Taking New Risks With Vendor Risk Management
How Moffitt Cancer Center's Dave Summitt Handles Reluctant Business Associates
Every new cybersecurity regulation puts at least some emphasis on the need to improve vendor risk management, says Dave Summitt of Florida's Moffitt Cancer Center. But what happens when vendors balk at the extra degree of scrutiny required?
The answer, Summitt says, is for healthcare organizations to take a risk-based approach to working with business associates.
In a video interview at Information Security Media Group's Healthcare Security Summit in New York, Summitt discusses:
- How the regulatory enforcement environment has changed;
- Why some business associates now push back against cybersecurity agreements;
- His own risk-based approach to managing reluctant vendors.
Summitt is CISO of the H. Lee Moffitt Cancer Center and Research Institute, based in Tampa, Florida. He has more than 25 years of experience in IT across the federal and private sectors, with a focus on information systems, network and engineering operations and cybersecurity initiatives. Before entering the healthcare sector, Summitt had a 21-year federal career with the Department of Defense, where he held various roles including the Naval Sea Systems Command's technical representative for a major missile defense program, security data custodian, information systems security officer, data and configuration manager and change control chairman for several military programs.