
Can You Trust Your Business Associates?


It’s unavoidable: the interconnected nature of healthcare today means your organization is inherently reliant on all sorts of other organizations. Every provider in modern healthcare relies on dozens of others.

The frameworks we have put in place for data exchange, and the expectations for how patient data is treated, are just one example of how dependent we have become on other organizations, in the private and public sectors alike.

Our supply and distribution chains, and even other services like billing, accounting and social media marketing, are all interconnected across organizations.

Third Parties Come With Added Risks

Some hospitals are extremely concerned about their risks with third party vendors. Are they doing what they say they are doing? Will they really abide by their business associate agreement (BAA)? Are they meeting the network and computing requirements needed to ensure that their handling of your data keeps your records from being breached?

Does anyone have trusted access onto your network?

Attackers may not need to breach well-protected internal servers if they have other access to your network. [Note: there are still many considerations in protecting your network that many hospital systems overlook or never get around to.]

If a third party deems something necessary, like administrative access to your network in order to occasionally configure or reconfigure something, will you give them that access? In our experience, more often than not you will.

But what if something happens to that vendor? They have open access to your network and your data. You have given them a certain level of trust on your network, trust that you probably don’t even give to team members who have worked at your organization for ten or more years.

It might be easier for a hacker to simply compromise a third party’s network and hop over to your network than to try to attack you directly.

Hackers have started seriously directing their efforts at healthcare, mainly because healthcare records are worth a LOT more money than other types of personal information. The reason? Medical procedures are increasingly expensive. Health records are also very detailed. Fraudulent filings are hard to detect (billers are not doing anything nearly as advanced as a bank detecting credit card fraud, which takes less than 30 seconds to detect). Takeaway: hackers want health records and will find ways to get in through your third party vendors.

We have seen this over the past few years, with hospitals and clinics hit by ransomware attacks such as WannaCry. But we’ve also seen big enterprise companies, the likes of Delta, Best Buy and Target, suffer critical breaches as a result of third party vendors.

How to overcome liabilities with third parties?

Get a third party risk assessment.

The first step to figuring out your risks along your supply chain, and your data chain, is to identify all of the vendors you are working with. Get a working list of all of your outgoing payments across the last year and audit your network to see which of those vendors have any sort of access to it. Get a list of ALL of the users in your facility’s Active Directory and figure out who has what access and whether that access makes sense. You might be surprised how many vendors your organization is actually hiring. Once you’ve figured out who they are, prioritize them and determine what level of due diligence they require in terms of their risks to your network security, data security, and data integrity. [NOTE: don’t discount organizations that don’t have access to specific data, such as cleaning services; they have physical access to a lot going on in your facility, including discarded data.]

Prioritize ALL of your vendors—make sure you understand why they are on your payroll. Do you share data with them? Do they have access to your facility?

Not all business associates or third party vendors are created equal. Some may not require much follow up, but some, even some you don’t anticipate, may need to be reassessed. Your groundskeeper, who mainly needs access to maintain the grounds surrounding your facility, probably has limited access to any important information and likely has no access to IT infrastructure at all, except to occasionally email you a monthly invoice. Understanding what your vendors do and what they access on premises can give you enough information to decide whether you need to follow up with them about data accessibility.

For the organizations that do pose a risk to your data, you need to assume that none of your security controls are keeping your data secure. Evaluate each control, password changes for example, to ensure that it is actually being met. Your biggest goal in assessing your vendors is to determine who to assess and at what level.

Next, categorize your vendors by putting them into risk bins (for instance, High, Medium or Low risk). Then assess them accordingly. Have a very rigorous evaluation for any High risk vendors. If they are accessing data and have access to your network, these vendors need routine review! If they have access to data that you send out, know that you are responsible in the event of a breach (you will at least want to make sure your data is being maintained in the way they committed to in your BAA). A high risk vendor that is not abiding by your security expectations gives you grounds to terminate the contract (you should seriously consider doing this for vendors not taking you and your organization’s data seriously!).
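The inventory step above (who in your Active Directory belongs to a vendor, and what they can reach) and the binning step (High, Medium, Low) can be started from the directory itself. The following PowerShell script is an added example, not tooling from the original post: it assumes the ActiveDirectory RSAT module is installed, that vendor accounts live under a placeholder OU, and that the list of privileged groups, the 90-day stale threshold and the binning rule are your own policy choices to adjust.

```powershell
# Added example, not from the original post: inventory the Active Directory accounts
# used by vendors / business associates and flag the access that deserves review.
# Assumptions: the ActiveDirectory (RSAT) module is installed, vendor accounts live
# under a dedicated OU (placeholder DN below), and the privileged groups, the 90-day
# "stale" threshold and the risk-bin rule are illustrative policy choices.
Import-Module ActiveDirectory

$vendorOU         = "OU=Vendors,DC=hospital,DC=example"   # placeholder search base
$privilegedGroups = "Domain Admins", "Enterprise Admins", "Administrators",
                    "Account Operators", "Server Operators", "Remote Desktop Users"
$cutoff           = (Get-Date).AddDays(-90)                # assumed stale-logon threshold

# Resolve privileged membership once, recursively, so nested group membership is caught.
$privileged = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.SamAccountName] += "$g;" }
}

$report = Get-ADUser -Filter * -SearchBase $vendorOU `
              -Properties Description, Manager, LastLogonDate, PasswordNeverExpires, AccountExpirationDate |
    ForEach-Object {
        $sam   = $_.SamAccountName
        $flags = @()
        if ($privileged.ContainsKey($sam)) { $flags += "PRIVILEGED($($privileged[$sam]))" }
        if ($_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)) { $flags += "STALE" }
        if ($_.PasswordNeverExpires) { $flags += "PWD_NEVER_EXPIRES" }
        if ($_.Enabled -and -not $_.AccountExpirationDate) { $flags += "NO_EXPIRY" }   # vendor account with no end date
        if (-not $_.Manager) { $flags += "NO_INTERNAL_OWNER" }                       # nobody inside owns this access

        # Assumed binning rule: privileged access is High, any other flag is Medium, else Low.
        $bin = if ($privileged.ContainsKey($sam)) { "High" } elseif ($flags) { "Medium" } else { "Low" }

        [pscustomobject]@{
            Account     = $sam
            Description = $_.Description
            Owner       = $_.Manager
            LastLogon   = $_.LastLogonDate
            Groups      = (Get-ADPrincipalGroupMembership -Identity $sam).Name -join "; "
            Flags       = $flags -join " "
            RiskBin     = $bin
        }
    }

$report | Sort-Object RiskBin, Account | Format-Table -AutoSize
$report | Export-Csv -Path .\vendor-access-review.csv -NoTypeInformation
```

The CSV is the starting point for the due-diligence list: every High row is a vendor whose BAA commitments and network access need routine review, and every STALE or NO_EXPIRY row is access that may no longer need to exist.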

One last word of advice:

It’s important to remember that you don’t have to go at this alone. Managing your cyber risks is complicated and can be hard to grapple with. There are solutions out there designed to evaluate your entire risk. Engage someone who understands the healthcare supply chain and can work with you to pin down the entire landscape of risk (in our experience, these risks are growing year after year, so starting sooner rather than later will help you get a handle on your data risks before they get out of hand).