Safeguarding Healthcare Data: The Vital Role of Third-Party Risk Management


Recently, it seems like hospitals and healthcare providers suffer a data breach every month, many of them due to third-party vendor vulnerabilities. The healthcare industry suffered another data breach on March 14 when a third-party vendor responsible for managed care administration announced that a hacker stole more than 4.2 million patient records, the biggest breach of 2023 at that time¹. It’s not the first supply-chain data breach this year, and it certainly won’t be the last, mainly because the healthcare industry – and many others – is still coming to terms with the inherent risks third-party vendors bring to an organization.

Managing risk across the supply chain is much more difficult than managing your own, because you have no control over the ways a vendor manages their cybersecurity posture. Should you identify gaps in your own infrastructure security, you are free to make global changes to improve. When your vendor is not secure, the trickle-down effect from a compromise could mean that your organization suffers from the same level of damage, costing you an average of $10 million per breach². In fact, a data breach due to a third-party vendor could be just as damaging as suffering a direct hack, because the potential to affect millions of patients is still there.

What Can Third-Party Risk Management Do?

Supply-chain vulnerabilities are difficult to detect, because they could be so far up the chain that your monitoring and mitigation strategies have no visibility. You might not be able to control a vendor’s environment, but you can mitigate your own risks using third-party risk management. Third-party risk management is the policies and strategies you put in place to evaluate, review, and question business associates, contractors, vendors, consultants, manufacturers, software developers, and any other entity that has access to your patient data either directly or indirectly.

For example, you might use a SaaS application to manage patient data, or you might use a third-party vendor to host your own homegrown internal application that manages patient data. Should the vendor suffer from a compromise, your entire patient portal and database system are at risk. Depending on the compromise, your own monitoring systems might not detect malicious traffic or anomalous behavior, so you are at the mercy of the vendor’s intrusion detection system and data loss prevention capabilities. In a sophisticated attack, some vendors are unaware that they have been compromised for months, leaving your own data open to eavesdropping and exfiltration until the vendor can contain the threat.

Instead of reacting to a third-party data breach after the fact, organizations can adopt strategies for vendor due diligence. Ideally, a vendor’s cybersecurity posture mirrors your own and creates an environment that adheres to HIPAA requirements. Due diligence involves background checks and vendor reviews meant to identify potential risks. Some businesses publish policies and submit questionnaires to vendors asking about their data loss prevention (DLP) strategies, backup policies, user access policies (e.g., least-privilege models), compliance guidelines (e.g., HIPAA, GDPR, PCI, or CCPA), data encryption requirements, disaster recovery plans, and incident response procedures. The answers vendors give can determine whether they meet your own risk standards.

Because the healthcare industry must stay HIPAA compliant, third-party risk management lets you know if your vendor does what is necessary to follow best practices and protect patient data. In some cases it could be a deciding factor between two vendors, or it can give you leverage to negotiate services and require new vendors to bring their environment to compliant standards before you begin a relationship.

How Third-Party Risk Management Works

Before you attempt to manage your risk, you first need a way to quantify the risk factor for each vendor. With Access Point, we provide a customizable service for assessing the risk of all your current vendors and will help you set up policies for onboarding any vendors in the future.

Automated data collection and threat intelligence are used to determine a risk score for every vendor. The data collected spans multiple domains, including dark web sites, to identify whether a vendor has ever been responsible for a breach. For example, if a vendor’s customer list with passwords is available for purchase, you need to know whether the vendor responded effectively to the breach and applied the resulting lessons learned to stop it from happening again.

Vendor risk scores help decide on a future relationship, but you still need ongoing threat intelligence and reviews. Third-party risk management is an ongoing exercise that does not end after an initial review. Threat intelligence continually monitors the dark web for any recent events that your vendor may not even be aware of. Tailored dashboards from Access Point consultants let you view the likelihood of a data breach, a security rating for each vendor based on their cybersecurity performance, and information about patching cadence and how long it takes a vendor to apply security patches compared to others in their industry.

The vendor’s IP addresses and domains are continually monitored and scanned for any unpatched vulnerabilities, and the data collected is mapped to industry standards and cybersecurity frameworks. The dashboards are available for any stakeholder to review so that they can continually monitor and manage any potential third-party risks.
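To make the scoring idea concrete, the following Python example is added here as an illustration; it is not Access Point’s scoring model, which the page does not describe in detail. It combines the signal types named in the due-diligence and monitoring passages above (questionnaire answers, patching cadence benchmarked against peers, unpatched critical findings on externally visible hosts, and dark-web exposure with or without a documented remediation) into a single score and tier. The control list, weights, tier thresholds and the three sample vendors are all constructed assumptions for the example.

```python
# Added example: a toy vendor risk scorer built from the signal types named
# on the page (questionnaire answers, patching cadence versus industry peers,
# external scan findings, dark-web exposure). The weights, control names and
# vendor data are constructed assumptions, not Access Point's methodology.
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional

# Controls a due-diligence questionnaire would ask about (assumed list).
REQUIRED_CONTROLS = [
    "dlp", "backups", "least_privilege", "encryption_at_rest",
    "encryption_in_transit", "disaster_recovery", "incident_response",
]


@dataclass
class PatchEvent:
    """One advisory the vendor had to act on: when published, when patched."""
    advisory_published: date
    patch_applied: date

    def latency_days(self) -> int:
        return (self.patch_applied - self.advisory_published).days


@dataclass
class VendorEvidence:
    name: str
    questionnaire: Dict[str, bool]   # control -> attested with evidence
    patch_events: List[PatchEvent]   # from monitoring the vendor's hosts
    open_critical_vulns: int         # unpatched criticals on their IPs/domains
    credential_exposure: bool        # customer data/passwords seen for sale
    breach_remediated: bool          # vendor shared root cause and lessons learned


def vendor_patch_latency(v: VendorEvidence) -> Optional[float]:
    """Median days from advisory to patch; None when there is no evidence."""
    if not v.patch_events:
        return None
    return median(e.latency_days() for e in v.patch_events)


def industry_patch_latency(vendors: List[VendorEvidence]) -> float:
    """Benchmark: median latency over every observed patch event across peers."""
    return median(e.latency_days() for v in vendors for e in v.patch_events)


def score_vendor(v: VendorEvidence, industry_median: float) -> dict:
    score = 0
    # 1. Questionnaire gaps: 10 points per required control not evidenced.
    missing = [c for c in REQUIRED_CONTROLS if not v.questionnaire.get(c, False)]
    score += 10 * len(missing)
    # 2. Patching cadence relative to peers (slower than median, or twice as slow).
    latency = vendor_patch_latency(v)
    if latency is None:
        score += 20                  # no evidence is itself a finding
    elif latency > 2 * industry_median:
        score += 30
    elif latency > industry_median:
        score += 15
    # 3. Unpatched critical findings on externally visible assets (capped).
    score += min(30, 10 * v.open_critical_vulns)
    # 4. Dark-web exposure: a remediated, documented breach weighs far less
    #    than one the vendor never explained.
    if v.credential_exposure:
        score += 10 if v.breach_remediated else 40
    score = min(100, score)
    tier = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"vendor": v.name, "score": score, "tier": tier,
            "missing_controls": missing, "patch_latency_days": latency}


def rank_vendors(vendors: List[VendorEvidence]) -> List[dict]:
    """Score every vendor against the peer benchmark, riskiest first."""
    bench = industry_patch_latency(vendors)
    return sorted((score_vendor(v, bench) for v in vendors),
                  key=lambda r: r["score"], reverse=True)


def _events(latencies: List[int]) -> List[PatchEvent]:
    # Constructed helper: one event per latency, all from the same advisory date.
    start = date(2023, 3, 1)
    return [PatchEvent(start, start + timedelta(days=d)) for d in latencies]


def _all_controls(**overrides: bool) -> Dict[str, bool]:
    controls = {c: True for c in REQUIRED_CONTROLS}
    controls.update(overrides)
    return controls


# Constructed sample vendors (names and figures are made up for the example).
SAMPLE_VENDORS = [
    VendorEvidence("ClaimsCo", _all_controls(), _events([5, 7, 10, 12]), 0, False, False),
    VendorEvidence("PortalHost", _all_controls(dlp=False, disaster_recovery=False),
                   _events([40, 60, 80]), 2, True, False),
    VendorEvidence("BillingSaaS", _all_controls(incident_response=False),
                   _events([20, 28, 35]), 1, True, True),
]

if __name__ == "__main__":
    for r in rank_vendors(SAMPLE_VENDORS):
        print(f"{r['vendor']:<12} score={r['score']:>3} tier={r['tier']:<6} "
              f"missing={r['missing_controls']} patch_latency={r['patch_latency_days']}")
```

Two design points carry over to a real programme: the patching benchmark is relative to peers observed in the same dataset rather than an absolute number of days, and an unexplained credential exposure is weighted far more heavily than a breach the vendor has documented and remediated, which is exactly the distinction the page asks you to check for.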

Third-party risk management is just one factor in Access Point Technology’s cyber-defense strategies used to help our clients avoid costly data breaches. It is a critical factor in the decision-making process for healthcare organizations responsible for HIPAA compliance and patient data.

To find out how Access Point Consulting can manage your third-party risks, meet with a subject matter expert.

Sources

¹ https://www.beckershospitalreview.com/cybersecurity/largest-healthcare-data-breach-reported-in-23-affects-more-than-4-2-million-patients.html

² https://www.ibm.com/reports/data-breach
