It’s a sad fact that hospitals and healthcare systems continue to be a prime target for cybercriminals. But it’s the rapid increase in cyberattacks targeting third parties, such as business partners, medical device vendors, and supply chain providers, that present one of the greatest – and often neglected – challenges facing the healthcare cyber risk landscape.
Fifty-five percent of healthcare organizations surveyed experienced a third-party data breach in the past 12 months, and seven of the top 10 healthcare data breaches reported so far in 2022 involved third-party providers. The largest breach – affecting more than 30 healthcare providers and health insurance carriers and 2.6 million patients – involved OneTouchPoint, an external mailing and printing provider.
And that top 10 list doesn’t even include other big attacks that impact healthcare, like the one against Ultimate Kronos Group, the provider of human resources and workforce management solutions, or Elekta, a third-party cancer treatment provider, radiation therapy and radiosurgery and clinical management services.
Cybercriminals’ growing interest in third- and fourth-party providers makes perfect sense as part of a highly effective “hub and spoke” strategy. Access to the hub (the Managed Service Provider (MSP)) gives them access to all spokes – the healthcare organizations that are the customers of the MSP. This provides a digital path for the malicious actors to infect multiple covered entities with malware or ransomware or to exfiltrate data.
Beware of the effects of increasing risk
Given that one of the cyberattacks targeting a nationwide mission-critical third party this year alone affected 650 healthcare customers, the appeal of third-party targets is crystal clear. This widespread third- and fourth-party risk exposure has far-reaching implications for both patients and healthcare organizations.
For example, the theft of large amounts of proprietary or sensitive data from an affected entity from billing and coding providers can lead to the identification of theft and other potential fraud cases for patients, and subsequent lawsuits against organizations. Or cybercriminals targeting healthcare payment processors can use email phishing and voice social engineering techniques to impersonate victims and gain access to accounts, costing victims millions of dollars.
The impact can go well beyond financial and reputational damage when a life or business-critical business partner falls victim to a ransomware attack. When their technology, services or consumables are unavailable, it can disrupt or delay the delivery of critical healthcare and organizational operations, as well as the health and safety of patients.
Is your third-party risk management program up to the task?
These threats underscore the urgent need for robust third-party risk management (TPRM) programs that enable you to identify, assess, and mitigate cyber risk from a strategic and tactical perspective. At the same time, a comprehensive approach to risk management must also include detailed preparations for responding to incidents as they arise; This allows you to assess impact, minimize downtime, support business continuity and ensure patient safety.
Here are four key strategies to boost your defenses and boost your responsiveness:
- Take a close and objective look at your existing TPRM program framework.
Review your program’s governance structure and determine if it needs to be revised. Confirm that you have a complete, dynamic inventory of all third parties that have access to your systems. Then ensure your TPRM identifies, classifies, and prioritizes the risks posed by those vendors and their subcontractors, right down to fourth-party risk.
Some factors to consider are:
- Does the provider support life-critical, mission-critical, or business-critical functions?
- How does the provider manage the access, storage and transmission of your company’s sensitive data, such as E.g. protected health information, personal data, payment information, medical research and intellectual property? Does the provider aggregate data, manage mass storage, or simply access it?
- What sensitive data, networks, systems and physical locations can the provider access?
- Is the supplier involved in foreign business and/or does he commission foreign subcontractors?
- Is there third-party software embedded in the third-party technology that amplifies vulnerabilities (like Log4j – footnote a news reference here on Log4j for medical devices) or creates privacy risks (like Meta Pixel – same footnote a news reference Healthcare)?
- Implement risk-based controls and third-party cyber insurance requirements based on identified risk levels.
Assess and formalize your policies and processes for incorporating cybersecurity into third-party risk management. These should include conducting regular in-depth technical, legal, policy and procedural reviews of the TPRM program and the Business Associate Agreement (BAA). The BAA should include cyber security and cyber insurance requirements for the vendor and subcontractors, adapting to each business partner’s level of risk.
Also, implement annual cyber risk assessments for policies and procedures, and annual assessments of vulnerability and penetration testing. Other best practices include:
- Identify and deactivate accounts that are no longer used.
- Consistently enforce and carefully monitor multi-factor authentication on MSP accounts with access to your environment.
- Require all BAA contracts to transparently identify ownership of information and communications technology (ICT) security roles and responsibilities, foreign affiliations, and foreign access to data and networks; Ensure that these contractual MSP cybersecurity measures align with your organization’s security requirements.
- Ensure third-party providers meet applicable regulatory compliance requirements for protected health information, payment information, personal information, tax-funded medical research, and other protected information.
- Consistently and clearly communicate third-party risk management policies, procedures, and requirements internally.
Every individual, department, and business unit in your organization that purchases technology, services, and consumables should be educated on your organizational third-party cybersecurity requirements and the potential cybersecurity risks to the organization involved in working with third-parties.
In some cases, there may be a need to balance financial capabilities and greater supply chain flexibility with the potentially higher cyber risks of certain vendors. This requires a higher level of risk tolerance and risk acceptance by the affected business unit and organization. It is recommended to have an organizational governance process in place so that a single business unit does not have the authority to make a unilateral decision on the acceptance of cyber risks by third parties (which could put the entire organization at risk).
- Prepare extensively for incident response and recovery.
The frequency and intensity of cyberattacks, coupled with the challenge of monitoring and detecting third-party threats, means that despite best mitigation efforts, the likelihood of an incident is high. Because healthcare cyberattacks can directly cause delays and disruptions in healthcare, patient safety is at risk; It is therefore imperative to adopt clinical and business continuity plans and downtime procedures for life-critical and mission-critical functions.
First and foremost, it is necessary to continuously implement a process to identify all internal, as well as external, third-party and supply chain providers of life and mission-critical functions, services and technologies. It is also important to identify which organizations or other providers depend on your organization for essential services. Which healthcare providers depend on the availability of their technology, services, networks and data? Essentially, who are you a life and mission critical service provider to? What is the contingency plan for these dependent organizations should they become disconnected from the internet and go “digital dark”? What impact will this have on your services if you fall victim to a ransomware attack?
Second, ensure that should these functions, services, and technologies be disabled by a cyberattack, they are adequately secured and prioritized for enterprise-level recovery. Develop clinical, operational and operational continuity plans and downtime procedures for all internal and external dependencies. Ideally, these procedures should be able to maintain life and mission-critical functionality for up to four weeks without significant degradation or degradation.
Third, train staff to competently execute these plans. Conduct regular downtime and cyberattack drills for a variety of scenarios at the individual, departmental, and enterprise levels, and invite your third-party providers to participate.
Finally, integrate your cyber incident response plan with the overall incident response plan, and integrate business continuity plans and downtime procedures with overall incident control and emergency preparedness functions.
Act strategically to manage your risk exposure
To learn more about how the AHA can help you strategically manage your third- and fourth-party cyber risk and protect your patients by minimizing the impact of downtime should cyber attacks occur, visit aha.org/cybersecurity or contact me at jriggi@aha. org.