Tips, Tools and Recommendations for Improving Healthcare Security

In this series, Shared Assessments Steering Committee member Ken Peterson talks about managing cyber risk in the healthcare space.

Q&A Series – Part 2

  1. For the healthcare industry, let’s talk about third party risk management: who are the third parties here, and what types of risk are they inserting into the healthcare data security landscape?

     “Third parties are any organization that your company may bring in to deliver specific services for your company and your customer network. Third party firms come in all shapes and sizes, different levels of business maturity and varying levels of demonstrated risk management. It is incumbent on your company to ensure your third party vendor network is pre-qualified and vetted to ensure you’re not exposing your business and your customers to the risk of outside attacks. A risk management plan is critical.”

  2. What are the risks for healthcare organizations associated with not engaging in a risk management plan?

     “As we’ve seen in multiple cases in the last several years, a cyberattack can have a far-reaching and highly damaging impact on an organization. A company’s brand, business equity and ‘earned public trust’ are often in jeopardy with a breach. In addition, customer and investor exposure are also at direct risk with a breach. And the time it takes to remediate a breach, earn back the trust and confidence of customers and shore up the safety and security of a business operation can take months if not years if the proper risk management plans are not in place.”

  3. What are some of the initial steps that a company should take in protecting its intellectual assets?

     “There are a number of key steps that an organization should take toward safeguarding its assets: 1) kick off a formally empowered POC related to securing your third party network; 2) do an inventory of your vendor network to establish in what capacity each vendor is being utilized and what types of data they have access to within your organization; 3) define your vendors’ risk criteria to your business, vetting from most critical to least critical; and 4) define specific remediation efforts to help harden the security of your vendors.”

  4. What industry organizations and tools do you recommend for healthcare organizations that are trying to improve the security of their operations?

     “The healthcare industry is not an amorphous mass. As an example, clinical research organizations have concerns not always shared by medical device manufacturers. It is a diverse environment. With that said, there are organizations that provide to their members trusted intelligence and techniques that meet those broad areas of common interest that all healthcare organizations share when it comes to information security. The most prominent right now is NH-ISAC, as it is directly focused on healthcare information security and compliance needs. Most major industries have their own ISAC at this point. The Shared Assessments Organization focuses on tools and techniques to assess vendor risk that are common across verticals. The focus on tools should be those that enable organizations to conduct initial vendor due diligence, monitor in real time the vulnerabilities that can compromise their information, those that can provide continuous monitoring of critical networks and those that can assist the organization with making sense of large masses of data in time to be of value.”


Kenneth J. Peterson, CTPRP
Founder and CEO
Churchill & Harriman

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email