Buckling Down on Vendor Security Risk in Healthcare

Renee Broadbent, CIO of SoNE Health, on Putting Demands on Third-Party Suppliers
With the surge in major cyber incidents involving third-party suppliers, it's absolutely critical for healthcare sector entities to raise their security expectations and tighten their requirements for vendors handling sensitive data, said Renee Broadbent, CIO of Southern New England Healthcare, more commonly known as SoNE Health.
"You have to be super selective about the vendors you do business with - and exact high-level security standards out of them," she said in an interview with Information Security Media Group conducted at the recent HIMSS cyber forum in Boston.
"If we're going to engage with a vendor that is going to provide any services that touch our organization, particularly protected health information, we have a whole litany of things they have to do," she said.
That includes being HITRUST-certified, signing nondisclosure agreements and business associate agreements, and being subject to random audits, she said.
"They actually have to supply and do all of those things before we sign on the dotted line. If they're not willing to do that, then I'm not willing to do business with them."
In the interview, Broadbent also discusses:
- Other tips for getting a better handle on third-party vendor security risks;
- Challenges involving secure health information exchange;
- Emerging opportunities and critical considerations for the use of generative AI in healthcare.
Broadbent is president of the New England chapter of HIMSS. She has an extensive background in IT strategic planning, team development, management and budget and financial planning. She was previously associate vice president of population health IT and strategy at UMass Memorial Medical Center.