Editor's Note: This article was originally published on spiceworks.com.
Healthcare organizations possess highly sensitive data, making them targets for cyber threats. While they prioritize cybersecurity, their third-party partners may not. Alastair Parr of Prevalent suggests concrete steps to reduce this risk.
Healthcare today is digital, and the interconnectedness of physicians, patients, payers, and providers has opened exciting new opportunities to deliver a higher quality of care to more people at a lower cost.
However, with new opportunities come new risks. When it comes to the risks facing our increasingly connected and AI-enabled healthcare system, administrators, policymakers, and other important stakeholders have only just begun to understand and address them. A digital and on-demand health system can be great – but only if malicious actors cannot breach the barriers and make off with some of Earth’s most valuable and sensitive information: medical, financial, and personally identifiable data.
While healthcare systems have their cybersecurity programs in place, they can’t necessarily say the same about the large and growing number of outside organizations they connect to. The vast majority of the time, they simply don’t know what steps their third-party partners (also known as business associates) have taken to keep the wolves from the door.
But as time goes on, they will need to learn. Fortunately, there are steps that healthcare organizations can take to minimize third-party risk. It’s imperative for them to take action to avoid becoming the next headline, illustrating the consequences of learning this lesson the hard way.
Healthcare organizations face multiple challenges in managing third-party risks, including the complexity of vendor relationships, the interconnected nature of healthcare systems, the evolving cybersecurity threat landscape, and the sheer volume of attacks. Specifically, these organizations must contend with the rapid adoption of electronic health records, the proliferation of IoT devices, and reliance on business associates to deliver critical functions.
These factors contribute to the heightened risk of cyberattacks originating from vendor relationships, necessitating robust third-party risk management strategies. Those lacking strategies risk turning into cautionary tales.
For example, the Perry Johnson & Associates (PJ&A) breach shows what can happen when security controls among healthcare organizations’ business associates are inadequate. This medical transcription vendor experienced a cyber-attack in 2023 that exposed the personal information of more than 9,000,000 of its hospital customers’ patients.
Although PJ&A’s customers have not reported cyberattacks against their own organizations as a result of this incident, multiple PJ&A customers – including Chicago’s Cook County Health (CCH), Northwell Health (New York’s largest healthcare provider), Bon Secours Mercy Health, and North Kansas City Hospital – have announced that their patients’ data was compromised as part of the incident. This has spurred several class action lawsuits against Northwell Health, alleging it failed to protect patient data. North Kansas City Hospital has also cut ties with PJ&A following the incident.
Additionally, the leaking of sensitive personal information from HCA Healthcare was tied to inadequate security controls among business associates, compromising millions of patient records.
These incidents highlight the critical importance of implementing stringent security measures and conducting thorough due diligence when engaging with third-party vendors in the healthcare industry, lest the victims face regulatory scrutiny, financial loss, or reputational damage beyond repair.
Healthcare organizations are subject to various regulatory frameworks and risk management standards, such as HIPAA (Health Insurance Portability and Accountability Act). HIPAA mandates specific requirements for safeguarding protected health information (PHI) and managing third-party business associate relationships.
Compliance requires healthcare organizations to implement robust risk management strategies, including conducting risk assessments, implementing security controls, and ensuring compliance with contractual obligations and regulatory requirements. NIST SP 800-66 is guidance developed to help healthcare delivery organizations (HDOs) understand the HIPAA Security Rule and to support its implementation.
These are a few rules of the road as healthcare grows more digital and connected by the day. Health organizations must adhere to them while keeping sight of the steps they must take to minimize the risk of doing business with other organizations.
These organizations can begin by building a centralized inventory of all third parties, one that includes
This approach facilitates effective business associate risk management governance by enhancing risk awareness across the organization, providing valuable centralized context for informed sourcing and selection decisions, and streamlining third-party vendor and supplier management processes.
Healthcare organizations must also address the risks of concentrating too much activity on too few pieces of technology, which we call concentration risk. This risk multiplies with the addition of new business partners.
Healthcare organizations can identify potential technology concentration risks within their business associate ecosystem by mapping fourth-party technologies in use among third-party vendors and conducting targeted assessments or using passive scanning to uncover additional relationships that might pose concentration risks. In the case of a software supply chain attack or cybersecurity incident impacting a commonly used piece of software, having an inventory of which third parties utilize that technology can be helpful to mitigate potential exposures.
To mitigate these risks effectively, organizations should prioritize vendors for assessment based on their reliance on critical technologies, evaluate potential vulnerabilities, and implement remediation measures to address identified risks. Additionally, organizations should diversify their vendor portfolio and adopt a risk-based approach to vendor management to reduce technology concentration risks.
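The fourth-party mapping and concentration-risk prioritization described above, as an added example (not code from the article or from Prevalent). The vendor names, technology names, tiers and weighting scheme are constructed placeholders; the weighting is an assumption chosen for illustration.

```python
# Added example: a small fourth-party technology map used to surface concentration
# risk and to answer "which business associates are exposed?" when a commonly used
# piece of software suffers an incident. All names and weights are constructed.
from collections import defaultdict

# Third-party inventory: vendor -> criticality tier (1 = most critical), PHI access,
# and the fourth-party technologies the vendor relies on (constructed placeholders).
INVENTORY = {
    "transcription-vendor-a": {"tier": 1, "phi": True,  "tech": {"ftp-gateway-x", "cloud-y", "edr-z"}},
    "billing-vendor-b":       {"tier": 1, "phi": True,  "tech": {"cloud-y", "vpn-w"}},
    "imaging-vendor-c":       {"tier": 2, "phi": True,  "tech": {"cloud-y", "edr-z"}},
    "catering-vendor-d":      {"tier": 3, "phi": False, "tech": {"cloud-y"}},
    "analytics-vendor-e":     {"tier": 2, "phi": True,  "tech": {"vpn-w"}},
}

def vendor_weight(v):
    # Assumed weighting: tier 1 counts most, and PHI access doubles the weight.
    return (4 - v["tier"]) * (2 if v["phi"] else 1)

def tech_map(inventory):
    # Invert vendor -> technologies into technology -> vendors (the fourth-party map).
    out = defaultdict(set)
    for name, v in inventory.items():
        for t in v["tech"]:
            out[t].add(name)
    return out

def concentration(inventory):
    # Share of total weighted reliance carried by each technology, highest first.
    total = sum(vendor_weight(v) for v in inventory.values())
    scores = {t: sum(vendor_weight(inventory[n]) for n in names) / total
              for t, names in tech_map(inventory).items()}
    return sorted(scores.items(), key=lambda kv: -kv[1])

def exposed(inventory, technology):
    # Vendors to contact when `technology` has an incident, most critical first.
    names = tech_map(inventory).get(technology, set())
    return sorted(names, key=lambda n: (-vendor_weight(inventory[n]), n))

def assessment_priority(inventory):
    # Vendors ranked for assessment by their own weight times the concentration
    # of the technologies they rely on (heavy reliance on shared tech ranks higher).
    conc = dict(concentration(inventory))
    score = {n: vendor_weight(v) * sum(conc[t] for t in v["tech"]) for n, v in inventory.items()}
    return sorted(score, key=lambda n: (-score[n], n))
```

Running `exposed(INVENTORY, "cloud-y")` gives the ordered call list for an incident affecting the most concentrated technology, and `assessment_priority(INVENTORY)` gives the order in which to schedule vendor assessments.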
Once some basic risk-management guardrails are established, healthcare-related organizations need to monitor for potential threats on an ongoing basis.
Several strategies will help monitor business associates for cyberattacks and proactively mitigate emerging threats. These include monitoring Dark Web criminal forums, threat feeds, code repositories, and vulnerability databases for signs of impending or active security incidents.
Additionally, organizations should leverage solutions that consolidate insights across multiple risk domains and present them enterprise-wide, enabling the correlation of monitoring data with assessment results and the establishment of a unified risk register for each vendor. As a part of that, organizations should integrate third-party operational, reputational, and financial data into business associate monitoring to provide context to cyber findings and measure the business impact of incidents over time. Finally, healthcare organizations should consider using AI tools that simplify data analysis to spot threats or offer risk-based guidance to speed up remediation.
When it comes to the organizations that handle the most sensitive and potentially valuable information in the world, shoring up defenses against data breaches is a job that never truly ends. It’s a task that will increasingly broaden to auditing the security practices of business associates and partners.
It’s never too soon to take the proper steps to make this happen, as organizations that can fully trust their business associates are the ones who will prosper while being done right by patients and doctors.