Background to Cloud Security Alliance
Cloud Security Alliance is an organization that operates without a desire for profit and aims to equip other entities with the knowledge of how best to host a cloud system that is secure. The organization offers assistance and advice to a variety of entities, including government bodies, providers, and customers. The assistance provided comes in several forms such as cloud security research, security certification, educational information, and events and seminars.
Risk Management Advice
The Cloud Security Alliance has recently published risk management advice for business associates of healthcare entities that are considered HIPAA compliant. Titled ‘Third Party Vendor Risk Management in Healthcare’, the published advice portrays the security risks that third party healthcare vendors, or Healthcare Delivery Organizations (HDOs) face as they operate in the industry. Primarily, this information is becoming more relevant due to an increase in vendor’s that are being targeted by cyber actors. Vendors are used indirectly to access the sensitive information of HDOs working in association with them. This is a troublesome prospect within the healthcare industry as the development of digital data storage and healthcare devices is ongoing, and not near competition, making healthcare entities an applicable target to cyber actors. The guidelines were written through The Health Information Management Working Group, a working group that aims to navigate health information providers as they supply their associates with cloud solutions. The document offers risk management program tools that HDOs can refer to as they navigate through the healthcare industry. The guidance also includes information that aids the organizations in identifying any risks that they may have to combat as they work with third party vendors. With this, it is hoped that security faults will occur at a minimum frequency, and breaches of data will be few, with any breaches that do occur not being severe.
“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks. These risks are even more prevalent in the healthcare industry due to the lack of automation and the proliferation of digital applications and medical devices used, time-consuming and costly vendor risk assessment procedures, and the lack of fully deployed critical vendor management controls. This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group.
