As healthcare entities integrate, merge, and digitally transform, organizations should consider the potential impact of third-party cyber risk on billing, healthcare operations, and patient care. Third-party risk can originate from business associates and, increasingly, from clinical/ambulatory entities that can provide a pathway for attackers to impermissibly access critical EHR and other systems provided by the health system or payer at large. The data, applications, cloud services, medical devices, clinical capabilities, and BI systems provided by third parties that are critical to the organization must be understood in order to develop comprehensive risk management, incident response, contingency, and continuity plans. It is important to protect the privacy, confidentiality, and integrity of these critical processes.
An examination of trends from 2021 indicates that:
There are a number of takeaways from this data. Healthcare entities should perform a comprehensive risk analysis of the third parties that present the highest likelihood of impact to the organization, and they should maintain an accurate inventory of all third-party systems, applications, cloud services, integrations, network connections, and data flows in order to determine the sufficiency of security and privacy controls. Healthcare organizations must understand the potential impact of third-party breaches and security incidents as part of a comprehensive business impact assessment, and they should define clear incident response and business/clinical contingency plans to ensure the continuity of billing, clinical, payer, and healthcare operations. Cybersecurity best practices should be embedded in all phases of the third-party relationship lifecycle, from pre-procurement through termination of the relationship. Healthcare entities should review the software bill of materials provided by medical device and software vendors to mitigate threats presented by third-party use of open source components (e.g., Log4j). Third parties should also be included in disaster recovery tabletop exercises. The organization's workforce must be educated to ensure that third-party cybersecurity is part of the culture and the decision-making process.
Additionally, a periodic review should be performed of sources of threat intelligence, and a plan should be developed to monitor your vendors' ability to manage the security of your data and processes. Outside services that provide cybersecurity monitoring of third parties, as well as periodic review of independent audits of third-party service providers, should be considered.
Source: Healthcare Breach Report, Critical Insight, July-Dec 21 Security Research, and Data Analytics
These issues should not be taken lightly, as the threats are very real. Here are a few recent examples:
Cybersecurity should be taken seriously, and resources should be dedicated to ensuring your organization is protected against third-party threats. Our Cybersecurity team specializes in healthcare security and can assess the risk to your organization and assist you in developing a go-forward plan. Contact our team today to learn how we can help you protect your organization from third-party threats.