Defensive is Expensive!
Overcoming Anxiety for Fast and Fruitful Risk Assessments
Do your risk assessments often feel like an uphill battle?
Vendor cybersecurity questionnaires have straightforward goals: Get on the same page regarding risk, work together to address concerns, and finish out the procurement process. Risk assessments, after all, are time-consuming and therefore costly, so all parties should seek swiftness and success.
Vendors, so it seems, don’t always see things so rosily. Account managers often feel surprised and scrutinized by probes into their risk posture, creating a defensive dynamic that encumbers the process. Moreover, once this mindset takes hold, it feeds on itself: dodging and delaying answers looks suspicious and invites closer scrutiny, which in turn reinforces the defensiveness. Resistance to transparency in a budding relationship breeds suspicion.
You can be a hero and bring your innovative technology to patients quickly if you work as a team. Through clear communication and by involving key players early on, healthcare organizations (HCOs) and vendors can keep the effort smooth and expedient.
We sat down to chew the fat with cybersecurity professionals at a leading U.S. healthcare system to discuss this type of anxiety. Their insight reveals how straightforward language, clear expectations, a collaborative attitude, and a willingness to use tools can defuse much of the stress of the old approach.
[INFORMATION SECURITY ANALYST (“INFOSEC”)] Most of the vendors whom we contact through Censinet are running through this process for the very first time with us. Among many of them, a general observation is that they are often hesitant to answer the risk questionnaires, either because they feel that it’s a pass-or-fail thing, or that it would reflect badly on them. We try to reassure them that it’s not. It’s more like a diagnostic tool to get everyone on the same page and understand what their risk environment is actually like.
Obviously, not everyone takes it as we suggest. There are still a few of them who are hesitant to answer when they come in. They feel that they don’t have to answer to us (the cybersecurity group), generally, and that there’s some other authority figure they have to respond to (like the clinician/buyer). Though we try to convince them it’s not the case, they think we’re judging them.
It makes the job tougher, because this defensiveness delays you a couple days at least. Those days could be used to read through the answers and proceed through the whole risk assessment.
[CENSINET] These vendors work with other providers as well, right? You’re not the only one.
[INFOSEC] Yes. And generally, the larger the vendor is, the tougher it is.
[CENSINET] Do some HCOs feed into the defensive mentality?
[INFOSEC] I can imagine providers feeding into the mentality, if you come in with an attitude. The defensiveness is naturally there, and you reinforce it with a tone of voice that says, “You’ve got to answer this, or we’re going to deny you.”
[CENSINET] What about confusing language in the risk assessments? Do providers intentionally try to trip the vendor up?
[INFOSEC] Not deliberately from our end, but I can see where that could come in – and that would definitely be a “test” type of thing. For us, it’s more of a scrutiny to check up on the vendor’s practices. There must be a way to confirm what the vendor says is true. If someone says, “Yes, we do have anti-malware protection,” you then have to ask, “Are you sure – what provider do you have?” Because they may answer “yes” but not understand who their provider is, in which case they may not actually know if they have adequate anti-malware protection.
So, it’s not meant to trip up. It’s meant to determine the exact level of preparedness, to document the evidence for declarations that they’ve made on the questionnaire.
[CENSINET] How does the defensive posture play out during the findings process?
[INFOSEC] When we do follow-up questions, that’s the back-and-forth. Some may say that encourages the defensive posture. But I think the posture begins even before the findings.
Some big providers come to mind, who often say from the get-go that they don’t want to answer a certain question. That’s from the perspective of a big corporation, which generally should know what it’s doing and wonders why it needs to be asked about security measures.
The posture ranges from that kind of attitude to vendors who, instead of being forceful, are hesitant to answer something. They know they are a small-scale operation, and they think that in answering a certain question, they might lose business. They have an imagined expectation of how they should answer something. So, for example, for the question around anti-malware, they might think: “Oh, we should have it, but we don’t. So, do we tell the truth that we don’t, or fudge the answer and say, ‘It’s in progress.’” That hesitancy is the defensive posture I was trying to describe.
That’s when it’s important for the provider to come in to reassure them and say, “This isn’t a deal-breaker – we’re just trying to understand what you have.” If in the end, the totality of circumstances shows a certain weakness in your risk posture that we can’t accept, then we’ll talk to you. But it’s not necessarily pass-or-fail. It’s more a question of, “What can we do to work this out so we can both have less risk than necessary?”
[SECURITY COMPLIANCE SPECIALIST (“COMPLIANCE”)] I think, if you take it from the vendor’s perspective, part of the difficulty is that providers all have varying degrees of what’s acceptable risk. This came up in back-and-forth discussions at a recent conference in San Diego between core providers and some medical device vendors. Everyone wants to help with security posture, but defining that is a challenge, since different providers have different requests on what they feel is appropriate. So that feeds into the “test” mentality and hesitancy: “Here we go again.” I know it’s the course of normal business, but I can only imagine the challenge in dealing with 7, 10, or 12 different providers where everyone’s asking for different standards, tests, or measurements for compliance.
[CENSINET] Do you think Censinet’s efforts towards standardizing the risk questionnaire could help alleviate that stress?
[COMPLIANCE] Definitely. A lot of the work that Censinet and others in the community have done to standardize questions is along the right path.
Nonetheless, while Censinet does ask questions to guide the conversation, a lot depends on interpretation. Take for example the question, “Do you have formal documented access control?” That question by itself is fine for us, but other providers may ask for more information for clarification. So, a standard questionnaire helps provide a starting point, but even among providers, what’s an acceptable answer varies based upon their experience and risk posture. And it’s why even many standard questions have a sub-question that asks for more detail.
[INFOSEC] I think, ultimately, there will always be some anxiety driven by this test attitude. So, the level of anxiety is what matters. The only thing we can control is whether we dissipate it from the provider’s own attitudes. We try to reassure and communicate as best we can.
In the end, this is too much work to just throw away. The whole exercise of trying to find a business partner and running them through a risk assessment is time consuming. If you end up having to reject them because they don’t respond well to you, that’s a waste of time.
[COMPLIANCE] It also plays to how well providers understand the review process. While we run the Information Security side of procurement, we’re not necessarily the folks who make the decision on who to approach. We’re still trying to change the business culture where you understand security is part of the purchasing and contracting process.
If the vendor isn’t aware of that requirement up-front, and it’s kept as more of a provider-internal issue, they can be caught off-guard: You’re a vendor thinking you have this tiny time frame from purchase all the way to go-live, and suddenly you have a monkey wrench thrown in. That lends to the defensiveness, since they ask, “Didn’t we agree we were going to do this, and now you’re asking us to jump through these hoops and putting our contract at risk?” All HCOs have process issues, so that’s a factor as well depending on the maturity of the organization.
[CENSINET] If Business Units, who make the decisions on who to approach, were more familiar with the risk and remediation process, would you have more leverage with them?
[INFOSEC] I think to some degree, yes. That might be a way to get them involved. We deal with a lot of Business Units repetitively, as opposed to the vendors – it’s the Business Units that we have more interaction with.
For instance, I’ve had three or four dealings with Oncology just this month. The more they’re familiar with my process, and the more they use Censinet themselves to see what’s happening with vendors, the more understanding they are overall. If I introduce them to the CAP (Corrective Action Plan), and they have a better understanding of what the vendors need to do, they then become part of that process too. Slowly, we get into their consciousness that the next time they try to bring someone in, they should check Censinet first to understand the risk posture of a vendor they want to approach.
[CENSINET] So, overall, do you feel you have to pull teeth less since starting to use Censinet’s platform across multiple departments?
[INFOSEC] I’d say yes, for me.
[COMPLIANCE] Yeah. It makes it very consistent as to what we’re looking for, and everyone has a common place of reference. We all use the same questions, so we’re able to point to a question and explain internally how we interpret each one.
The message here is clear: Cybersecurity departments want to work on the same side as vendors in facilitating next steps in the procurement process, but many vendors are inherently suspicious of those intentions. This leads to worse outcomes and more work for both sides.
HCOs can reduce this defensiveness through up-front communication and transparency about the process. By practicing empathy, asking candid questions, and presenting a unified message on security expectations across all procurement stakeholders, vendors stand to feel less on-trial and more at-ease.
Vendors can take a deep breath and start with trust that everyone wants innovation in healthcare to be easily adopted. Much like a new employer asking for references or a background check, providers scrutinize those they want to work with – not ones they intend to reject. No organization is 100% risk-free, and few things are deal-breakers. Demonstrating both an awareness that data risk is important to you as a vendor, and that you’re willing to collaborate to maintain the trust of your buyers, is the best path to a sale. Saving risk analysts’ time by thinking about data security in advance, and even having your questionnaires already completed, shows you’re the kind of vendor with whom HCOs want to do business.
With risk assessments, it pays to be a partner: Defensive is expensive.