Third-party risk management critical to protecting against cyberattack

In a recent survey, more than half of healthcare organizations reported a third-party data breach in 2022. Worse, 70% of those third-party breaches were caused by granting third parties too much remote access.

While third-party access to organizational data and network resources is critical for hospitals to function properly in an increasingly vendor-supported environment, many organizations fail to secure those connections. Often healthcare risk management programs fail to address security surrounding their third parties due to a lack of automation, partial or non-deployment of security controls, and the time and resources required for conducting risk assessments. According to breach data from the Office for Civil Rights, a business associate (BA) is present in 36% of healthcare breaches, a percentage that has held steady over the past few years. In addition, BAs are directly responsible for 18% of all breaches, a percentage that is increasing and many of those third-party services involve cloud-hosted solutions.

A significant example of a third-party breach affecting healthcare operations occurred in December 2021, when HR and payroll company Kronos reported a data breach affecting more than eight million customer employees. The breach impacted multiple companies across numerous industries, such as FedEx, Whole Foods, the city of Cleveland, and PepsiCo. The outage included a cloud-based product specifically designed for the 24/7/365 nature of healthcare and used in settings from small rural hospitals to academic medical centers and large healthcare systems. While healthcare was slower than many industries in moving IT services to the cloud, the modern hospital cannot function without cloud-based services for everything from EHR and PACS to bed management software, medical devices, procurement software, heating and air systems, and much more. Each of those connections presents a potential entry point for bad actors to infiltrate the hospital infrastructure ecosystem and look for ways to move to other systems where sensitive data is stored.

Best practices necessitate a comprehensive third-party risk management (TPRM) program that’s integrated across the organization and throughout the lifecycle of business relationships. This lifecycle begins during vendor selection, continues through onboarding, and only ends when the business associate finishes its relationship with your organization – which should only happen upon and only after completing a checklist of security precautions designed to remove all access to your systems. Continuous monitoring and re-assessment are critical for effective TPRM to identify security breaches and respond to changes in vendors’ security postures. Holding vendors accountable for remediating their security gaps is key to minimizing the likelihood of external risks impacting the organization.

Identifying which vendors to assess initially as part of the TPRM program should consider a broad range of risk factors. Systems that facilitate patient care, require an elevated level of availability, store, process, or transmit sensitive data, or support critical business processes should be included within third-party risk management. Think EHR, lab systems, pharmacy, imaging, OR/ER systems, and communications. But sooner, rather than later, every third-party system connected to your network or handling sensitive data must be evaluated. The evaluation process includes contacting each vendor and documenting their security practices as they relate to your organization. If they are not sufficiently secure, what steps are required to bring them into compliance? Chasing down vendors, reviewing documentation, verifying attestations, documenting risks and corrective action plans, conducting follow-up evaluations, and monitoring ongoing connections can stress even the largest health systems.

To help with the rigorous process of evaluating third-party vendors, more and more organizations use managed security services providers (MSSP) to perform TPRM services. Fortified’s As such, it’s important that the MSSP your hospital or health system selects includes a TPRM assessment methodology is based on industry-accepted frameworks and relevant regulatory requirements that ensure vendor assessments are executed and evaluated consistently.

Third-party risk management is a critical component of any healthcare organization’s overall cybersecurity program. Healthcare organizations serious about protecting patient data need to establish safeguards that extend beyond their own walls to include these important third parties in an effort to help industry stakeholders protect their data, mitigate and manage risk, and empower third party relationships.

Melissa Adams is Director of Assessment Services and Daniel Hudgins is Service Lead of Third-Party Risk Management at Fortified Health Security. The company recently released the “2023 Horizon Report” on the state of cybersecurity in healthcare.