Critical Steps for Enhancing 3rd-Party Risk Management
Chris Frenz of Mount Sinai South Nassau on Scrutinizing Vendors, Components
Recent security incidents involving third-party software, including Okta and Log4j, underscore the importance of healthcare entities taking critical steps to enhance their vendor risk management programs, says Chris Frenz, assistant vice president of IT security at New York-based hospital Mount Sinai South Nassau.
"One of the things we're doing in our third-party risk management programs is that we're starting to incorporate more SBOM [software bill of materials]-type questions in our third-party risk assessment process," Frenz says in an interview with Information Security Media Group.
"That will allow us to know which vendors to reach out to … and to better gauge our risk if one of them might be compromised."
The willingness of vendors to provide a software bill of materials for their products, including medical devices, varies from company to company, Frenz says. "The recent Log4j instance really highlighted the utility of having SBOMs for various devices and components in your environment. A lot of organizations struggle with that," he says.
Because of the inconsistency among vendors offering SBOMs for their products, healthcare entities must be proactive in their own scrutiny of third-party software and medical devices, he says.
"Increasingly, we need to consider developing the equivalent of a software bill of materials - and ask vendors what kinds of products are commonly used in their environments, so that when the next Okta breach occurs, we can go through our listings and see [which] vendors to worry about because they use this product and might be impacted."
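The lookup Frenz describes, keeping per-vendor component listings and querying them when a component such as Log4j is in the news, as an added example that is not part of the interview or of any Mount Sinai program. It assumes a simplified CycloneDX-style JSON layout (metadata.component plus a components list, optionally nested) and uses made-up vendors, products and versions.

```python
import json

# Constructed inventory, keyed by vendor: simplified CycloneDX-style SBOM
# JSON (metadata.component plus a components list, optionally nested).
# Vendors, products and versions are made up for illustration.
SBOM_INVENTORY = {
    "VendorA": json.dumps({
        "metadata": {"component": {"name": "InfusionPumpMgr"}},
        "components": [
            {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "version": "2.14.1"},
        ]}),
    "VendorB": json.dumps({
        "metadata": {"component": {"name": "ImagingGateway"}},
        "components": [
            {"purl": "pkg:maven/org.springframework.boot/spring-boot@2.5.0", "version": "2.5.0",
             # nested: a library bundled inside spring-boot, easy to miss with a flat scan
             "components": [{"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0",
                             "version": "2.16.0"}]},
        ]}),
    "VendorC": json.dumps({
        "metadata": {"component": {"name": "LabResultsPortal"}},
        "components": [{"purl": "pkg:npm/express@4.17.1", "version": "4.17.1"}]}),
}


def _walk(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def purl_base(purl):
    """Drop version, qualifiers and subpath: 'pkg:maven/g/a@1.0?x=y' -> 'pkg:maven/g/a'."""
    return purl.split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]


def vendors_using(inventory, component):
    """List (vendor, product, version) for every SBOM that ships `component` (a purl without version)."""
    hits = []
    for vendor, sbom_json in inventory.items():
        sbom = json.loads(sbom_json)
        product = sbom.get("metadata", {}).get("component", {}).get("name", "?")
        for comp in _walk(sbom.get("components", [])):
            purl = comp.get("purl", "")
            if purl and purl_base(purl) == component:
                hits.append((vendor, product, comp.get("version", "?")))
    return sorted(hits)


if __name__ == "__main__":
    for vendor, product, version in vendors_using(SBOM_INVENTORY, "pkg:maven/org.apache.logging.log4j/log4j-core"):
        print(f"{vendor} / {product} ships log4j-core {version}")
```

Matching on the version-stripped purl rather than a bare name avoids confusing same-named packages from different ecosystems, and the returned versions are what you compare against the vendor's advisory.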
In the interview, Frenz also discusses:
- The importance of vendors being more transparent about software vulnerabilities;
- Patch management challenges;
- Preparing for possible cyber incidents related to the Russia-Ukraine war.
Before joining Mount Sinai South Nassau, a 455-bed acute care teaching hospital in Oceanside, New York, Frenz was CISO at Interfaith Medical Center in Brooklyn. He has applied the zero trust model in healthcare and worked on medical device security. He is also co-author of the OWASP Secure Medical Device Deployment Standard and the OWASP Anti-Ransomware Guide.