Ten Security Control Objectives for Every Healthcare IT Contract, with Randall Frietzsche, CISO of Denver Health

Cybersecurity is only as strong as the security of an organization's vendors. Randall Frietzsche, chief information security officer (CISO) of Denver Health, a level one trauma center in Denver, has his organization's information security assessments down to a science. On today’s show, Randall joins Change Healthcare’s John Zuziak to share how Denver Health conducts security assessments, and how Randall's team assesses new vendors and monitors for vulnerabilities.

Today's panel: John Zuziak, Change Healthcare's Security and IT Risk Management Practice director; and Randall “Fritz” Frietzsche, MS, CISSP, CHPC, C|EH, C|HFI, ISSA distinguished fellow, and enterprise chief information security officer (CISO) at Denver Health, Denver, Colo.

Here’s what they talked about:

  • Frameworks for building security programs and assessments
  • Assessing security risk with third-party vendors
  • Creating a risk management policy
  • Conducting risk stratification analysis
  • Assigning risk tiers to third-party vendors
  • Keeping an eye on control gaps
  • Bucketing risks: financial, reputational, patient safety
  • Addressing vendors’ security gaps
  • Allowing for exceptions to the rules
  • The security check as part of the purchasing workflow
  • Top 10 security control objectives in every contract
  • The annual third-party review

Episode Resources

  1. Randall Frietzsche’s bio
  2. John Zuziak's bio
  3. Denver Health
  4. Change Healthcare Consulting Services
  5. Change Healthcare Consulting Services Resources
  6. COVID-19 Updates and Resources