Podcast
Ten Security Control Objectives for Every Healthcare IT Contract, with Randall Frietzsche, CISO of Denver Health
Summary
Cybersecurity is only as strong as the security of an organization's vendors. Randall Frietzsche, chief information security officer (CISO) of Denver Health, a level one trauma center in Denver, has his organization's information security assessments down to a science. On today’s show, Randall joins Change Healthcare’s John Zuziak to share how Denver Health conducts security assessments, and how Randall's team assesses new vendors and monitors for vulnerabilities.
Today's panel: John Zuziak, Change Healthcare's Security and IT Risk Management Practice director; and Randall “Fritz” Frietzsche, MS, CISSP, CHPC, C|EH, C|HFI, ISSA distinguished fellow, and enterprise chief information security officer (CISO) at Denver Health, Denver, Colo.
Here’s what they talked about:
- Frameworks for building security programs and assessments
- Assessing security risk with third-party vendors
- Creating a risk management policy
- Conducting risk stratification analysis
- Assigning risk tiers to third-party vendors
- Keeping an eye on control gaps
- Bucketing risks: financial, reputational, patient safety
- Addressing vendors’ security gaps
- Allowing for exceptions to the rules
- The security check as part of the purchasing workflow
- Top 10 security control objectives in every contract
- The annual third-party review
Episode Resources