Safeguarding Healthcare Data: The Vital Role of Third-Party Risk Management

By

Safeguarding Healthcare Data: The Vital Role of Third-Party Risk Management

Recently, it seems like hospitals and healthcare providers suffer from a data breach every month, many of them due to third-party vendor vulnerabilities. The healthcare industry suffered from another data breach on March 14 when a third-party vendor responsible for managed care administration announced that a hacker stole more than 4.2 million patient records, the biggest breach of 2023 at that time¹. It’s not the first supply-chain data breach this year, and it certainly won’t be the last, mainly because the healthcare industry – and many others – are still coming to terms with the inherent risks third-party vendors bring to their organization.

Managing risk across the supply chain is much more difficult than managing your own, because you have no control over the ways a vendor manages their cybersecurity posture. Should you identify gaps in your own infrastructure security, you are free to make global changes to improve. When your vendor is not secure, the trickle-down effect from a compromise could mean that your organization suffers from the same level of damage, costing you an average of $10 million per breach². In fact, a data breach due to a third-party vendor could be just as damaging as suffering a direct hack, because the potential to affect millions of patients is still there.

What Can Third-Party Risk Management Do?

Supply-chain vulnerabilities are difficult to detect, because they could be so far up the chain that your monitoring and mitigation strategies have no visibility. You might not be able to control a vendor’s environment, but you can mitigate your own risks using third-party risk management. Third-party risk management is the policies and strategies you put in place to evaluate, review, and question business associates, contractors, vendors, consultants, manufacturers, software developers, and any other entity that has access to your patient data either directly or indirectly.

For example, you might use a SaaS application to manage patient data, or you might use a third-party vendor to host your own homegrown internal application that manages patient data. Should the vendor suffer from a compromise, your entire patient portal and database system are at risk. Depending on the compromise, your own monitoring systems might not detect malicious traffic or anomalous behavior, so you are at the mercy of the vendor’s intrusion detection system and data loss prevention capabilities. In a sophisticated attack, some vendors are unaware that they have been compromised for months, leaving your own data open to eavesdropping and exfiltration until the vendor can contain the threat.

Instead of being reactive to a third-party data breach, organizations can incorporate strategies overseeing vendor due diligence. Ideally, a vendor’s cybersecurity posture models your own and creates an environment adhering to HIPAA compliance. Due diligence involves background checks and vendor reviews meant to identify potential risks. Some businesses publish policies and submit questionnaires to vendors to ask them about their data loss prevention (DLP) strategies, backup policies, user access policies (e.g., least privilege models), guidelines around compliance (e.g., HIPAA, GDPR, PCI, or CCPA), data encryption requirements, disaster recovery plans, and incident response. The answers given by vendors could determine if they meet your own risk standards.

Because the healthcare industry must stay HIPAA compliant, third-party risk management lets you know if your vendor does what is necessary to follow best practices and protect patient data. In some cases it could be a deciding factor between two vendors, or it can give you leverage to negotiate services and require new vendors to bring their environment to compliant standards before you begin a relationship.

How Third-Party Risk Management Works

Before you attempt to manage your risk, you first need a way to quantify the risk factor for each vendor. With Access Point, we provide a customizable service for assessing risk for all your current vendors and will help you set up future policies for onboarding any vendors in the future.

Automated data collection and threat intelligence are used to determine a risk score for every vendor. The data collected spans multiple domains including dark web sites to identify if a vendor has ever been responsible for a breach. For example, if a vendor’s customer list with passwords are available for purchase, you need to know if the vendor has responded efficiently to the breach and the resulting lessons learned to stop it from happening again.

Vendor risk scores help decide on a future relationship, but you still need ongoing threat intelligence and reviews. Third-party risk management is an ongoing exercise that does not end after an initial review. Threat intelligence continually monitors the dark web for any recent events that your vendor may not even be aware of. Tailored dashboards from Access Point consultants let you view the likelihood of a data breach, a security rating for each vendor based on their cybersecurity performance, and information about patching cadence and how long it takes a vendor to apply security patches compared to others in their industry.

The vendor’s IP addresses and domains are continually monitored and scanned for any unpatched vulnerabilities, and the data collected is mapped to industry standards and cybersecurity frameworks. The dashboards are available for any stakeholder to review so that they can continually monitor and manage any potential third-party risks.

Third-party risk management is just one factor in Access Point Technology’s cyber-defense strategies used to help our clients avoid costly data breaches. It is a critical factor in the decision-making process for healthcare organizations responsible for HIPAA compliance and patient data.

To find out how Access Point Consulting can manage your third-party risks, meet with a subject matter expert.

Sources

¹ https://www.beckershospitalreview.com/cybersecurity/largest-healthcare-data-breach-reported-in-23-affects-more-than-4-2-million-patients.html

² https://www.ibm.com/reports/data-breach

Resources

Trending Articles & Security Reports

Resources

To Enhance Your Cyber Operations

The Best Cyber Defense Is Security Awareness

The Best Cyber Defense Is Security Awareness

As Cybersecurity Awareness Month winds down, we're pleased to share one last feature from Pierre Reed, the Chief of Staff at Access Point Consulting. He explores the importance of fostering a security awareness culture within organizations. Discover how building this culture can empower your team to better protect against cyber threats.

Find out more
Ransomware Readiness: Navigating the Threat to Your Business

Ransomware Readiness: Navigating the Threat to Your Business

As we conclude our 'ransomware readiness week' of this Cybersecurity Awareness Month, it's time to take a critical look at your organization's defenses. Ransomware attacks are becoming more sophisticated, and no business is immune. In our latest article, we explore essential strategies to bolster your ransomware preparedness. Don't miss this vital information to help protect your business from emerging threats.

Find out more