Third-party vendors should be more transparent and faster in communicating when they experience a breach or other security incident that affect clients’ data, said Anahi Santiago, CISO at ChristianaCare.
“Sometimes we find out about these incidents through our third-party monitoring systems or the Health Information Sharing and Analysis Center and not necessarily from the vendor,” she said in an interview with Information Security Media Group during the 2023 Healthcare Information Management and Systems Society Global Health Conference and Exhibition in Chicago.
The most concerning vendor incidents include ransomware and data exfiltration attacks – the same kinds of threats that are directly menacing covered entities, she said.
“These incidents are rampant not just across our industry, but across all industries,” adding to the challenges healthcare entities face, she said.
In the interview (see audio link below photo), Santiago also discusses:
- Tips for continuously monitoring vendors more effectively;
- How security risk considerations differ depending upon the type of vendor;
- How to address third-party software vulnerabilities.
Santiago has overall responsibility for the organization’s cybersecurity and assurance program. She is also a contributor and member of several local, state and federal cybersecurity organizations, including the Healthcare Sector Coordinating Council’s Cybersecurity Working Group, the Delaware Healthcare Cybersecurity Alliance and the Philadelphia’s Women and Cybersecurity group. Prior to ChristianaCare, Santiago spent over 10 years as the information security and privacy officer at Einstein Healthcare Network.