It’s a sad fact that hospitals and health care systems continue to be a prime target for cyber criminals. But it’s the skyrocketing growth of cyberattacks on third parties such as business associates, medical device providers and supply chain vendors that currently poses one of the biggest – and often-neglected – challenges on the health care cyber risk landscape.
Fifty-five percent of health care organizations surveyed experienced a third-party data breach in the last 12 months, and seven out of the top 10 health care data breaches reported so far in 2022 involved third-party vendors. The biggest breach – which affected more than 30 health care providers and health insurance carriers, as well as 2.6 million patients – involved OneTouchPoint, a third-party mailing-and-printing vendor.
And this Top 10 list doesn’t even include other major attacks impacting health care, such as the one against Ultimate Kronos Group, the human resources and workforce management solutions provider, or Elekta, a third-party vendor of cancer treatment radiation therapy, radiosurgery and clinical management services.
Cyber criminals’ burgeoning interest in third- and fourth-party vendors makes perfect sense as part of a highly effective “hub and spoke” strategy. By gaining access to the hub, the managed service provider (MSP), they gain access to all the spokes – the health care organizations that are the MSP’s customers. This gives malicious actors a digital pathway to infect multiple covered entities with malware or ransomware, or to exfiltrate their data.
Beware the ramifications of rising risk
Given that one of the cyberattacks targeting a nationwide mission-critical third party this year impacted 650 health care clients by itself, the allure of third-party targets is crystal clear. This rampant risk exposure of third and fourth parties has cascading ramifications for both patients and health care organizations.
For example, the theft of large quantities of a covered entity’s protected or sensitive data from billing and coding vendors can lead to identity theft and other potential fraud for patients and, subsequently, lawsuits against organizations. Or cyber criminals who target health care payment processors can use email phishing and voice social engineering techniques to impersonate victims and access accounts, costing victims millions of dollars.
The impact can extend well beyond financial and reputational damage when a life- or mission-critical business associate becomes a victim of a ransomware attack. If their technology, services or supplies become unavailable, it can disrupt or delay the delivery of critical health care and organizational operations, along with patient health and safety.
Is your third-party risk management program up to the task?
These threats underscore the urgent need for robust third-party risk management (TPRM) programs that enable you to identify, assess and mitigate cyber risk exposures from strategic and tactical perspectives. At the same time, a comprehensive approach to managing risk must also encompass detailed preparations for responding to any incidents that do occur; this enables you to assess impact, minimize downtime, support business continuity and ensure patient safety.
Here are four key strategies to bolster your defenses and strengthen your response capabilities:
- Take a hard and objective look at your existing TPRM program framework.
Review your program’s governance structure and determine whether it needs revamping. Confirm you have a complete, dynamic inventory of all third-party vendors that have access to your systems. Then make sure that your TPRM identifies, classifies and prioritizes the risks posed by these vendors as well as their subcontractors – drilling down to the level of fourth-party risk.
Some factors to consider include:
- Does the vendor support life-critical, mission-critical or business-critical functions?
- How does the vendor handle the access, storage and transmission of your organization’s sensitive data, such as protected health information, personally identifiable information, payment information, medical research and intellectual property? Does the vendor aggregate data, manage bulk storage or simply access it?
- Which sensitive data, networks, systems and physical locations can the vendor access?
- Is the vendor involved in foreign operations and/or does it hire foreign subcontractors?
- Is there embedded fourth-party software in third-party technology that amplifies vulnerabilities (such as Log4j) or creates privacy risks (such as Meta Pixel)?
- Implement third-party risk-based controls and cyber insurance requirements based on identified risk levels.
Assess and formalize your policies and processes for incorporating cybersecurity into third-party risk management. These should include conducting periodic in-depth technical, legal, policy and procedural reviews of the TPRM program and business associate agreement (BAA). The BAA should include cybersecurity and cyber insurance requirements for the vendor and subcontractors, which scale with the level of risk presented by each business associate.
In addition, implement annual policy and procedure cyber risk assessments for vendors, as well as annual vulnerability and penetration testing assessments. Other best practices include:
- Identify and disable accounts no longer used.
- Consistently enforce multi-factor authentication on MSP accounts with access to your environment and monitor them carefully.
- Require all BAA contracts to transparently identify ownership of information and communications technology (ICT) security roles and responsibilities, foreign affiliations, and foreign access to data and networks; verify that these contractual MSP cybersecurity measures align with your organization’s security requirements.
- Ensure third-party vendors meet applicable regulatory compliance requirements for protected health information, payment information, personally identifiable information, tax-funded medical research and other protected data.
- Consistently and clearly communicate third-party risk management policies, procedures and requirements internally.
Every individual, department and business unit within your organization that purchases technology, services and supplies should be educated about your organizational cybersecurity requirements for third parties and about the cybersecurity risks that work involving third-party vendors poses to the organization.
In some instances, it may be necessary to balance financial opportunities and greater supply chain flexibility against the potentially higher levels of cyber risk associated with particular vendors. This will require higher risk tolerance and risk acceptance by the impacted business unit and the organization. It is recommended that an organizational governance process be established so that an individual business unit does not have the authority to make a unilateral decision on third-party cyber risk acceptance (which could place the entire organization at risk).
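The two control practices above that are most directly automatable are disabling accounts no longer used and enforcing (and monitoring) MFA on MSP accounts, and both are only useful once the vendor inventory has been classified by criticality and data access, as the earlier strategy describes. The script below is an added illustration of that review, not the AHA’s or any vendor’s tool. It assumes a hypothetical inventory record per vendor account (the `VendorAccount` fields, the 90-day staleness threshold, the tiering rules and the key=value log format are all assumptions chosen for the example), and the vendor names, accounts and log lines are constructed placeholders. It tiers each account by the factors listed above (life-, mission- or business-critical; PHI, PII or payment access), flags stale accounts for disablement and MSP accounts lacking MFA, and scans sample authentication events for successful MSP logins that did not complete MFA, which is what a “monitor carefully” control should alert on.

```python
"""Hypothetical vendor-account review (added example, not the page's own code):
tiers third-party accounts by risk, flags stale accounts and MSP accounts
without MFA, and detects MSP logins that bypassed MFA in sample auth events.
All inventory records and log lines below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumed policy threshold; tune to your own access-review cadence
NOW = datetime(2022, 11, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


@dataclass(frozen=True)
class VendorAccount:
    account: str
    vendor: str
    vendor_type: str            # assumed categories: "msp", "billing", "device", "mailing"
    criticality: str            # "life", "mission" or "business" (factors from the text)
    data_access: frozenset      # data classes reachable, e.g. {"PHI", "PII", "payment"}
    mfa_enabled: bool
    enabled: bool
    last_login: datetime | None  # None means the account has never logged in


# Constructed inventory: vendor and account names are placeholders, not real organizations.
INVENTORY = [
    VendorAccount("svc-msp-ops", "ExampleMSP", "msp", "mission",
                  frozenset({"PHI", "PII"}), False, True, NOW - timedelta(days=3)),
    VendorAccount("svc-msp-backup", "ExampleMSP", "msp", "mission",
                  frozenset({"PHI"}), True, True, NOW - timedelta(days=120)),
    VendorAccount("vendor-radiation-support", "ExampleRadTherapy", "device", "life",
                  frozenset({"PHI"}), True, True, NOW - timedelta(days=10)),
    VendorAccount("vendor-billing-old", "ExampleBilling", "billing", "business",
                  frozenset({"PII", "payment"}), True, True, None),
    VendorAccount("vendor-print-legacy", "ExamplePrint", "mailing", "business",
                  frozenset({"PII"}), False, False, NOW - timedelta(days=400)),
]


def risk_tier(acct: VendorAccount) -> int:
    """1 = highest. Life-critical vendors and MSPs reaching PHI or payment data first;
    mission-critical vendors or any regulated-data access next; everything else last."""
    regulated = bool(acct.data_access & {"PHI", "payment"})
    if acct.criticality == "life" or (acct.vendor_type == "msp" and regulated):
        return 1
    if acct.criticality == "mission" or regulated:
        return 2
    return 3


def is_stale(acct: VendorAccount, now: datetime = NOW, stale_days: int = STALE_DAYS) -> bool:
    """An enabled account that never logged in, or not within stale_days, should be disabled."""
    if not acct.enabled:
        return False
    if acct.last_login is None:
        return True
    return now - acct.last_login > timedelta(days=stale_days)


def review_inventory(accounts, now: datetime = NOW) -> list[tuple[int, str, str]]:
    """Return (tier, finding, account) tuples sorted so the highest-risk items come first."""
    findings = []
    for a in accounts:
        if is_stale(a, now):
            findings.append((risk_tier(a), "disable-stale-account", a.account))
        if a.vendor_type == "msp" and a.enabled and not a.mfa_enabled:
            findings.append((risk_tier(a), "enforce-mfa", a.account))
    return sorted(findings)


# Constructed authentication events in an assumed key=value layout (not any product's schema).
SAMPLE_AUTH_LOG = """\
ts=2022-10-31T22:14:09Z event=login user=svc-msp-ops src=203.0.113.7 mfa=false result=success
ts=2022-10-31T22:20:41Z event=login user=svc-msp-backup src=203.0.113.7 mfa=true result=success
ts=2022-10-31T23:02:15Z event=login user=vendor-radiation-support src=198.51.100.9 mfa=true result=success
ts=2022-11-01T01:45:00Z event=login user=svc-msp-ops src=203.0.113.99 mfa=false result=failure
"""

_KV = re.compile(r"(\w+)=(\S+)")


def msp_logins_without_mfa(log_text: str, accounts) -> list[str]:
    """Return 'timestamp user from src' for each successful MSP login that skipped MFA."""
    msp_users = {a.account for a in accounts if a.vendor_type == "msp"}
    hits = []
    for line in log_text.splitlines():
        ev = dict(_KV.findall(line))
        if (ev.get("event") == "login" and ev.get("result") == "success"
                and ev.get("mfa") == "false" and ev.get("user") in msp_users):
            hits.append(f"{ev['ts']} {ev['user']} from {ev['src']}")
    return hits


if __name__ == "__main__":
    for tier, finding, account in review_inventory(INVENTORY):
        print(f"tier {tier}: {finding:<24} {account}")
    for hit in msp_logins_without_mfa(SAMPLE_AUTH_LOG, INVENTORY):
        print("MSP login without MFA:", hit)
```

Run as-is it reports the stale MSP backup account and the MFA-less MSP operations account at tier 1 ahead of the never-used billing account at tier 2, ignores the already-disabled print vendor account, and surfaces the one successful MSP login that bypassed MFA; failed attempts are left out deliberately because the control being monitored is completed access without MFA, not password guessing. In practice the inventory would come from the TPRM system of record and the events from the identity provider, and the thresholds and tiering rules belong in the BAA and policy reviews discussed above.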
- Prepare intensively for incident response and recovery.
The frequency and intensity of cyberattacks, coupled with the challenge of monitoring and detecting third-party threats, means the likelihood of an incident is high despite best efforts to mitigate risk. Because health care sector cyberattacks can directly result in the delay and disruption of care delivery, patient safety is at risk; it is therefore imperative to adopt clinical and business continuity plans, along with downtime procedures for life-critical and mission-critical functions.
First and foremost, it is necessary to implement, on an ongoing basis, a process to identify all internal as well as external third-party and supply chain providers of life- and mission-critical functions, services and technology. It is also important to identify which organizations or other providers depend on your organization for essential services. Which health care providers depend upon the availability of your technology, services, networks and data? In essence, to whom are you a life-critical and mission-critical service provider? What is the contingency plan for these dependent organizations, should you be disconnected from the internet and go “digitally dark”? What impact will there be on your services if you are the victim of a ransomware attack?
Second, make sure these functions, services and technology, should a cyberattack disable them, are sufficiently backed up and prioritized for restoration on an enterprise level. Develop clinical, operational and business continuity plans and downtime procedures for each of the internal and external dependencies. Ideally, these procedures should be able to sustain the life- and mission-critical functions for up to four weeks without significant impact or degradation of quality.
Third, train staff to execute these plans proficiently. Conduct regular downtime drills and cyberattack exercises for a variety of scenarios at the individual, departmental and enterprise level, and invite your third-party vendors to participate.
Last, but not least, incorporate your cyber incident response plan into the overall incident response plan, and incorporate the business continuity plans and downtime procedures into the overall incident command and emergency preparedness functions.
Act strategically to rein in your risk exposure
To learn more about how the AHA can help you to strategically manage your third- and fourth-party cyber risk and protect your patients by minimizing the downtime impact if cyberattacks should occur, visit aha.org/cybersecurity or contact me at jriggi@aha.org.