For years, I have been a vocal proponent of securing protected health information. It is no secret that the U.S. Department of Health and Human Services (HHS) swept security and authentication under the rug during the rollout of electronic health records (EHRs) so as not to impede adoption of electronic records by providers by making them difficult to use. The current minimum requirements for identity assurance are set low, requiring only a strong password. The reality is HHS played Russian roulette, hoping that security breaches would not occur due to weak username and static password authentication. Putting convenience ahead of security has led to breaches impacting millions of lives.
Source: GAO Report on Privacy and Security: A Wake-up Call for HHS?
Vendor Risk Assessment: Essential Components – InfoRiskToday
Vendor risk management is becoming far more critical as companies in all sectors rely more on partners