Recent research has shown that third party security is the number one risk to organisations' data and service delivery. Organisations now have a legal responsibility to ensure that they conduct due diligence on any supplier who will be processing, or will be providing software that processes, personal data. This due diligence has proven to be a difficult task for individual organisations to carry out, with suppliers reluctant to divulge sensitive security data, and in some cases not seeing the ROI of investing in security at all.
In the broad market, Governments hope that education and legislation will gently nudge suppliers towards adequately securing their services for fear of losing market share should a competitor offer a provably more secure product. Where there exist niche services, this nudging market force is effectively non-existent and other options to bring suppliers along on the security journey have to be investigated. One such niche market is telecare.
Digital Telecare for Scottish Local Government is supporting telecare service providers in Scotland with their transition to digital telecare. When implementing digital telecare, service providers are likely to use a range of suppliers to provide the equipment and services that form the overall solution. Given this, they need to evaluate the cyber security risk associated with each supplier before integrating their equipment/service into the solution.
To ensure a consistent and best practice approach is taken to cyber security, the Digital Telecare team has designed an assessment procedure that digital telecare suppliers can elect to undergo. Where a supplier meets the fair and common minimum security standard, their name and the details of the equipment/service assessed will be added to the list of Assessed Providers on the digital telecare website. Telecare service providers will be able to access details of the accredited equipment/services and use this as evidence that appropriate cyber security is in place, rather than having to complete the assessment themselves. This assessment approach should therefore save time and effort for both telecare service providers and suppliers.
Suppliers included on the Assessed Supplier List will have provided sufficient evidence that they meet the minimum security standard expected by partners. Where a supplier fails to meet the minimum standard, their name will not be included on the Assessed Supplier List, and advice will be provided to the supplier outlining how they might achieve the standard in a future evaluation. Suppliers who choose not to undergo the evaluation procedure will not be included on the list. There is no penalty for failing the assessment. Telecare service providers will only have visibility of those suppliers that have passed, not those that have tried and failed. Suppliers can carry out remediation and re-submit evidence of compliance as many times as required to meet the standard.
If telecare service providers wish to select a supplier that has not been assessed by Digital Telecare, it will be necessary for them to evaluate the supplier themselves to ensure that it is providing an appropriate level of cyber security. As a minimum, this is likely to require the service provider to ask the supplier for information on its cyber security management processes, and for penetration testing to be completed. One of the objectives of this scheme is to reduce the burden on suppliers of providing this evidence separately to multiple customer organisations.
The Assessed Suppliers List is now live on the Digital Telecare Playbook with the first device and service having passed the assessment process. *Please note that you need to be logged in to the Digital Telecare Playbook to access the Assessed Suppliers List using the link below.
If you would like to learn more about the scheme, please forward your questions to firstname.lastname@example.org.