A handy list of risk questions every healthcare CISO should ask potential suppliers

COMMENTARY: Every healthcare company relies on external suppliers to activate services and process, transmit, or store their data — and every one of those relationships creates risk. When any supplier suffers a ransomware or security incident, all the healthcare organization’s constituents, including patients, customers and affiliated organizations, bear the consequences: financial exposure, downtime, embarrassment, and even regulatory action.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

For example, Ascension Health in May 2025 had to inform its patients that a breach of one of its suppliers compromised their medical data. The breached data included names, addresses, Social Security numbers, admission and discharge dates, diagnosis and billing codes, and medical record numbers. No organization wants to send that kind of letter.

CISOs and business leaders who manage supplier risk should ask three hard questions of every supplier before entrusting them with sensitive data:

  • How long will the provider keep our data?

    Attackers can’t breach data that doesn’t exist. If a supplier keeps data any longer than necessary to complete its contracted work, that data represents a 100% pure risk. Some suppliers retain data for their own purposes, such as analytics or even resale.

    For example, in January 2025, Change Healthcare disclosed that billing, claims, and payment information, such as claim numbers, account numbers, billing codes, and in some cases payment cards, had been breached earlier in the year, potentially affecting up to 190 million individuals across the U.S. Why should a supplier need to store such purely transactional data after a transaction finishes? Healthcare companies need to ask the following questions:

    1. How long does the provider need to keep my data to perform its services?
    2. How will the provider destroy my data as soon as it’s no longer needed?
    3. How will the provider let me audit and verify that it destroyed my data on time?
  • How fast can the provider recover from an incident?

    Cyber breaches are expensive, and downtime represents even more cost. A supplier that can’t resume operations quickly after a ransomware or security incident can cause cascading delays and disruptions for the healthcare organization’s constituents.

    For example, a 2024 survey of healthcare organizations found that only 22% were able to recover operations in less than a week after a ransomware attack, and 37% said it took more than a month. Could any company last a month without one of its critical suppliers? And just as important, how can the healthcare organization make sure that all its data will be there after the recovery? Ask suppliers these questions:

    1. How long will it take them to recover data and operations (recovery time objective, or RTO) from scratch after a compromise?
    2. When the supplier recovers, how much data from before the disaster event (recovery point objective, or RPO) will be missing?
    3. Has the provider tested all the people, processes, and technology in its recovery plan and proven that they can hit RTO and RPO goals? How often will the provider repeat these tests and show us the results? What about the provider’s external dependencies in this cloud-enabled ecosystem?
  • Is the provider fully audited and certified?

    Many healthcare data companies carry a third-party certification such as HITRUST or SOC 2 Type 2. Constituents must rely on these reports with care. Some suppliers try to pass off audits that cover only parts of their services. Others may withhold detailed audit results from customers.

    I’ve had suppliers send me audit reports that cover their infrastructure and shared services, but say nothing about the actual applications we use. Others have sent me one-page certification letters with no details about their controls or any audit findings. Needless to say, neither of those meets our supplier risk management standards.

    Insist on the full audit report, and then ask:

    1. Does the scope of this report include the entire application stack that we use, not just infrastructure or underlying platforms?
    2. What gaps or weaknesses did the audit find, and how did the provider fix them?
    3. How long has the provider held this certification — more than just one or two audit cycles?

    Companies that don’t have a formal supplier risk management policy and process should make one right away. Show senior leadership these examples of how risky suppliers can damage the business, and make the case that every new supplier must go through security review before a contract is signed.

    Then, follow through. Use these questions for due diligence on every supplier that will receive the organization’s sensitive data. Any supplier worth its salt should be able to answer clearly and convincingly. Companies that ask these questions up front will weed out risky suppliers and greatly reduce their operational, reputational, and regulatory risks.

    Robert A. Eikel, privacy officer and CISO, P-n-T Data Corp.

    SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
