Tips for Managing Third-Party Risk in Health Care

Data breaches against healthcare organizations affected more than 1 million people in 2020. The average total data breach cost in the same year was far higher in the healthcare industry ($7.13 million) than any other sector. In 2021 the average cost rose to $9.41 million.

As one can see, the healthcare industry is one of the most attractive targets for cyber attackers and data thieves. Why? Because this sector possesses the “crown jewels” of personal data that these adversaries want. Healthcare data is rich with information, including patients’ personally identifiable information (PII), protected health information (PHI), and financial information.

Cybercriminals obtain healthcare data to perpetrate fraud, steal identities, or launch ransomware attacks. A single healthcare record can be sold for $250 on the black market, while the next most valuable record is a payment card for only $5.40.

Such valuable data creates immense cybersecurity risks in healthcare. Third parties generate, manage, or hold this data, resulting in even more severe threats to healthcare organizations and their information security. This is why third-party risk management and healthcare data security are critical.

What is Healthcare Vendor Risk Management?

Third-party suppliers increasingly provide mission-critical operational and support services in the healthcare industry’s supply chain. That said, healthcare companies are finding it challenging to stay ahead of vendor breaches due to the volume of cyber attacks on supply chain suppliers. Current methods to manage vendor questionnaire assessments cannot scale to keep up with the growing vendor risk exposures.

As part of the digitization of healthcare, the most crucial IT vendors now host these systems in the cloud. The issue with this, though, is that we now rely on these outside suppliers to carry out essential operations and provide patient care.

The pain is felt by the healthcare organization when a vendor has an outage because of ransomware or another cybersecurity intrusion. And that suffering now extends far beyond the potential for Health Insurance Portability and Accountability Act (HIPAA) regulatory non-compliance brought on by lost or stolen data; instead, the breaches affect healthcare organizations’ capacity to function and pose a risk to patient safety.

The Need for Third-party Risk Management in Healthcare

In the healthcare industry, attackers often leverage third-party vulnerabilities to access sensitive information, while defenders try to keep these bad actors out. One such attempt by defenders is the Health Insurance Portability and Accountability Act (HIPAA), a law formulated to help protect patient data and secure healthcare organizations.

Despite HIPAA regulations, cybersecurity attacks and data breaches targeting healthcare remain a severe and increasing threat. In addition, third parties, who play a vital role in healthcare supply chains, further exacerbate this threat.

HIPAA calls these third parties “business associates,” and the healthcare organizations are referred to as “covered entities.” Depending on the nature of their business, third parties may have access to PII, PHI, and other valuable data.

Unfortunately, they often fail to implement strong security controls to protect this data, making them, and by extension, healthcare organizations and patients, vulnerable to compromise.

To make matters worse, a 2020 survey found that 54% of healthcare vendors experienced a data breach of PHI, but only 36% notified providers because they were afraid to lose their business. This lack of accountability and transparency should worry healthcare providers and those whose PHI they collect or manage.

With a robust third-party risk management system, healthcare organizations can detect, identify, and remediate cybersecurity threats within their vendor tiering ecosystem, protect valuable patient information, and optimize vendor relationships.

Notes on Vendor Access et. al

There are several areas that healthcare organizations should prioritize and address as part of their third-party risk management program:

• Vendor access to medical devices
• Medical devices running legacy operating systems and code versions
• Third-party scripts and plugins on websites
• Access to PII

Vendor Access to Medical Devices

Healthcare organizations spend a great deal of money on medical devices, and most carry hefty support contracts. However, such agreements say little (or nothing) about what kind of access the third-party vendors will have or how the device will be supported or protected.

Several device manufacturers provide remote support but don’t always follow good cybersecurity hygiene. Therefore, the healthcare organization must enforce strong security policies and ensure that the vendor only has the access required to service the device and nothing more. In other words, the organization is responsible for protecting its data, not the vendor.

But not all healthcare providers take this responsibility seriously. A common mistake is granting device manufacturers VPN access with open elevated privileges. In addition to weak control policies, this increases the risk of cyberattacks. Adopting a zero-trust approach to network and data access by third parties is the best way to mitigate such risks.

Medical devices Running Legacy Operating Systems and Outdated codes.

Many data breaches occur because of unpatched operating systems, applications, and software code. For example, a June 2020 survey discovered that 65% of companies running old software had suffered data breaches.

In healthcare, outdated software is a severe problem. Since medical devices usually have long lifecycles, they have been in service for years with outdated software or operating systems. As a result, security vulnerabilities remain in old, unpatched software, which increases the risk of cyber threats.

That’s why it’s critical to update and patch software in medical devices regularly. In addition, wherever software vendors no longer support a particular application, healthcare organizations must transition to different, more secure, and up-to-date software.

Third-Party Scripts and Plugins on Websites

Third-party scripts and website plugins are outside the control of a healthcare provider’s IT ecosystem. In 2019, over 93% of web pages included at least one third-party resource, so it’s virtually impossible to avoid them. However, such resources also pose a significant cyber risk, leaving the organization open to attack.

It’s essential to conduct regular vulnerability scans to identify exploitable vulnerabilities or malicious code in scripts and websites. In addition, monitor the Hypertext Transfer Protocol (HTTP) requests made by the company website to ensure that it doesn’t connect with malicious domains. Site content audits and script monitoring also help manage and minimize the risks of third-party scripts and plugins.

Access to Personally Identifiable Information

Healthcare organizations can better control access to PII through access assessment, sensitive data discovery, and classification. Access Assessment evaluates who has access to which data, how they got access, what they’re doing with it, and if they should still have access.

Sensitive data discovery is also essential to determine what information needs protecting and to what extent. Data classification involves tagging data to identify sensitive data and decide what you should implement protective controls.

Critical Elements of Third-party Risk Management in Healthcare

The overarching goal of third-party risk management in healthcare is to empower providers to minimize the risk from third parties and thus better protect their data. The program includes numerous activities that work together to strengthen their security posture.

Vendor Due Diligence

Healthcare organizations must perform due diligence on all vendors. It allows them to gauge the security risk posed by each high-risk vendor to the organization’s cybersecurity and data security. Due diligence is usually done through vendor questionnaires that assess and compare a vendor’s security setup to industry standards.

The questionnaire should include questions about the vendor’s data security practices, business recovery plans, and disaster recovery plans. In addition, their regulatory compliance with laws and industry standards like HIPAA compliance, Health Information Technology for Economic and Clinical Health (HITECH), and Payment Card Industry Data Security Standard (PCI DSS) should also be verified.

Third-party Risk Assessment

In addition to due diligence, healthcare organizations must perform a third-party risk assessment. Vendor risk assessments evaluate the relationship and risks based on their services and devise plans to address them. Your company must implement both short-term and long-term measures to eliminate immediate threats.

Assess Vendor Cyberdefense and Governance

During the assessment process, it’s vital to understand every vendor’s cyber defense and governance ecosystem by asking questions like:

• What network or perimeter security measures are in place?
• Is firewall protection used?
• Is access controlled via password-based systems or multi-factor authentication?
• Does the vendor perform penetration testing and vulnerability scans?
• Are vendor employees trained in cyber defense?
• Who is primarily responsible for IT decision-making in the vendor’s organization?
• Does the vendor outsource any IT services to fourth parties that can increase risk exposure?

Based on the information gathered from the above activities, the healthcare provider or third party must be prepared to take the required actions to eliminate any risks identified. It’s also essential to ensure that security measures required by HIPAA, HITECH, or other laws and industry standards are implemented by both the vendor and the healthcare organization.

ZenRisk is Your Third-Party Risk Expert

In the ever-growing cyber threat landscape, the healthcare industry is particularly vulnerable to bad actors looking to access healthcare systems and steal healthcare data. Additionally, as third parties play an increasingly important role in the healthcare value chain, the risk to healthcare organizations is exponential.

Healthcare organizations cannot afford a laid-back attitude toward cybersecurity and data protection. Instead, they must adopt a robust third-party risk management program with the help of a comprehensive platform like ZenRisk.

ZenRisk is an integrated risk management platform that reveals third-party risk across the entire organization. It shows where third parties are creating risk, how it is changing, and how providers can manage it to mitigate business exposure.

ZenRisk helps operationalize risk management. It simplifies compliance and regulatory efforts with automation and workflows. Schedule a demo today to learn more.