This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the Podcast): Bolstering Third-Party Risk Defences with Vish Gadgil

[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first-of-its-kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.

Learn more at fortifiedhealthsecurity.com

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.

And now [00:01:00] this episode of Unhack the Podcast.

Drex DeFord: Hey everyone. Welcome to Unhack the Podcast. I'm your host, Drex DeFord, and today we're going to dig into some of the free and incredibly useful stuff that's produced by the Health Sector Coordinating Council Cybersecurity Working Group, or as we affectionately call it, the CWG.

Thanks for tuning in. I'm your host, Drex. I'll see you next time. The CWG is composed of 450 industry and government organizations that work together to develop strategies to address cybersecurity challenges in the healthcare sector. And one of the many things that CWG does as part of that effort, through the creation of task groups, is that they develop these free resources that are focused on cybersecurity best practices.

And they do that across a whole range of disciplines. I've talked to several folks this month, Cybersecurity Awareness Month, in many of the areas. Today, we're going to talk about supply chain challenges, essentially third-party risk challenges, and the document that has been created for that by CWG is called the Health Industry [00:02:00] Cybersecurity Supply Chain Risk Management Guide.

And joining me for the discussion today is Vish. Hey Vish, I'm really glad you're on the show.

Vish Gadgil: Hey Drex, thanks for inviting me and helping us promote the excellent publications that we have from HSCC that are free for everybody.

Drex DeFord: Yeah, they're free for everyone, which is amazing. So let me start, introduce yourself, tell me a little bit about your background.

I know you have a disclaimer that you have to punch in there too.

Vish Gadgil: Yes.

Drex DeFord: So...

Vish Gadgil: My name is Vish Gadgil. I work for Merck Company. However, I am not, and I have to repeat this, I am not representing my employer today. So I'm only representing HSCC's Supply Chain Risk Management subgroup, because I'm a co-chair on that.

And I have a cybersecurity background for almost 30 years. I started back in 1998 and never looked back. One more quick plug-in: this is an area that I'm very passionate about. Supply chain risk management often is an overlooked area of cybersecurity, although [00:03:00] awareness for this particular risk is increasing in the past few years, thanks to efforts from H-ISAC or HSCC.

And frankly, also due to some high-profile supply chain security incidents like SolarWinds and Okta, etc. But it still represents a major risk to our sector. When this subgroup was formed, I happily volunteered and eventually co-chaired the group for a few years.

Drex DeFord: 2024 has been the perfect storm to show why we should be paying attention to this, right?

Vish Gadgil: Yes, absolutely. And it's not just this year. Every year there has been an increase in third-party cybersecurity incidents.

Drex DeFord: So how did you get involved with Health Sector Coordinating Council and CWG? How'd that come about?

Vish Gadgil: So my mentor and my boss, Terry Rice, used to be the, they call it co-chair, I believe, of the CWG from the private sector perspective.

So HSCC is a collaboration between the government sector and the private sector, right? So Terry used to represent the private sector, [00:04:00] and then to help him out on some of the activities, he included me, and since then I've been working with HSCC.

Drex DeFord: Once you got in, they couldn't...

Vish Gadgil: You couldn't get out.

Yeah, it's just an amazing piece of work that we are doing. It's free for everybody. The ultimate goal is patient safety, right? Cybersecurity, cyber safety, is patient safety. And at the end of the day, we want to make sure we are all providing that safety to our patients.

Drex DeFord: Yeah, I'll tell you the other thing too is that I've read all of the documents before, but in the preparation for the five shows that I'm doing this month on Unhack the Podcast, I've gone back through them again and I'm just really blown away by how good the material is, and how cool it is to be able to sit in the CWG with folks like you and hear experts talk about the challenges and the work that's going on to make this stuff better.

So talk about the document a little bit now. The Supply Chain Risk Management Guide is out there. [00:05:00] People can get it for free. There's so much great material in there that even if you think you have a good third party risk management program, even if you think you're good at supply chain risk, go out and get this document and dig through it.

But tell us more about what's in there.

Vish Gadgil: Sure. So HIC-SCRiM, that's the short form of that publication. It's funny. When we started with that naming, the full form of that document is Health Industry Cybersecurity Supply Chain Risk Management, and the short form became HIC-SCRiM, and it feels like, oh, we are all screaming about it, right?

But it was funny. It also is a reflection of a loud cry for help from our small and medium-sized organizations in the health sector. It's basically a part of the broader effort by HSCC. But at the end of the day, we wanted to make sure that we have provided not just theoretical or academic guidance, but a clear toolkit that the small and medium-sized organizations can use.

I also want to clarify one thing here: this [00:06:00] publication is not about software supply chain attacks. There's a confusion I want to clarify. This is about actual third parties, the third parties that we deal with day to day, right? So things like your raw material suppliers, or medical device companies, or doctor's offices, payers, all of that.

So this is about doing third-party risk management, not software supply chain management.

Drex DeFord: I love that it's small and mid-sized healthcare organizations too. That focus and that energy clearly comes through in the document.

Vish Gadgil: Yeah, there was a reason for that. So when we started thinking about how we can elevate the supply chain risk management practices across the entire health sector, we always take this entire health sector approach.

So we realized that it's quite likely that the large organizations in our sector probably have a good third-party risk management program, but we are all part of a bigger ecosystem, right? And no one organization is immune to attacks on the overall ecosystem. A recent example being Change Healthcare, right?

That [00:07:00] unfortunately fell victim to a cyber attack, and it impacted the entire sector. Nobody ever thought about how it can impact us, right? So the realization was that these small and medium-sized organizations that don't necessarily have budgets or resources to have a good, solid, dedicated third-party risk management function are probably more vulnerable, and therefore they can become a risk to the overall health sector, right?

So that's why the focus, and with that background, we designed this HIC-SCRiM document for that kind of audience. But again, the guide can also be useful, as you mentioned, for the larger organizations as well. It's really focused right now on small and medium, but large organizations can probably learn a little bit out of it.

Drex DeFord: You talk a lot about risk in the document, and finding risk and understanding risk. You want to talk more about that?

Vish Gadgil: Sure. So as I mentioned, this document is really providing you practical tools, right? It's not just theoretical guidance. And we made sure that we wanted to see what framework we could use.

So we decided [00:08:00] to use the NIST Cybersecurity Framework, right? And NIST CSF has specific focus areas about supply chain risk management. So we aligned this document to the NIST CSF, so that provides some sort of compliance aspect as well. And then what we did is, back in 2019, the first iteration was about how you build the supply chain risk management program.

So that version focused more on the build part of it. Version 2, which was released in 2023 and is also the current version, builds upon the original version, and now it talks about how we manage that program operationally, right? So this current version essentially is a complete guide and a complete toolkit for standing up the program and running the program for third-party risk management.

And in terms of what the document itself includes, as I said, we are now aligned to the NIST Cybersecurity Framework. So there are multiple sections in the document. Obviously, it provides the introduction and background: why third-party risk management is [00:09:00] important, why it is important to do proactive risk management, right?

Not just responding to something that you hear on a day-to-day basis. We wanted to make sure it is aligned to the CSF, and CSF has really good five principles. I'm assuming our audience really knows what CSF is. So there are sections in the Identify area called ID.SC-1 through 5. So SC-1 is about establishing the risk management function. SC-2 is about doing the risk assessment. SC-3 is about how you manage contracts. SC-4 is about ensuring compliance on an ongoing basis. And SC-5 is about response and recovery activities, right? The document essentially has those sections.

If you don't mind, let me just walk you through a couple of those. Yeah. Cool. The risk management function: it talks about why it is important, how it is important to have an internal sponsor for the function, who needs to be a really senior management person, how it is important to [00:10:00] have a really good supplier inventory, and how to categorize suppliers by risk level.

And it also provides a toolkit. Now, granted, we don't have anything fancy. It's really an Excel spreadsheet, but it provides specific guidance. And again, the audience is small and medium organizations, right? So it provides you guidance on how to do that inventory or categorize suppliers. So it's very important that, if your company deals with hundreds of suppliers, you cannot do the risk management for each one of them. So you have to do the tiering of suppliers. Who are the top suppliers for which we need to manage risk? So that's the risk tiering. So we talk about that part.

Then it talks about risk treatment and mitigation activities, right? So it talks about aspects such as: what kind of risk acceptance processes you have, how you deal with insurance, should you have insurance, and how you expect the suppliers to ensure that they are patching their stuff.

Can you do your audits with the suppliers? Stuff like that, right?

Drex DeFord: Yeah. Yeah.

Vish Gadgil: Then it talks specifically about contractual obligations. We actually have [00:11:00] a really solid contract template that's provided as part of this document, and the template is really about ensuring that the basic cyber hygiene of third parties is really good.

And again, the idea was the overall health sector needs to up their game, so there's nothing fancy or very crazy in terms of security requirements in the contracts. It's really about looking at the overall ecosystem approach and upping the game. Then it talks about overall due diligence and monitoring.

As the cybersecurity risks evolve, Drex, we have to evolve as well, right? So how do you do continuous monitoring, if possible for you? Making sure how your suppliers are patching the vulnerabilities, especially if you have direct connectivity with them.

How do you maintain communications with them, making sure you are hooked into the incident response of your company, right? So typically our incident response functions don't necessarily look into third-party incidents. So making sure that it's connected to your own incident [00:12:00] response, and you're also working with your third parties in terms of knowing what they do and potentially linking each other, right?

So all of that is explained, along with a bunch of templates. Like, how do you do risk assessments? What kind of contract language do you have? Stuff like that.

Drex DeFord: So the template stuff is amazing in here. For the small places, I love the way that you've structured this, because for the small places, and for many of the medium-sized places, those CISOs...

Sometimes they don't even have a CISO. They have somebody who's been designated as the security person. They're probably doing four other things too. So to have something like this where they can actually just get the document. It's 46 pages, or it's 60 pages' worth of stuff.

Go through and look at it and really just have, like, here, it's almost like you spoon-feed it in a lot of ways. And like you said, these aren't really complicated templates. They're really easy to understand. The way the document's written is really easy to understand. And it's really incredibly useful.

[00:13:00] The templates are amazing in here.

Vish Gadgil: No, thank you. Thank you for that. And that was our intent, right? We wanted to make sure that a small organization, just like you described, right? A CISO who is also probably their firewall administrator and also their IT guy, who knows, right? That person shouldn't have to think too much.

They can take that template and maybe tweak it a little bit here and there, but in general, there should not be a problem. For example, the contract template that we produced, we intentionally left it at a fairly basic level so that this CISO, who's also doing three different things, doesn't have to sit there and go through a whole bunch of redlining and negotiations with the third parties, right?

Any third party, when they look at those contractual clauses, they will say, yep, this makes sense. This is a good thing to do. Cybersecurity is becoming a differentiator in terms of third-party offerings. So if I have a supplier, quite frankly, that comes to me and, just as an example, says, hey, we are providing [00:14:00] you a software-as-a-service solution, but you have to create local identities.

And then the second one comes and says, I have the same function, but I provide you identity federation. I'm going with the second guy, because they know security. That's what they're indicating, right? So cybersecurity is becoming a differentiator in terms of the service offering and the product offering.

So that's what we are trying to highlight that, upping the game in terms of cybersecurity is a good thing to do.

Drex DeFord: And ultimately this is a team sport between third parties, the end users, the IT team. None of this happens in isolation.

Vish Gadgil: Exactly.

Drex DeFord: I really appreciate you being on the show today.

Thanks for telling us all about this, and all the stuff is available for free. One of the things we'll do is, when the show is published, we'll make sure we put a link to Health Sector Coordinating Council, CWG, and this document in particular in the comments. Thanks for being on the show today, Vish.

Vish Gadgil: Anytime, Drex. Thank you so much for inviting me.

Drex DeFord: [00:15:00] That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.