The early internet had a spirit of community, sharing, and freedom. This spirit invested itself in the very protocols powering the internet, and security was NOT considered. Encryption? Maybe for military systems. Not in general. The problem, of course, was one of naiveté. With the rise of malicious activity, security had to be addressed.

Today’s environment isn’t so friendly. Ransomware, social engineering, and cyber-theft are pervasive. Our websites aren’t just stand-alone proprieties, they are portals to our larger organizations, platforms that can be exploited to great harm unless we take due care to protect them.

Consider a hypothetical example…a normal form on your website is replaced by a phony donation form. Will your users think they are donating to your healthcare system? How will you notify victims once the problem is found? Will you provide credit insurance for them? These choices come up in large compromises, but the more quickly a situation is found, the less the damage.

You need to ensure that your provider has the tools to prevent, detect, and fix malicious events. That brings me to the first question you should ask your provider.

Question 1: What security framework do you follow?

Security isn’t just about technical controls that create firewalls or block ports – it’s also about process. After all, it’s well known that people are the riskiest part of the security equation. To deal with people and process, it’s best to use a security framework. Amongst the most popular are the NIST 800 Series of guidelines, ISO 27000, and Cobit. NIST publishes an outstanding index to these called the NIST Cybersecurity Framework.

The Cybersecurity Framework defines five high level functions: Identify, Protect, Detect, Respond, and Recover. These categories contain 98 distinct activities that would result in a comprehensive risk management program. Adequate security risk management is no small endeavor. It takes real investment. Organizations need not implement all activities, since the framework is meant to be customized. The important thing to remember is that the organization should follow one of the major defined methodologies so major areas aren’t accidentally missed.

I have to admit a bias here. I’m partial to the NIST frameworks. They are freely available, create a common language for security issues, and are heavily used in the Healthcare industry because of HIPAA. Most importantly, the NIST 800-53 specification contains a comprehensive set of controls that can be adapted to secure just about any information processing asset.

The ultimate goal of the question is to determine if your partner uses an established framework, whatever that framework that may be.

Question 2: What is your secure application development process

Security frameworks define standards for secure application development. Any software vendor should actively teach these methods to their software developers and testers. The Open Web Application Security Project (OWASP) publishes a top 10 list of vulnerabilities and how to prevent them. The development team needs to understand and habitually practice the preventative measures specified by OWASP. Security problems are better addressed early and often.

Almost any software developer should have some answer for this or know the OWASP acronym. You are looking for an indication of an organized process in the answer.

Question 3: Can you describe your incident response process?

Like software development, incident response is a sub-component of a larger risk management framework. Security related incident response generally follows a well-known pattern. Security teams must be able to perform the following steps:

  1. Preparation
  2. Detection
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-Incident Activity

I won’t go into full detail, but preparation is of key importance. Is there an on-call team? Are phone numbers and contact information known ahead of time? Are there defined procedures for different types of incidents?

Most IT people have dealt with a moment of panic at the detection of malicious activity. Ideally, there will be no panic in an incident, just a well-practiced team following its training and expertise. If you’ve ever experienced an incident without proper training or experience, you’ll never want to do that that again.

All three of my questions attempt to discover the overall commitment to proactive security and risk management. No vendor will be perfect on all of the details, but I try to see if our vendors are up to current guidelines and knowledge in the field. Proceeding with that knowledge makes me sleep better at night.

Want more help understanding how to tackle security challenges how find solutions architected with security in mind? Read our white paper, Choosing the Best CMS for Healthcare.