October 28, 2024: Vish Gadgil, Co-Chair for HSCC CWG Supply Chain Cybersecurity Task Group, discusses the Supply Chain Risk Management document and how it can help bolster third-party risk defenses. How can small and mid-sized healthcare organizations protect their supply chains when resources are limited? What practical tools are available to help streamline their cybersecurity posture? As cyber incidents loom large, this episode delves into the ongoing risks and strategies that can make or break the security of the healthcare ecosystem.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Bolstering Third-Party Risk Defences with Vish Gadgil
Learn more at fortifiedhealthsecurity.com
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain-English, mostly non-technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.
Drex DeFord: Hey everyone. Welcome to Unhack the Podcast. I'm your host, Drex DeFord, and today we're going to dig into some of the free and incredibly useful stuff that's produced by the Health Sector Coordinating Council Cybersecurity Working Group, or as we affectionately call it, the CWG.
Thanks for tuning in. I'm your host, Drex. I'll see you next time. The CWG is composed of 450 industry and government organizations that work together to develop strategies to address cybersecurity challenges in the healthcare sector. And one of the many things that the CWG does as part of that effort, through the creation of task groups, is that they develop these free resources that are focused on cybersecurity best practices.
It's called the Health Industry Cybersecurity Supply Chain Risk Management Guide. And joining me for the discussion today is Vish. Hey Vish, I'm really glad you're on the show.
Vish Gadgil: Hey Drex, thanks for inviting me and helping us promote the excellent publications that we have from HSCC that are free for everybody.
Drex DeFord: Yeah, they're free for everyone, which is amazing. So let me start, introduce yourself, tell me a little bit about your background.
I know you have a disclaimer that you have to punch in there too.
Vish Gadgil: Yes.
Drex DeFord: So...
Vish Gadgil: My name is Vish Gadgil. I work for Merck Company. However, I am not, and I have to repeat this, I am not representing my employer today. So I'm only representing HSCC's Supply Chain Risk Management subgroup, because I'm a co-chair on that.
... started back in ... the group for a few years.
Drex DeFord: It's been the perfect storm to show why we should be paying attention to this, right?
Vish Gadgil: Yes, absolutely. And it's not just this year. Every year there has been an increase in third-party cybersecurity incidents.
Drex DeFord: So how did you get involved with the Health Sector Coordinating Council and the CWG? How'd that come about?
Vish Gadgil: So my mentor and my boss, Terry Rice, used to be the, they call it co-chair, I believe, of the CWG from the private sector perspective.
... represent the private sector ...
Drex DeFord: Once you got in, they couldn't...
Vish Gadgil: You couldn't get out.
It's just an amazing piece of work that we are doing. It's free for everybody. The ultimate goal is patient safety, right? Cybersecurity, cyber safety, is patient safety. And at the end of the day, we want to make sure we are all providing that safety to our patients.
Drex DeFord: Yeah, I'll tell you the other thing too: I've read all of the documents before, but in the preparation for the five shows that I'm doing this year, or this month, on Unhack the Podcast, I've gone back through them again, and I'm just really blown away by how good the material is and how cool it is to be able to sit in the CWG with folks like you and hear experts talk about the challenges and the work that's going on to make this stuff better.
... Management Guide is out there. But tell us more about what's in there.
Vish Gadgil: Sure. So HIC-SCRiM, that's the short form of that publication. It's funny that, when we started with that naming, the full form of that document is Health Industry Cybersecurity Supply Chain Risk Management, and the short form became HIC-SCRiM, and it feels like, oh, we are all screaming about it, right?
But it was funny. But it also is a reflection of a loud cry for help from our small and medium-sized organizations in the health sector. It's basically a part of the broader effort by HSCC. But at the end of the day, we wanted to make sure that we have provided not just theoretical or academic guidance, but a clear toolkit that the small and medium-sized organizations can use.
Let me clarify one thing here: this is about doing third-party risk management, not software supply chain management.
Drex DeFord: I love that it's small and mid-sized healthcare organizations too. That focus and that energy clearly come through in the document.
Vish Gadgil: Yeah, there was a reason for that. So when we started thinking about how we can elevate the supply chain risk management practices across the entire health sector, we always take this entire-health-sector approach.
So we realized that it's quite likely that the large organizations in our sector probably have a good third-party risk management program, but we are all part of a bigger ecosystem, right? And no one organization is immune to attacks on the overall ecosystem. A recent example being Change Healthcare, right?
So that's why the focus, and with that background, we designed this HIC-SCRiM document for that kind of audience. But again, the guide can also be useful, as you mentioned, for the larger organizations as well. It's really focused right now on small and medium, but a large organization can probably learn a little bit out of it.
Drex DeFord: You talk a lot about risk in the document, and finding risk and understanding risk. You want to talk more about that?
Vish Gadgil: Sure. So as I mentioned, this document is really providing you practical tools, right? And it's not just theoretical guidance. And we made sure that we wanted to see what framework we could use.
So we decided ... that was released in ... third-party risk management is ... not just responding to something that you hear on a day-to-day basis. We wanted to make sure it is aligned to the CSF, and the CSF has five really good principles. I'm assuming our audience really knows what CSF is. So there are sections in the Identify area called ID.SC-1 through 5. So SC-1 is about establishing the risk management function. SC-2 is about doing the risk assessment. SC-3 is about how you manage contracts. SC-4 is about ensuring compliance on an ongoing basis. And SC-5 is about response and recovery activities, right? The document essentially has those sections.
... person, how it is important to ... And it also provides a toolkit. Now, granted, we don't have anything fancy. It's really an Excel spreadsheet, but it provides specific guidance. And again, the audience is small and medium organizations, right? So it provides you guidance on how to do that inventory, or categorizing of suppliers. It's very important that, if your company deals with hundreds of suppliers, you cannot do the risk management for each one of them. So you have to do the tiering of suppliers. Who are the top suppliers for which we need to manage risk? So that's the risk tiering. So we talk about that part.
Then it talks about risk treatment and mitigation activities, right? So it talks about aspects such as, hey, what kind of risk acceptance processes you have, or how you deal with insurance, should you have insurance, in terms of how you expect the suppliers to ensure that they are patching the stuff?
Can you do your audits with the suppliers? Stuff like that, right?
Drex DeFord: Yeah. Yeah.
... obligations. We actually have ... And again, the idea was that the overall health sector needs to up their game, so there's nothing fancy or very crazy in terms of security requirements in the contracts. It's really about looking at the overall ecosystem approach and upping the game. Then it talks about overall due diligence and monitoring.
How do you do that as the cybersecurity risks evolve? As, Drex, like, we have to evolve as well, right? So how do you do continuous monitoring, if that is possible for you? Making sure how your suppliers are patching the vulnerabilities, especially if you have direct connectivity with them.
... connected to your own incident ... So all of that is explained along with a bunch of templates. Like, how do you do risk assessments? What kind of contract language do you have? Stuff like that.
Drex DeFord: So the template stuff is amazing in here. For the small places, I love the way that you've structured this, because for the small places, for many of the medium-sized places, those CISOs...
Sometimes they don't even have a CISO. They have somebody who's been designated as the security person. They're probably doing four other things too. So to have something like this where they can actually just get the document. It's 46 pages, or it's 60 pages worth of stuff.
Go through and look at it and really just have, like, here. It's almost like you spoon-feed it in a lot of ways. And like you said, these aren't really complicated templates. They're really easy to understand. The way the document's written is really easy to understand. And it's really incredibly useful.
Vish Gadgil: No, thank you. Thank you for that. And that was our intent, right? We wanted to make sure that a small organization, just like you described, right? A CISO who is also probably their firewall administrator, is also their IT guy, who knows, right? That person shouldn't have to think too much.
They can take that template and maybe tweak it a little bit here and there, but in general, there should not be a problem. For example, the contract template that we produced, we intentionally left it at a fairly basic level so that this CISO, who's also doing three different things, doesn't have to sit there and go through a whole bunch of redlining and negotiations with the third parties, right?
... says, hey, we are providing ... And then the second one comes and says, I have the same function, but I provide you identity federation. I'm going with the second guy because they know security. That's what they're indicating, right? So cybersecurity is becoming a differentiator in terms of the service offering and the product offering.
So that's what we are trying to highlight that, upping the game in terms of cybersecurity is a good thing to do.
Drex DeFord: And ultimately this is a team sport between third parties, between the end users, the IT team. None of this sort of happens in isolation.
Vish Gadgil: Exactly.
Drex DeFord: I really appreciate you being on the show today. Thanks for telling us all about this, and all the stuff is available for free. One of the things we'll do is, when the show is published, we'll make sure we put a link to the Health Sector Coordinating Council, the CWG, and this document in particular in the comments. Thanks for being on the show today, Vish.
Vish Gadgil: Thank you so much for inviting me.