Download PDF version Contact company

Managing IT and data risk is a challenging job. When we outsource our IT, applications and data processing to third-parties more and more every day, managing that risk becomes almost impossible. No longer are our data and systems contained within an infrastructure that we have full control over. We now give vendors our data, and allow them to conduct operations on our behalf. 

The problem is, we don’t control their infrastructure, and we can never fully look under the hood to understand and vet their ability to protect our data and operations. We have to fully understand how important this issue is, and ensure we have the right governance, processes and teams to identify and mitigate any risks found in our vendors. No longer are our data and systems contained within an infrastructure that we have full control over

Today, everything is connected. Our own networks have Internet of Things (IoT) devices.  We have VPN connections coming in, and we aren’t always sure who is on the other end of that connection. It is a full-time job just to get a handle on our own risk. How much harder, and how much larger should our teams and budgets be, to truly know and trust that our vendors can secure those devices and external connections? 

For every device and application we have internally, it is very difficult to even keep an accurate inventory. Do all of our vendors have some special sauce that allows them to overcome the traditional challenges of securing internal and vendor-connected networks? They are doing the same thing we are – doing our best with the limited human and financial resources allocated by our organisation.

Risk stratification and control objectives 

The benefits of outsourcing operations or using a vendor web application are clear. So how can we properly vet those vendors from an IT risk perspective? 

The very first thing we need to put in place is Risk Stratification. Risk Stratification presents a few targeted questions in the purchasing process. These questions include – what type of data will be shared? How much of this data? Will the data be hosted by a vendor? Will this hosting be in the US or offshored? Has the vendor ever had a data breach? These questions allow you to quickly discern if a risk assessment is needed and if so, what depth and breadth.  Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business

Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business. With risk stratification, you can justify the extra time needed to properly assess a vendor’s security. 

And in the assessment of a vendor’s security, we have to consider what control objectives we will use. Control objectives are access controls, policies, encryption, etc. In healthcare, we often use the HITRUST set of control objectives. In assessing against those control objectives, we usually use a spreadsheet. 

Today, there are many vendors who will sell us more automated ways to get that risk assessment completed, without passing spreadsheets back and forth. These solutions are great if you can get the additional budget approved. 

Multi-factor authentication 

Even if we are using old-fashioned spreadsheets, we can ensure that the questions asked of the vendor include a data flow and network/security architecture document.  We want to see the SOC2 report if they are hosting their solution in Amazon, etc. If they are hosting it within their own datacentre, we absolutely want to see a SOC2 Type II report. If they haven’t done that due diligence, should that be a risk for you? 

Today, we really need to be requiring our vendors to have multi-factor authentication on both their Internet-facing access, as well as their privileged internal access to our sensitive data. I rate those vendors who do not have this control in place as a high risk. We’ve recently seen breaches that were able to happen because the company did not require administrators or DBAs to use a 2-factor authentication into sensitive customer data sources. 

data risk hospital security HITRUST
In the assessment of a vendor’s security, one has to consider what control objectives to use

This situation brings up the issue of risk acceptance. Who in your organisation can accept a high risk? Are you simply doing qualitative risk assessment – high, medium and low risks? Or are you doing true quantitative risk analysis? The latter involves actually quantifying those risks in terms of likelihood and impact of a risk manifesting, and the dollar amount that could impact your organisation.  

So is it a million dollars of risk? Who can accept that level of risk? Just the CEO? These are questions we need to entertain in our risk management programs, and socialised within your organisation. 

This issue is so important – once we institute risk acceptance, our organisation suddenly starts caring about the vendors and applications we’re looking to engage.  If they are asked to accept a risk without some sort of mitigation, they suddenly care and think about that when they are vetting future outsourced solutions. Quantitative risk analysis involves quantifying risks in terms of likelihood and impact of a risk manifesting

Risk management process 

In this discussion, it is important to understand how we think of, and present, the gaps we identify in our risk management processes. A gap is not a risk. If I leave my front door unlocked, is that a control gap or a risk? It is a gap – an unlocked door. What is the risk? 

The risk is the loss of property due to a burglary or the loss of life due to a violent criminal who got in because the door was unlocked. When we present risks, we can’t say the vendor doesn’t encrypt data. The risk of the lack of encryption is fines, loss of reputation, etc. due to the breach of data. A gap is not a risk. 

Once we’ve conducted our risk analysis, we must then ensure that our contracts protect our organisation? If we’re in healthcare, we must determine if the vendor is, in fact, a true HIPAA Business Associate, and if so we get a Business Associate Agreement (BAA) in place. I also require my organisation to attach an IT Security Amendment to these contracts. The IT Security Amendment spells out those control objectives, and requires each vendor to sign off on those critical controls. We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3rd-party’s security controls

One final note on risk assessments – we need to tier our vendors. We tier them in different ways – in healthcare a Tier 1 vendor is a vendor who will have our patient information on the Internet. Tiering allows us to subject our vendors to re-assessment. A tier 1 vendor should be re-assessed annually, and may require an actual onsite assessment vs. a desk audit. A tier 2 vendor is re-assessed every 2 years, etc.

We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3rd-party’s security controls. We must be able to fully assess our vendors while not getting in the way of the business, which needs to ensure proper operations, financial productivity and customer satisfaction. If we truly understand our challenge of vendor risk management, we can tailor our operations to assess at the level needed, identify and report on risks, and follow-up on any risks that needed mitigated.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Randall Frietzsche Distinguished Fellow, Information Systems Security Association (ISSA)

Randall Frietzsche is the Enterprise CISO for Denver Health.  Randall has been a leader in IT Security for ten years, with 15 years in IT Security and over 20 years in Information Technology.  He is a Distinguished Fellow with the Information Systems Security Association (ISSA.)  Randall holds a Master’s Degree in Information Security, the CISSP and 25 other Security, IT and other technical certifications.  He teaches cybersecurity both for Harvard University and Ivy Tech State College.  He is a former law enforcement officer, and a recent graduate of the FBI Citizen’s Academy.  Randall is a frequent speaker, writer, teacher and mentor.

In case you missed it

Hikvision provides their HikCentral video management software to enhance real-time monitoring at Care Protect’s office in Belfast
Hikvision provides their HikCentral video management software to enhance real-time monitoring at Care Protect’s office in Belfast

When Care Protect wanted to upscale its operations in healthcare safety and monitoring services to a large private provider, it turned to Hikvision’s HikCentral video management software, in combination with offsite cloud video storage from Manything Pro. Care Protect is an innovative organisation. It was created to promote excellent, sustainable and consistent care delivery in health and social care settings. That innovation is reflected in the way the company integrates technology into the very heart of its care provision services. It uses the latest camera and audio technology, alongside the latest secure cloud-based video storage services, with a team of health and social care professionals reviewing and assessing around the clock. Social care environments Because of this diligence in monitoring, high levels of independent scrutiny can be guaranteed. The result is that through this transparency, reassurance is available for residents and their families, knowing that vulnerable adults and children are better safeguarded and protected. In all cases, system use is with the prior consent of residents and relatives or next of kin only. Care Protect was established to help address public concerns over incidents of poor care or malpractice Care Protect’s independent monitors are very well qualified, with years of relevant health and social care experience, together with all necessary Disclosure and Barring Service (DBS) checks and Security Industry Authority (SIA) licencing. Collectively they offer a high level of sector knowledge and expertise essential to assist and advise those with responsibility for safeguarding and quality and clinical governance. One of the key reasons that Care Protect was established to help address public concerns over incidents of poor care or malpractice in health and social care environments, some of which have seen wide media coverage. Private healthcare provider As a result, sound and motion detection alarms and infrared filming is utilised so immediate alerts can be raised if an incident is seen or heard or there is a connectivity or maintenance issue. Video recordings also include the use of privacy settings to block any agreed zones or areas of view as required. With video footage playing such a crucial role in Care Protect’s service, it is of pivotal importance that the system in place to manage the viewing of that video is stable, reliable and effective. One of Care Protect’s clients is a large private healthcare provider, for which Care Protect monitors bedrooms and communal areas of child and adult wards in hospitals nationwide throughout England. Care Protect also monitors elderly care homes for several different providers. Offsite video storage Care Protect also monitors elderly care homes for several different providers Care Protect’s IT & Systems Director, Andy Johnson, said Care Protect Directors have a background in the care industry, which has informed the monitoring system the company utilises. “We’ve developed a system based on the reviewing of recorded footage by social workers and nurses to advise, initially, on the quality of practice,” Johnson explains. “The contract with the large private healthcare company saw our operation change to caring for patients who pose a high risk to themselves for self-harm. Because of the importance of this monitoring in ensuring the patients’ wellbeing, it was critical that we were able to efficiently manage that video, both in terms of live monitoring and offsite video storage.” Cloud video storage The new focus required an upscaling of Care Protect’s operational office in Belfast (the company’s head office is in Yarm, Cleveland). A key element of this upscaling was the use of Hikvision’s HikCentral video management software, which needed to be able to deliver high quality images to a Samsung multi-screen video wall for real-time monitoring. Resident and patient rights to privacy remain at the core of Care Protect’s operations Video management via HikCentral at Belfast is critical, as is the offsite cloud video storage provided by Manything Pro, as Care Protect is careful to ensure there is no local recording of video onsite at the customer’s facilities so that it cannot be tampered with. Resident and patient rights to privacy remain at the core of Care Protect’s operations, and they ensure they comply with and exceed all relevant legislation and guidelines, including the Data Privacy Act and Surveillance Camera Code of Practice. Intelligent surveillance platform HikCentral is a comprehensive, intelligent surveillance platform. The newly improved HikCentral delivers data and intelligence via a pre-installed VMS on standard, off-the-shelf servers, and contains advanced functions including advanced live view and playback, thermal imaging, queue detection, low bandwidth adaptability, video linkage with access control, enhanced alarm management and smart wall operation – as in use at Care Protect. HikCentral manages the cameras, the smart wall monitors, and the video decoders that drive the images to the multiple screens in the Belfast hub. These screens cover 21 separate hospital sites for Care Protect’s private health provider customer. “One of the key features of HikCentral for us was the new smart wall functionality,” Johnson says, “Allowing us to manage multiple screens from the one place, rather than having software to run an application to then put it on the screens.” Network mini domes We use Smart Maps within HikCentral for interactive floor plans for the hospitals we monitor" Care Protect also makes good use of HikCentral’s Smart Maps function. “We use Smart Maps within HikCentral for interactive floor plans for the hospitals we monitor,” Johnson explains. “We have a selection of the communal cameras live on the maps, and our reviewers can click into the relevant area and get an overview without having to further interrogate those floor plans.” The appeal of this VMS, he says, was down to both the newly mature and advanced functions of the latest version of HikCentral, as well as its very competitive pricing compared to its rivals. Care Protect uses 500 HikCentral licences and a variety of Hikvision cameras are deployed across the customer’s facilities, predominantly unobtrusive 4MP and 6MP high resolution network mini domes. Hikvision Smart functionality on those cameras also proves extremely useful, Johnson says. Smart camera functions “The use of Hikvision Smart events on the cameras helps our reviewers to know how many people are in a room or a designated zone at a particular time,” he says. “These sorts of Smart features can greatly assist our reviewers, allowing us to be more efficient and effective in responding to the needs of patients.” Those in-built Smart camera functions are complemented by the use of audio analytics Those in-built Smart camera functions are complemented by the use of audio analytics. In some cases this audio software is used to trigger cameras so that potential incidents can be automatically viewed and assessed by a Care Protect reviewer. The results of utilising this technology, according to Johnson, have been highly successful. “We have been able to upscale our operation to 27 screens, to accommodate 21 hospital sites for our biggest customer, to great satisfaction from their end as it is safeguarding the vulnerable patients that they care for,” he says. Poor network conditions In addition to monitoring the live streams for certain hospitals, Care Protect’s independent monitors are tasked with reviewing all recorded video to ensure that the quality of care provided meets the required standards. For this they utilise the services of Hikvision cloud video technology partner, Manything Pro. Care Protect have almost 3,000 cameras recording video to the Manything Pro platform. All video is stored offsite in the secure Manything Pro cloud and can be accessed via the Manything Pro app and website. Manything Pro software runs on Hikvision cameras and is constantly monitoring the bandwidth conditions on each site. If necessary, the software will dynamically adjust the video bit rate to ensure recorded events are sent to the cloud even in poor network conditions. “We use Manything Pro for our cloud storage, so any recorded footage goes up to them, and we review through their website,” he says. “Some providers that we work with aren’t part of the live streaming through HikCentral in our Belfast monitoring centre. For these sites we also use the Manything Pro app and website to view the camera live streams.”

How smart technology is simplifying safety and security in retirement villages
How smart technology is simplifying safety and security in retirement villages

James Twigg is the Managing Director of Total Integrated Solutions (TIS), an independent life safety, security and communication systems integrator, specialising in design & consultancy, technology and regulatory compliance. Total Integrated Solutions work primarily with retirement villages, helping to ensure the safety of residents in numerous retirement villages across the country. In this opinion piece, James shares how smart technology is helping security teams and care staff alike in ensuring the safety and security of their spaces, amid the COVID-19 pandemic and beyond. Impact of smart technology Smart technology is having an impact on pretty much every aspect of our lives Smart technology is having an impact on pretty much every aspect of our lives. From how we travel, to how we work, to how we run our homes. It’s not unusual to have Alexa waking us up and ordering our groceries or Nest to be regulating the temperature and energy in our homes. And while there’s a popular misconception that people in their later years are allergic to technology, retirement villages and care homes are experiencing significant innovation too. And the result is not only improved quality of life for residents, but also improved safety and security systems for management teams. Switching to converged IP systems I’ve been working in the life safety and security industry for over fifteen years. When I first joined TIS, much of the sector was still very analogue, in terms of the technology being installed and maintained. Slowly but surely, we’ve been consulting and advising customers on how to design, install and maintain converged IP systems that all talk to each other and work in tandem. I'm excited to say retirement villages are some of the top spaces leading the way, in terms of technological advancement. Improving the quality of life for residents A move into a retirement village can be daunting and one of the key concerns that we hear about is the loss of independence. No one wants to feel like they are being monitored or to have someone constantly hovering over them. One of the ways we’ve used smart technology to maintain residents' independence is through devices, such as health monitors and motion sensors. For example, instead of having a member of staff check-in on residents every morning, to ensure they are well, sensors and analytics can automatically detect changes in routine and alert staff to possible problems. Similarly, wearable tech, such as smart watches give residents a chance to let staff know they are okay, without having to tell them face-to-face. As our retirement village customers have told us, a simple ‘I’m okay’ command can be the difference between someone feeling independent versus someone feeling monitored. Simplifying and improving security systems Smart technology gives care staff and security oversight of the needs of residents For the teams responsible for the safety of the people, places and spaces within retirement villages, smart technology is helping to improve and simplify their jobs. Smart technology gives care staff and security oversight of the needs of residents, and ensures rapid response if notified by an emergency alert, ensuring they know the exact location of the resident in need. And without the need to go and physically check-in on every resident, staff and management can ensure staff time is being used effectively. Resources can be distributed where they are needed to ensure the safety and wellbeing of those residents who need extra consideration. 24/7 surveillance When planning the safety and security for retirement villages, and other residential spaces, it’s no use having traditional systems that only work effectively for 12 hours a day or need to update during the evening. Surveillance needs to be 24/7 and smart technology allows that without the physical intrusion into people’s spaces and daily lives. Smart technology ensures that systems speak to each other and are easily and effectively managed on one integrated system. This includes video surveillance, which has also become much more effective as a result of advanced video analytics, which automatically warn staff of suspicious behaviour. Securing spaces amid COVID-19 This year has, of course, brought new challenges for safety. COVID-19 hit the retirement and residential care sectors hard, first with the initial wave of infections in mid-2020 and then, with the subsequent loneliness caused by the necessary separation of families. As essential workers, we worked closely with our customers to make sure they had everything they needed As essential workers, we worked closely with our customers to make sure they had everything they needed during this time, equipping residents with tablet devices to ensure they could stay connected with their families and friends. It allowed residents to keep in touch without risking transferring the virus. Thermal cameras and mask detection And now that we’re emerging out of COVID-19 restrictions and most residents can see their families again, we’re installing systems like thermal cameras and mask detection, so as to ensure that security will be alerted to anyone in the space experiencing a high temperature or not wearing proper PPE. Such steps give staff and families alike, the peace-of-mind that operational teams will be alerted at the earliest possible moment, should a COVID-19 risk appear. Thinking ahead to the next fifteen years, I’m excited at the prospect of further technological advancements in this space. Because at the end of the day, it’s not about how complex your security system is or how you compete in the industry. It’s about helping teams to protect the people, spaces and places that matter. I see smart technology playing a huge role in that for years to come.

Climax releases the GX-Cubic2 Series Smart Care Medical Alarm for the healthcare industry
Climax releases the GX-Cubic2 Series Smart Care Medical Alarm for the healthcare industry

Rapid aging population, high healthcare costs, and physician shortages are creating an increasing demand for care at home, especially for seniors with long-term health conditions. The GX-Cubic2 Series Smart Care Medical Alarm from Climax Technology Co., Ltd. (Climax), features an LCD display that shows clock time, temperature, GSM signal strength and sensor faults, to keep users fully informed at all times. GX Smart Care Medical Alarm GX Smart Care Medical Alarm is an all-in-one wellness and personal safety medical alarm solution GX Smart Care Medical Alarm is an all-in-one wellness and personal safety medical alarm solution, bridging medical health monitoring and emergency alarm, to keep seniors safe in their own homes. GX is compatible with Bluetooth medical devices, like blood glucose/blood pressure monitors, pulse oximeters, etc., to track medical data and remote monitoring directly from caregivers/physicians, and also has telecare alarm features, including voice recognition, emergency monitoring, inactivity monitoring, voice control, and home automation capabilities, in order to assist seniors to have a more secure and healthy living. Some of the major features of the GX-Cubic2 Series include: Bluetooth Medical Device Pairing GX is compatible with Bluetooth Medical devices, like blood pressure/blood glucose monitors, pulse oximeters, thermometers, etc., to track health and medical data, and allow care-givers/physicians to remote monitor and provide treatment as needed. Smart Home Automation ZigBee, Z-Wave, and/or Bluetooth automation devices incorporated into GX creates a smarter and safer home, by auto-turning on hallway lights at night, to decrease the chance of a fall, or auto turn on the heater, if there is a sudden temperature drop. Voice Recognition GX has built-in voice recognition and can activate an emergency all to CMS by preset vocal commands or keywords. Allowing seniors to receive emergency attention even in situations where they are unable to seek help manually. Location Tracking GX can be paired with BRPD-1 Bluetooth pendant, a small wearable panic button that partners with a smartphone application for GPS location reporting and trigger help alarm with one button press, whether the user is at home or out for a walk. Voice Control GX is compatible with Google Home and Amazon Alexa voice control to control home electronic devices, allowing seniors to use their voice to make their environment more suitable without lifting a finger. Visual Monitoring and Verification GX can integrate Camera PIR Motion Sensors to deliver real-time visual monitoring and verification. When an emergency occurs, alerts are immediately sent to family members and Monitoring Centre to verify the event and sending immediate assistance as required. Pivotell Advance Automatic Pill Dispenser GX is compatible with Pivotell Advance Automatic Pill Dispenser, keeping secure of all pills, remind users to take their medication, keep track of their medicine intake, and allow caregiver/physician to monitor pill taking results/record and keep an eye on user’s needs. Safety & Inactivity Monitoring GX can support wireless sensor devices, allowing users to add in smoke detectors, water leakage sensors, and gas sensors to monitor emergencies, and motion sensors, door contacts, sensor pad transmitters for inactivity monitoring, to build a healthier, safer independent living. Voice over Internet Protocol (VoIP) & DECT GX’s built-in VOIP function allows users to initiate two-way voice calls to contact CMS and family members during alarms and emergency. With the optional add-on of DECT, GX can pair with voice extenders, talking pendants, call points, etc. placed around the home, to create a safety net and peace of mind. Colour Lighting Function GX also has an LED nightlight featuring both multi-colour adjustment and light level button control for a pleasant ambiance.