Data breaches against healthcare organizations affected over 1 million people in almost every month of 2020. In the same year, the average total cost of a data breach was the highest in the healthcare industry at $7.13 million. In 2021, this has now gone up to $9.41 million.
The healthcare industry is one of the most attractive targets for cyber attackers and data thieves because it possesses the “crown jewels” that these adversaries are after: information. Healthcare data is rich with information, including patients’ personally identifiable information (PII), protected health information (PHI), and financial information.
Cybercriminals steal healthcare data to perpetrate fraud, steal identities, or launch ransomware attacks. A single healthcare record can be sold for $250 on the black market, while the next most valuable record is a payment card, which goes for only $5.40.
Such valuable data creates immense cybersecurity risks in healthcare. A lot of this data is generated, managed, or held by third parties, resulting in even more severe threats to healthcare organizations and their information security. This is why third-party risk management and healthcare data security are critical.
The Need for Third-party Risk Management in Healthcare
In the healthcare industry, attackers often leverage third-party vulnerabilities to gain access to sensitive information, while defenders try to keep these bad actors out. One such attempt by defenders is the Health Insurance Portability and Accountability Act (HIPAA), a law formulated to help protect patient data and secure healthcare organizations.
Despite HIPAA regulations, cybersecurity attacks and data breaches targeting healthcare remain a serious and increasing threat. The presence of third parties, who play a vital role in healthcare supply chains, further exacerbates this threat.
HIPAA calls these third parties “business associates,” and the healthcare organizations are referred to as “covered entities.” Depending on the nature of their business, third parties may have access to PII, PHI, and other valuable data.
Unfortunately, they often fail to implement strong security controls to protect this data, making them, and by extension healthcare organizations and patients, vulnerable to compromise.
To make matters worse, a 2020 survey found that 54% of healthcare vendors experienced a data breach of PHI, but only 36% of them notified providers because they were afraid of losing their business. This lack of accountability and transparency should worry healthcare providers and those whose PHI they collect or manage.
With a robust third-party risk management system, healthcare organizations can detect, identify, and remediate cybersecurity threats within their vendor ecosystem, protect valuable patient information, and even optimize their vendor relationships.
Notes on Vendor Access et al.
There are several areas that healthcare organizations should prioritize and address as part of their third-party risk management program:
- Vendor access to medical devices
- Medical devices running legacy operating systems and code versions
- Third-party scripts and plugins on websites
- Access to PII
Vendor Access to Medical Devices
Healthcare organizations spend a great deal of money on medical devices, and most of them carry hefty support contracts. However, such agreements say little (or nothing) about what kind of access the third-party vendors will have or how the device will be supported or protected.
Several device manufacturers provide remote support but don’t always follow good cybersecurity hygiene. The healthcare organization must enforce strong security policies and ensure that the vendor only has the access required to service the device and nothing more. In other words, the organization is responsible for protecting its data, not the vendor.
But not all healthcare providers take this responsibility seriously. A common mistake is granting VPN access with open elevated privileges to device manufacturers. This, in addition to weak control policies, increases the risk of cyberattacks. Adopting a zero-trust approach to network and data access by third parties is the best way to mitigate such risks.
Medical Devices Running Legacy Operating Systems and Outdated Code
Many data breaches occur because of unpatched operating systems, applications, and software code. A June 2020 survey discovered that 65% of companies that were running old software had suffered data breaches.
In healthcare, outdated software is an especially serious problem. Since medical devices usually have long lifecycles, they are in service for years with outdated software or operating systems. As a result, security vulnerabilities remain in old, unpatched software, which increases the risk of cyber threats.
That’s why it’s critical to regularly update and patch software in medical devices. Wherever software vendors no longer support a particular application, healthcare organizations must transition to different, more secure, and up-to-date software.
Third-Party Scripts and Plugins on Websites
Third-party scripts and website plugins are outside the control of a healthcare provider’s IT ecosystem. In 2019, over 93% of web pages included at least one such third-party resource, so it’s virtually impossible to avoid them. However, such resources also pose a significant cyber risk, leaving the organization open to attack.
It’s essential to conduct regular vulnerability scans to identify exploitable vulnerabilities or malicious code in scripts and websites. Monitor the HTTP requests made by the company website to ensure that it doesn’t connect with malicious domains. Site content audits and script monitoring also help manage and minimize the risks of third-party scripts and plugins.
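The site content audit described above, as an added example that is not part of the original article: it parses a page, extracts every host that scripts, frames, images or stylesheets are loaded from, and checks each against a reviewed-vendor allowlist and a blocklist. The site host, both lists and the sample HTML are constructed, hypothetical values.

```python
"""Audit which third-party hosts a web page loads scripts and content from.
Added example, not from the original article; every host, list and the
sample HTML below are constructed, hypothetical values."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "portal.example-hospital.test"                # hypothetical own host
APPROVED_THIRD_PARTIES = {"cdn.approved-analytics.test"}  # vendors already reviewed
KNOWN_BAD_DOMAINS = {"evil-skimmer.test"}                 # constructed blocklist
# Tag/attribute pairs through which a page pulls in external code or content.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}
SAMPLE_HTML = """<html><head>
<script src="https://cdn.approved-analytics.test/tag.js"></script>
<script src="//evil-skimmer.test/forms.js"></script>
<script src="https://unknown-widget.test/chat.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="https://portal.example-hospital.test/banner.png">
<iframe src="https://unknown-widget.test/embed"></iframe>
</body></html>"""

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []          # (tag, url) for every resource reference
    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.resources.append((tag, value))

def external_host(url, site_host=SITE_HOST):
    """Hostname of a URL served by another origin, or None for first-party."""
    parsed = urlparse(url)
    if not parsed.netloc:            # relative or data: URL -> served by the site
        return None
    host = parsed.hostname.lower()
    return None if host == site_host else host

def audit_page(html, site_host=SITE_HOST, approved=APPROVED_THIRD_PARTIES,
               blocked=KNOWN_BAD_DOMAINS):
    """Map each external host to its verdict and the tags that load from it."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = {}
    for tag, url in collector.resources:
        host = external_host(url, site_host)
        if host is None:
            continue
        verdict = ("blocked" if host in blocked else
                   "approved" if host in approved else "unreviewed")
        findings.setdefault(host, {"verdict": verdict, "tags": set()})["tags"].add(tag)
    return findings
```

Running the audit on each deployed page (or on the HTTP request log, with the same host checks) turns "unreviewed" hosts into vendor-review items and "blocked" hosts into incidents.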
Access to Personally Identifiable Information
Healthcare organizations can better control access to PII through access assessment, sensitive data discovery, and data classification. Access assessment is the process of evaluating who has access to which data, how they got access, what they’re doing with it, and if they should still have access.
Sensitive data discovery is also essential to determine what information needs protecting and to what extent. Data classification involves tagging data to identify sensitive data and determine what protective controls should be implemented.
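The access assessment described above (who has access, to what, how it was granted, and whether they should still have it), as an added example that is not part of the original article. It reviews a constructed list of access grants and flags stale access, vendors holding elevated privileges beyond their service need (the VPN mistake noted earlier), and access surviving an ended contract; the threshold, review date and all records are hypothetical sample data.

```python
"""Access assessment over constructed access grants (added example, not from
the article): who has access to which data, how it was granted, when it was
last used, and whether it should still exist. All records are sample data."""
from datetime import date

STALE_DAYS = 90             # hypothetical threshold: unused this long -> review
TODAY = date(2021, 9, 1)    # fixed review date so the example is reproducible

GRANTS = [  # constructed sample grants, not from any real system
    {"principal": "svc-imaging-vendor", "party": "vendor", "data": "PHI",
     "privilege": "admin", "granted_via": "VPN", "last_used": date(2021, 8, 30),
     "business_need": "device support", "contract_active": True},
    {"principal": "svc-billing-vendor", "party": "vendor", "data": "PII",
     "privilege": "read", "granted_via": "API key", "last_used": date(2021, 3, 1),
     "business_need": "claims processing", "contract_active": True},
    {"principal": "svc-old-lab", "party": "vendor", "data": "PHI",
     "privilege": "read", "granted_via": "VPN", "last_used": date(2021, 8, 15),
     "business_need": "lab results", "contract_active": False},
    {"principal": "nurse.jdoe", "party": "internal", "data": "PHI",
     "privilege": "read", "granted_via": "role:nursing", "last_used": date(2021, 8, 31),
     "business_need": "patient care", "contract_active": True},
]

def assess_grant(grant, today=TODAY, stale_days=STALE_DAYS):
    """Return the review reasons for one grant; an empty list means no finding."""
    reasons = []
    if not grant["contract_active"]:
        reasons.append("no active contract with this third party")
    if (today - grant["last_used"]).days > stale_days:
        reasons.append("stale: unused for more than %d days" % stale_days)
    # Least privilege: a vendor servicing a device needs scoped access, not admin.
    if grant["party"] == "vendor" and grant["privilege"] == "admin":
        reasons.append("vendor holds elevated privilege beyond its service need")
    if grant["data"] in ("PHI", "PII") and not grant["business_need"]:
        reasons.append("no documented business need for sensitive data")
    return reasons

def assess_all(grants, today=TODAY):
    """Map each principal with at least one finding to its review reasons."""
    findings = {}
    for grant in grants:
        reasons = assess_grant(grant, today)
        if reasons:
            findings[grant["principal"]] = reasons
    return findings
```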
Key Elements of Third-party Risk Management in Healthcare
The overarching goal of third-party risk management in healthcare is to empower healthcare providers to minimize the risk from third parties and thus better protect their data. The program includes numerous activities that work together to strengthen the provider’s security posture.
Vendor Due Diligence
Healthcare organizations must perform due diligence on all vendors. It allows them to gauge the security risk posed by each vendor to the organization’s cybersecurity and data security. Due diligence is usually done through vendor questionnaires that assess and compare a vendor’s security setup to industry standards.
The questionnaire should include questions about the vendor’s data security practices, business recovery plans, and disaster recovery plans. Their regulatory compliance with laws and industry standards like HIPAA, HITECH, and PCI DSS should also be assessed and verified.
Third-party Risk Assessment
In addition to due diligence, healthcare organizations must perform a third-party risk assessment. Vendor risk assessments evaluate the relationship and risks based on the services they provide and devise plans to address those risks. Both short-term and long-term measures must be implemented to eliminate immediate threats.
Assess Vendor Cyberdefense and Governance
During the assessment process, it’s vital to understand every vendor’s cyberdefense and governance ecosystem by asking questions like:
- What network or perimeter security measures are in place?
- Is firewall protection used?
- Is access controlled via password-based systems or multi-factor authentication?
- Does the vendor perform penetration testing and vulnerability scans?
- Are vendor employees trained on cyber defense?
- Who is primarily responsible for IT decision-making in the vendor’s organization?
- Does the vendor outsource any IT services to fourth parties that can increase risk exposure?
Based on the information gathered from the above activities, the healthcare provider or third party must be prepared to take the required actions to eliminate any risks identified. It’s also essential to ensure that security measures required by HIPAA, HITECH, or other laws and industry standards are implemented by both the vendor and the healthcare organization.
ZenGRC is Your Third-Party Risk Expert
In the ever-growing cyber threat landscape, the healthcare industry is particularly vulnerable to bad actors looking to access healthcare systems and steal healthcare data. As third parties play an increasingly important role in the healthcare value chain, the risk to healthcare organizations grows with them.
Healthcare organizations cannot afford to have a laid-back attitude to cybersecurity and data protection. They must adopt a robust third-party risk management program with the help of a comprehensive platform like ZenGRC.
ZenGRC is an integrated risk management platform that reveals third-party risk across the entire organization. It shows where third parties are creating risk, how this risk is changing, and how providers can manage it to mitigate business exposure.
ZenGRC helps operationalize risk management. It simplifies compliance and regulatory efforts with automation and workflows.