got to get it right all the time in order to fend off these attacks. And so the regulatory aspect of it, it makes it a little bit scarier for organizations because it introduces new potential for fines and penalties, introduces also some potential for class action lawsuits and things like that whenever things don't go right and there's a major breach. So it increases the impact on the organization from a financial aspect, but also from the aspect of continual monitoring and things like that. With OCR, when you go under a CEA, you know, with the OCR, then they've got a monitor that sits in there and is looking at your program constantly to make sure that you're keeping up for a period of time before they release you from that corporate integrity agreement. So those are all pretty scary things. But, you know, I think the legislation is going to continue to grow. There's going to be more regulations similar to GDPR in Europe with regard to rights and responsibilities that each organization needs to be aware of and make sure that they comply with. 

Brian Selfridge: [00:12:40] Yeah. I'm glad you mentioned the States. They're putting out some good stuff. I also noticed the federal folks are starting to put out bills that include a lot of third-party risk content in them, some of the more forward-thinking legislators in the country. What's nice is it's a bipartisan issue, which I'm not sure we can count as many, many of them, on one hand, these days, but this is one that everybody seems to be getting behind. Well, let's talk about HIPAA a little bit more, if we can. What specifically? The HIPAA security rule has a lot of different pieces to it, and some of our audience will be intimately familiar with it. Others may not. What parts of the HIPA security rule are applicable here for the third-party risk component? 

James Ballou: [00:13:21] Well, certainly the risk management program is an important aspect of it. So generally you just need to have a good program for monitoring, cataloging, and communicating risk within the organization and identifying which risks need to be mitigated and how to do that. But also, you know, the annual risk analysis requirement is there's a requirement under HIPAA to perform an annual risk analysis. And that risk analysis is laid out in 164308. And so that's where you have to conduct an accurate, thorough assessment of all the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. So, you know, for you to even get to that level, you've got to catalog and know where all of your PHI is and how it's being processed and where it's being stored and transmitted. And so there are other aspects of HIPA that come into play here, like the need for having a good inventory of all of your protected health information and knowing where it's at so that you can perform a risk analysis. And so another part of that is, you know, having, you know, a good sanctions policy and an information systems activity review that continually has you monitoring for any suspect or other, you know, things that may maybe go wrong so that you've got good monitoring in place. 

James Ballou: [00:14:48] But having a sanctions policy is an important part of it, too, because once you've got that arrangement and you have somebody that fails to identify the risk and then gets hit with a breach, is you've got some means of responding to that by making sure that you hold their feet to the fire and you can help bring them into compliance or sever that relationship with them. But, you know, there's all those pieces all come together to kind of help regulate the overall risk posture of the organization. But there's never really been a lot of detail in spelling out how third parties and how those relationships need to be monitored as well. And I think it's one of those things that initially we didn't have a lot of arrangements when I first started in it, you know, when it came to it, it was pretty much everything was in our data center and we very rarely ever sent data out to a third party where they processed it, stored it, you know, and it was transmitted, you know, to varying aspects. And so we didn't really have this need for third-party governance like we do today. 

James Ballou: [00:15:56] Today, we're seeing this huge transition with a digital transformation of, you know, people leaving, you know, their data centers and go into third party, SAS, you know, providers and other arrangements. And so there's a real need for making sure that you've got a really good review process because as we talk about SAS providers and the whole marketing of these solutions everybody wants to be first to market and everybody wants to get it up off the ground quick. They want to get it out the door and get it going first and then secure it later on. And that's just not a reasonable expectation when it comes to HIPAA, you need to make sure it's right straight out of the gate. So you need a process to review those solutions and make sure they were meeting all their compliance obligations and they're helping you meet all of yours as well. And so that's where that risk analysis process really helps to make sure that you've identified all the gaps in those solutions, and then you can make an informed decision, even if there is a gap as to whether to proceed with some mitigating controls or whether to abandon that particular endeavor and find something that that can meet your compliance obligations. 

Brian Selfridge: [00:17:10] Yeah, I'd want to reinforce the word you mentioned comprehensive in that part of the HIPA security requirement, comprehensive risk analysis. I think a lot of organizations are still missing that. The point is that you can't just assess your top ten applications or your electronic health record or your key system and say that's a risk assessment or risk analysis you've got to look at everywhere he goes and lives in third party is the name of the game, as you mentioned. Now it's all sort of shifted off. We always joked out of the basement of the hospital and now into the clouds. But do you think healthcare organizations, are looking at third-party risk today, in terms of the drivers for building out a program and a team and putting investment behind this? Are they looking at this as as a compliance issue or more of a breach-driven issue? Or is it a little bit of both? Where are you seeing kind of the dollars kind of coming behind, building a prime program out? 

James Ballou: [00:18:03] You know, I, I think it varies from organization to organization as to how they're looking at it. Certainly, most of them are looking at it because it's mostly been compliance driven from the privacy office and from the CSO to make sure that we're meeting all of our compliance obligations. But more and more, it's being looked at as a risk enterprise risk issue because it's no longer just about, you know, ensuring compliance is about ensuring continued operations. And we've had so many of these attacks that have been successful and have had such a dire impact on operations and the bottom line of the organization, I think they're being forced to look at it as an enterprise risk issue. 

Brian Selfridge: [00:18:44] So how is OCR responded to this shift from your perspective? I mean, they have been enforcing the HIPAA security rule for coming up on 20 years or something. I'm losing track of it. This may be in 2006, not quite that much, but is this a focus area for OCR? Are you seeing that being the type of thing that gets looped in and lumped into resolution agreements or civil monetary penalties or is this still kind of a back seat kind of issue from their perspective, from what you've seen? 

James Ballou: [00:19:13] Well, I certainly think OCR understands this whole transformation and the growth of third-party arrangements in third parties. And so I think they are getting a better handle on it. You know, each breach, you know, gives them new opportunity as they discover these complex arrangements and whatnot. And they are certainly on board with ensuring that business associate agreements and those types of things are holding these third parties accountable, and they are holding these third parties responsible and accountable when it comes to corrective actions and even fines and penalties. I have not seen very many that I can see, at least thus far, that have been fined as a third party when it comes to OCR's reach. But I think that that's just going to be coming down the pipeline, so to speak, just by virtue of the growth in these industries and organizations. But it's so important for the organization, our organizations, to make sure that we have appropriate agreements and arrangements to make sure that we can not just when we initially review and purchase a SAS based, you know, solution, but where we can continually monitor their compliance and make sure that you have a regular review cycle. And that to me is a real challenge. It's challenging enough in an organization, larger organization, just to handle the bandwidth and the tempo of these solutions and these arrangements coming at you so that you can review them. 

James Ballou: [00:20:54] But to continue to review them and make sure that they stay compliant is another challenge in itself. And I think those things will start to kind of show their face a little bit more and more with OCR as more of these breaches happen and these third parties get caught up in the investigation and then OCR determining what path that they need to take to ensure that future risk to PHI is, you know, being properly handled in the investigation. And fines and penalties typically are only assessed whenever there's severe negligence or, you know, involved. But that doesn't stop them from putting in some other, you know, things like corporate integrity agreements where they come in and they continue to monitor and if they find other non-compliance issues, that they could then turn around and assess fines and penalties. So hopefully that answered your question. I know it was kind of a roundabout on it, but you know, I certainly think that we're going to see OCR getting more and more involved with identifying third parties that are responsible for a breach. 

Brian Selfridge: [00:22:04] Yeah. I've been involved in several of those multiyear OCR follow-up agreements. I think that's a misunderstanding that a lot of folks have. They think OCR comes in, there's investigation, there's a fine first off, that takes years sometimes. But then also they stick around and they're monitoring. And a lot of times the investment and the pain, so to speak, is not even just the initial breach events that bring OCR calling or the investigation or the settlement or fine. It's the multi-years afterwards when you actually now have to invest in all the things you were supposed to be doing before. So I think I'm glad you brought that up because I think a lot of folks don't quite understand how extensive that process is. Now, I think if there are any listeners here that weren't scared about third-party risk before we start, I think we've sufficiently scared them. They're worried about it in whatever capacity they're in. But let's talk about our job here is not just fear, uncertainty and doubt, although there's always a piece of that in our line of work. Let's talk about some ways we might be able to tackle some of this, maybe, if not in its entirety, but sort of reduce the risk. I know you've done a ton of great work and presentations on governance of TPRM programs and third-party risk. Maybe we can kind of talk through some of that of how we begin to chip away at this perhaps first starting with who are some of the if we turn our eye from outward OCR and breaches and inward to our own programs who are the some of the stakeholders we need to get at the table and get and get engaged in our third-party risk programs if we're looking to mature them. 

James Ballou: [00:23:33] You know, in my experience, certainly the C-suite needs to be engaged. And that's a difficult endeavor because, you know, there are so many things that are, you know, at the forefront of their minds, you know, run in the organization. But as they become more aware of it from an enterprise risk perspective, they need to be involved because even their little pet projects, you know, tend to sometimes do an end around governance. They've got something that they want to get done. They want to get it done quickly as possible. And unfortunately, what a lot of the C-suite traditionally have looked at is even some of these governance programs around ensuring appropriate risk analysis and identification of risk have just been putting a purposeful slowdown in place. And they're not able to get things done in the timeframe that they initially want to. But I just think it's really imperative that we work with the C-suite to make sure that they understand, hey if you have projects or things that need to get done, we need to get this in the pipeline much sooner. And we'll need your help because it's not just about the C-suite. It's also about reining in all of the various entry points for these projects, in these purchase agreements and arrangements to make sure that they're funneling it over to the appropriate governing process. So with that, you want to certainly make sure that you partner with your chief compliance officer or your chief privacy officer. 

James Ballou: [00:25:07] And a lot of times I found myself partnering even with our internal audit team, so that we can continually audit some of these arrangements and things to make sure that they're following not just policies and procedures internally within the organization, but they're truly looking at the depth and complexity of all the requirements to make sure that the system and or arrangement complies with all of our regulatory obligations. And so I know at Erlanger Health System, you know, I immediately engaged the project management office because it was a great opportunity for us to funnel all of these projects toward the PMO, get them introduced, at least in terms of discovery, because the PMO usually does an initial discovery of every project to find out if it's something that needs to be managed by a project manager, or if it's a small enough project that the department or the technical team can manage on their own. But it's such a great entry point to be able to leverage, to be able to say, we need you to complete this questionnaire, we need you to get this information on discovery before we look to even purchase or implement. We want to get started very early in the process and understand what we're looking to buy. And so that was a real advantage getting the PMO involved, but also getting your supply chain department and your Biomed department as a hospital system in your lab because they're almost always rather independent of the IT department and their purchasing power and they're able to buy medical devices and things like that that eventually need to be integrated either with their medical record systems or other systems. 

James Ballou: [00:26:58] And just by virtue of being on the network could introduce, you know, a lot of risk to the environment if they're not being managed and monitored and set up properly or are segregated from the rest of the environment. So all of those, you know, C levels. Types need to be involved. But, you know, also your departments, you need to meet with your department heads and make sure that they understand what the process is for purchasing and why it's important to get involved in that early on and let us know what their goals and objectives are if they have it related things that they're looking to purchase to get injected into that process early on so that we can make sure to not just vet the regulatory compliance aspects of the project, but we want to help you make that project succeed. We want to make sure the project has the appropriate budget. We want to understand all of the storage requirements and all the networking requirements and everything to make sure that we've identified everything that is needed for the project to succeed. So it's not just about the compliance and the governance aspect of it, it's about making sure that the project has sufficient backing. It meets with the organization's strategic initiatives and plans and overall is going to be successful given that everything has been identified that it needs to comply with. 

Brian Selfridge: [00:28:18] So how do you operationalize that, that governance model? You got all those different people to get in the mix. I love the idea of having PMO at the front end. That's brilliant. We don't see that a lot. And I think hopefully our listeners can, can take that away as a, as an actionable thing. But what is the, what is a gold standard kind of governance structure look like? What's the process from identifying the vendor to vetting them to then making some actionable decision on whether or not you're going to work with them or mitigate the risk? How does that tend to flow? I know it's different everywhere, but if you had to see sort of a gold standard model, what might that look like? 

James Ballou: [00:28:53] Yeah, it's going to vary and I don't think any organization is going to be exactly identical. But, you know, based on the size of the organization, based on, you know, the various groups and committees and things like that that have oversight. But typically you will see, you know, an IT steering committee, for instance, security and compliance as a committee. And of course, you typically have an internal audit team, you know, or audit committee that is looking at risk from an internal audit perspective that, you know, tied in reporting to the board. But typically you also see an executive steering committee. And so I know how we set it up at Erlanger Health System is we initially did discovery and fielding all the questionnaires and all the gathering of all the information and then getting that to the appropriate reviewers to at least initially review it from a discovery standpoint to make sure that all the I's are dotted and the T's are crossed. But then it would go on to an internal, you know, i.t committee that would review it before it even got to the steering committee. And then our PMO would actually represent the stakeholders for the project and would have to show up to the IT Steer committee and represent their project. And so with them at that committee meeting is an overall review of the complete project, including the risk. And so my team as the CISO, would identify the risk, we would then provide a recommendation to the committee and they would take that under consideration as to whether to move forward with the project, with the identified risk level, with or without mitigations or additional mitigations or rather to abandon the project. 

James Ballou: [00:30:41] But even then at Erlanger, a lot of these before they were approved, especially those over a certain dollar amount, would then have to go on to the executive steering committee. And I think the executive steering committee then can really take a look at it from an overall process to make sure that it meets with the strategic initiatives of the hospital that we're not taking on and consuming too much risk without appropriate mitigations. And that's where that VP or Senior VP's decision in it, steer or whatnot, comes under fire or they've got to defend it in front of the executive steering committee is say, here's why it's worth the risk. You know, the benefit outweighs the risk, but we feel like the risk is low and we've mitigated it with appropriate safeguards controls. And here's how we did that. And so if you have that governance and process in place where it goes through several, several stages of review, I think that is what makes it more successful. But you'd have to start somewhere with that initial discovery and discovery within the PMO. Sometimes. Even then they've got to work with the CIO, the CSO, the CTO, and all those folks to get the appropriate reviewers before it even gets into the pipeline for final review to make sure that we've got everything captured that we need to capture. 

Brian Selfridge: [00:32:03] You mentioned medical devices as sort of requiring getting those teams involved. I won't go deep dive into that, but is each vendor the same? Is every vendor created equal or when we look at these on. Prem vendors versus software as a service versus platform is service hybrid cloud, different instantiation of vendor types like medical devices is there. Our vendors are all treated the same from an assessment perspective and a reporting perspective. Or do you see any sort of variance in the way in which we audit a med device vendor versus, an on-prem EHR or something? 

James Ballou: [00:32:39] In terms of the governance process, we don't treat them differently. At the onset, in the discovery process, we asked all of the same questions. We asked a lot of guiding questions about, you know, what type of solution is this? Is it on prem solution? Is it a medical device? Is it a and so it's a lot of those questions that we're asking in the initial intake and discovery process that then guide us to then ask other questions and go a little bit deeper as we go through the collection and the assessment of risk? And so I think it's important to make sure on your discovery to have all the appropriate questions, to be able to flesh out and vet that out. Because one of the things that we've discovered through our lessons learned is sometimes you start out with what you think is just a single SaaS provider. Then you find out they have some really complex arrangements with other parties and other cloud-based technologies and vendors themselves, and those things need to be fleshed out. And so if you don't ask the right questions, those complex arrangements may not be uncovered. And that's where a large part of the risk may lay. And I think I have talked to other compliance departments and other CIOs, CTOs, where they've had a breach with a third party. And that's usually where it happens, where they've got some unregulated, unknown arrangement with another third party, you know, that's tied to a SAS provider or something that has, you know, caused a breach. But it really creates that nightmare scenario that we kind of talked about that has these horror stories that everybody likes to tell but nobody wants to live through because it's such a painful thing to experience. And it's rather discouraging as well because you just you didn't know it until you got the notice and the letter or the phone call from that third party that they've been breached. 

Brian Selfridge: [00:34:35] So I want to pick your brain a little bit on sort of the vendor side of this and particularly around security certifications and the degree in which they may help drive some value in that whole third-party vendor risk audit process. So just I guess just a generic set of questions around that. Do you think healthcare organizations should require certifications from vendors? And which are some of the better ones? Is it SOC 2's or HITRUST or ISOs or you know, what do you recommend there? 

James Ballou: [00:35:04] I think the SOC 2 tight to AICPA SOC 2 type two is a good certification for vendors to have as well as HITRUST. I think HITRUST is a lot deeper and wider than SOC 2 Type II. But one of the things I like to remind our audience about is just because someone is SOC 2 Type II and HITRUST certified doesn't mean that there's unmitigated risk. Every one of these organizations that come through the certification process can get certified as long as they don't have too many corrective action plans that are necessary. They meet enough of the controls to get through the gate, but they have to have a corrective action plan and they've got to have a timeline on that corrective action plan. So it's not to say that all the risks have been mitigated just because they're SOC 2 Type II or HITRUST certified. But it does significantly benefit the organization to have somebody that SOC 2 Type II or HITRUST for one, mainly from the standpoint that these organizations that have this HITRUST certification for one just have their ducks in a row more so than organizations that when you say SOC 2 Type II, they don't even know what it means. They haven't gone through any kind of third-party review or third-party certification process. And often what we will find is like with the sass provider is we'll ask them if they're SOC 2 certified or HITRUST certified and they'll say, yes we are and we'll say we'll produce your HITRUST letter or your SOC 2 Type II certification letter. And they provide us Google or Azure, you know, or a s SOC 2 Type II or HITRUST. 

James Ballou: [00:36:52] And I said, no, that's not your SaaS environment. Your SaaS environment is not inclusive of that review. It's not in scope for the review that was done for AWS or Azure or Google. And so as a SaaS provider, you need to have your own separate SOC 2 Type II or HITRUST. And so what I have found though is a lot of times you'll find that because they're trying to get to market quickly, they're in the window, they're in the process of being reviewed, but they're not quite done yet. And so the question is, what do you do with that? And really what is required of the organization is to determine whether or not they need to defer the arrangement until they complete that assessment or do it more deep dive, more intensive assessment. And I think that's probably a great opportunity where these organizations like CORL come in, where you can outsource that deep dive with a third party, and it not be as intensive on the resources within your organization to try to do a thorough vetting of that solution. And so they do go through a pretty in-depth review of all the safeguards and controls and everything that should be there to at least try to flesh out and identify risk that may need to be mitigated or at least communicated and used in the process of making a decision as to whether to continue with that vendor or find another vendor, that that better meets the safeguard controls that are needed for regulatory compliance. 

Brian Selfridge: [00:38:29] I think you bring up some great points. I know our organization is an assessor organization. It does HITRUST and SOC 2's. And I, I can tell you the vendors that tell you that they're in the process and they're on the journey and on the path, that's great to hear. But on the aggregate, they tend to really not have a lot of the controls in place until the last sprint. The certification, when they really get their policies and procedures nailed down, implement the stuff they have to. And so that's not everybody. So I'm going to get angry letters after this, but I think it's definitely worth noting that if they haven't quite gotten the certification yet, there's definitely sprinting hard to get there and that's a good sign. But it also means there's some near-term exposure potentially. 


James Ballou: [00:39:09] And I think that's a great follow up question. You know, even when you do have someone sort to tight to or certified, you know, what's on your corrective action plan, what risk have you identified that haven't been mitigated? And what controls are missing or that you weren't able to meet the control requirements for to to get that certification? So those are all important questions. And sometimes you'll find third parties that are willing to share that information. Sometimes you won't. But those are all things that are really, really important. And I would go one step further is they need to understand, too, is as a third party, especially if if they fall into that category, you know, of a business associate, that they have to perform their own HIPA security risk analysis annually as well and update a risk analysis. And so you need to be looking for evidence that they have met that requirement as well by asking if they could at least give you a letter of certification that they have. Leader of security risk analysis themselves. 

Brian Selfridge: [00:40:06] So I know we're going to run short on time here, which is always the worst part of the sessions because I have a million more questions for you, but I'm going to throw you that. I saved the trickiest one for you for the end. So that's that. Hopefully, we'll not throw you too much for a loop, but I want to talk about questionnaires a little bit just in the amount of effort and volume of time it takes people to get through, issuing a questionnaire, reviewing those responses, validating those responses, going through corrective action, remediation, all this stuff you have to do with the vendors. Do you think questionnaires are going to be the way that we do this forever? Are they sustainable in terms of the volume of vendors we have to deal with? Or is there do we need to look to security certifications or some other vehicle to help us out? I just would look to you to opine on that. I know it's not you know, we're doing questionnaires for the near future, whether we like it or not. But what do you think? 

James Ballou: [00:40:57] I will tell you that just from the volume of questionnaires that not just that I have to complete just for our arrangements, but then the ones that we have to complete with the some of the partners that we work with that it is not sustainable. I do think there needs to be, you know, some type of a gold standard or at least some way of getting that force multiplier where you answer the questions once, you know, over a certain tempo, and then that information is just shared. And when you want to connect with another vendor or provider or something to where they can, you know, kind of see what your profile looks like as a company. And so I like where CORL is gone with some of these questionnaires and standardizing them. And the best part is, you know, you can kind of get that force multiplier if you've answered the question, you know, within a reasonable period of time that they can just reshare that same information. You know, then I think that becomes more sustainable and more of a value for the organization to go through the exercise similar to the stock to type to in HITRUST. 

James Ballou: [00:42:06] You know, those, those give us confidence in those vendors that they at least have an appropriate program in place that meets their regulatory, you know, minimums. But, you know, I think long term, we do need a better way of. Better way forward than questioners themselves. It's just that there's a lot of questionnaires flying around. There's different scales and different complexities of the questionnaires. And I'll be honest with you, some of them probably, you know, don't ask the right questions depending on the scenario in the situation. And some of them, you know, were completely irrelevant as a questionnaire for the type of arrangement that is being engaged with, you know, as a third party. So it's a little bit clergy right now, and we're still kind of fleshing that out. And we're starting to see more and more questionnaires coming about. And I think as these questionnaires morph and whatnot is going to become less sustainable going forward. 

Brian Selfridge: [00:43:10] Well, I really appreciate the perspective. I know that lines up well with the way we look at it here at CORL as well. We're in terms of sustainability and we've got a lot of really cool tech and stuff coming down the line, new models. So we'll release those in due course. But really appreciate you sharing those insights on everything here. We covered a lot of ground. We e figured out the regulations. We figured out the process. And James, thank you so much for taking the time to do this with us. It's really been such a great conversation. I'm sure many, many folks will benefit from it. 

James Ballou: [00:43:39] Thank you, Brian. I really appreciate the opportunity and look forward to doing it again sometime. 

Brian Selfridge: [00:44:00] Again, I would like to thank my guest, James Ballou, who is the Chief Information Security Officer for North American Partners of Anesthesia. I really appreciated James' recommendations for ways to make third-party risk management a little less scary for healthcare security teams and get some great insights into regulations, standards, certifications, and overall best practices for navigating the murky waters of third-party vendor risk. Very insightful discussion all around for sure. As always, we'd like to have your feedback and hear from you, our listeners. Feel free to drop us a note about any topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of The CyberPHIx. We look forward to having you join us for another session coming up soon.