Critical steps to improve third-party risk management


Recent security incidents involving third-party software, including Okta and Log4j, underscore the importance of healthcare organizations taking decisive steps to improve their vendor risk management programs, says Chris Frenz, associate vice president of IT security at Mount Sinai South Nassau Hospital in New York.

“One of the things we do in our third-party risk management program is that we are starting to integrate more SBOM [software bill of materials]-centric questions in our third-party provider risk assessment process,” says Frenz in an interview with the Information Security Media Group.

“That way, if something like an Okta, SolarWinds or Kaseya appears, we’re hoping to get a little more insight into whether a particular vendor is using that [affected] product or not,” he says.

“That way we know which vendors to contact … and can better assess our risk if one of them could be compromised.”

Ask questions

Vendors’ willingness to provide a software BOM for their products, including medical devices, varies from company to company, Frenz says. “The recent Log4j incident has really highlighted the value of having SBOMs for the various devices and components in your environment. A lot of organizations are struggling with that,” he says.

Because vendors are inconsistent about offering SBOMs for their products, healthcare facilities need to be proactive in their own review of third-party software and medical equipment, he says.

“Increasingly, we need to consider developing the equivalent of a software bill of materials—and asking vendors what types of products are commonly used in their environments, so when the next Okta breach occurs, we can go through our listings and check [which] vendors to be concerned about because they use this product and may be impacted.”
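Put concretely, the listing Frenz describes can be kept as one SBOM per vendor product and queried when a vulnerable component is announced, so the output is the list of vendors to contact. The script below is an added example, not code from the article or from Mount Sinai; the vendor names, products, versions and the minimal CycloneDX-style JSON layout are constructed, and in practice the fixed-version threshold would be taken from the component's advisory.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: one minimal CycloneDX-style SBOM per vendor product.
# Vendor names, product names and versions are made up for illustration.
SBOMS = {
    "Vendor A - Patient Portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "org.springframework", "name": "spring-core", "version": "5.3.9"},
        ],
    }),
    "Vendor B - Imaging Gateway": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        ],
    }),
    "Vendor C - Infusion Pump Mgmt": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.6"},
        ],
    }),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected_vendors(sboms: Dict[str, str], group: str, name: str,
                     fixed_version: str) -> List[Tuple[str, str]]:
    """Return (vendor, version) pairs whose SBOM lists the component below fixed_version."""
    hits = []
    for vendor, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            if comp.get("group") == group and comp.get("name") == name:
                if parse_version(comp.get("version", "0")) < parse_version(fixed_version):
                    hits.append((vendor, comp["version"]))
    return hits

if __name__ == "__main__":
    # Threshold "2.17.1" is an assumed value for the demo, not taken from the article.
    for vendor, version in affected_vendors(SBOMS, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(f"contact {vendor}: ships log4j-core {version}")
```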

In the interview, Frenz also talks about:

  • The importance of vendors making software vulnerabilities more transparent;
  • Patch management challenges;
  • Preparing for possible cyber incidents related to the Russia-Ukraine war.

Before joining Mount Sinai South Nassau, a 455-bed acute care hospital in Oceanside, New York, Frenz was CISO at Interfaith Medical Center in Brooklyn. There he implemented a zero trust model for healthcare and worked on medical device security. He is also a co-author of the OWASP Secure Medical Device Deployment Standard and the OWASP Anti-Ransomware Guide.
