Recent research has shown that third-party security is the number one risk to an organisation’s data and service delivery.
Organisations now have a legal responsibility to ensure that they conduct due diligence on any supplier who will be processing, or will be providing software that processes, personal data.
This due diligence has proven to be a difficult task for individual organisations to carry out, with suppliers reluctant to divulge sensitive security data, and in some cases not seeing the ROI of investing in security at all.
In the broad market, governments hope that education and legislation will gently nudge suppliers towards adequately securing their services for fear of losing market share should a competitor offer a provably more secure product.
Where niche services exist, this nudging market force is effectively non-existent, and other options for bringing suppliers along on the security journey have to be investigated. One such niche market is telecare.
Digital Telecare for Scottish Local Government is supporting telecare service providers in Scotland with their transition to digital telecare. When implementing digital telecare, service providers are likely to use a range of suppliers to provide the equipment and services that form the overall solution. Given this, they need to evaluate the cybersecurity risk associated with each supplier before integrating their equipment/service into the solution.
To ensure a consistent and best practice approach is taken to cybersecurity, the Digital Telecare team has designed an assessment procedure that digital telecare suppliers can elect to undergo.
Where a supplier meets the fair and common minimum-security standard, their name and the detail of the equipment/service assessed will be added to the list of Assessed Providers on the digital telecare website.
Telecare service providers will be able to access details of the accredited equipment/services and use this as evidence that appropriate cybersecurity is in place, rather than having to complete the assessment themselves.
Given this, the assessment approach should save time and effort for both telecare service providers and suppliers. Suppliers included on the Assessed Supplier List will have provided sufficient evidence that they meet the minimum-security standard expected by partners.
Where a supplier fails to meet the minimum standard, their name will not be included on the Assessed Supplier List, and advice will be provided to the supplier outlining how they might achieve the standard in a future evaluation. Suppliers who choose not to undergo the evaluation procedure will not be included on the list. There is no penalty for failing the assessment.
Telecare service providers will only have visibility of those suppliers that have passed, not those that have tried and failed. Suppliers can carry out remediation and re-submit evidence of compliance as many times as required to meet the standard.
If public telecare service providers wish to select a supplier that has not been assessed by Digital Telecare, it will be necessary for them to evaluate the supplier themselves to ensure that it is providing an appropriate level of cybersecurity.
As a minimum, this is likely to require the service provider to ask the supplier to provide information on its cybersecurity management processes, and for penetration testing to be completed.
One of the objectives of this scheme is to reduce the burden on suppliers to provide this evidence to multiple customer organisations. The first device and service went live on the assessed suppliers’ list at the end of January 2021, with many more under review. To keep up to date with the assessed suppliers, visit the Digital Telecare Playbook.
If you are a supplier who has not yet entered the scheme, you can contact Digital Telecare for Scottish Local Government at firstname.lastname@example.org to find out more information.