Why Vendors Need to Defend Highly Targeted Healthcare Providers from Third-Party Risk

Post Summary

Why are healthcare providers targeted by hackers?

Healthcare data is highly valuable, with a single medical record worth up to $250 on the black market, making healthcare the most targeted industry for cyberattacks.

How do hackers gain access to healthcare providers’ data?

Hackers often target third-party vendors, who manage critical systems such as electronic health records, medical devices, payroll, and cybersecurity.

What are the challenges with traditional third-party risk assessments?

Risk assessments have historically been manual, time-consuming, and inefficient. They take an average of eight or more weeks to complete and become outdated quickly due to frequent product updates and evolving cyber threats.

How can third-party vendors help reduce risks for healthcare providers?

Adopt technology to digitize and streamline risk assessments. Provide real-time updates to risk profiles for product patches, vulnerabilities, and upgrades. Conduct regular cybersecurity training for all employees to minimize human error and prevent phishing attacks.

What are the benefits of modernizing the risk assessment process?

Standardized assessments based on NIST standards. Improved visibility and collaboration between vendors and healthcare providers. Faster responses to risk assessment requests with one-click updates. More time for vendors to focus on supporting healthcare providers and improving patient care.

Healthcare data is highly valuable, as just one medical record can be worth up to $250 on the black market (compared to $5.40 for the next highest valued record). As a result, the healthcare industry continues to be the industry most targeted by hackers, with an increasing number of reported breaches occurring year over year.

To gain access to healthcare providers’ sensitive information, hackers often target third-party healthcare vendors – the electronic lifeblood of a healthcare system. These partners (an average of 1,000 vendors per hospital) are crucial to healthcare providers as they help to manage everything from patient electronic health records and life-sustaining medical devices, to payroll and cybersecurity. This is why it’s no surprise that 68 percent of third-party vendor organizations reportedly experienced a security incident in 2018, and in a domino effect, 20 percent of healthcare organizations were compromised throughout the year.

Third-party healthcare software vendors have a responsibility to their clients, as they are trusted with access to their network and sensitive data. With this trust and operational responsibility comes the need to identify, assess and remediate potential third-party vendor risks to the privacy and security of protected health and confidential information in a frequent and transparent way: third-party risk assessments.

Unfortunately, the process of conducting third-party assessments is incredibly inefficient and expensive for both vendors and healthcare providers. Due to a lack of resources, historically, these assessments have been manual, time-consuming, and non-repeatable. On average, they take eight or more weeks to finalize, and even after that, many are outdated almost as soon as they are completed as a result of dynamic product updates, environmental configurations, and cyber threats that change much more frequently than in the past.

This is why providers have started utilizing online platforms to modernize the risk assessment process, enabling them to take a more streamlined and efficient approach – and their vendors are benefiting as well. The era of manual spreadsheets is over. Providers are turning to technology that digitizes risk assessments and creates a more collaborative process that improves visibility for providers and their third-party vendors or suppliers. With this, comes the ability for vendors to:

  • Complete and reuse standardized risk assessments based on NIST standards
  • Control who has access to their risk assessments in real time
  • Access and manage all product and service risk assessments (including all supporting evidence) from a single pane of glass
  • Respond to subsequent assessment requests with one click
  • Update any changes to their risk profile in real time based on product patches, minor and major upgrades, vulnerabilities, etc.
  • Spend more time supporting their healthcare providers

Beyond adopting technology solutions, there are several common sense strategies that third-party healthcare vendors and other third parties can use to ensure they’re not putting providers at risk. This includes the need for internal education, regular cybersecurity training for all employees, and awareness campaigns designed to let all employees know about the threats that are out there. The threat landscape is constantly changing as attackers look for new exploits, and it shouldn’t just be up to cybersecurity and IT staff to help keep the company secure. Attackers often target individual employees through phishing attacks and other exploits, and it’s critical for all companies to take a security-first approach.

It’s critical that third-party vendors take responsibility for the risk they might potentially introduce to their clients. Through making an effort to effectively manage and reduce these threats and modernizing antiquated processes that evaluate and pinpoint areas of vulnerability, providers and vendors can get back to focusing on their main priority – servicing customers and delivering the highest quality of care.

Get your copy of the Censinet White Paper “Healthcare Third-Party Vendor Risk Management in the 21st Century” to learn more about the problems in current healthcare third-party vendor risk management and how a collaborative cloud platform like Censinet automates third-party vendor risk management securely and efficiently.

This article was originally published in the June 2019 edition of Insight, CHIME& Foundation’s monthly newsletter. Written approval from CHIME must be received in order to repost.

Key Points:

Why is healthcare data so valuable to hackers?

  • Healthcare data is highly valuable, with a single medical record worth up to $250 on the black market, compared to $5.40 for the next highest-valued record.
  • Medical records contain sensitive personal, financial, and medical information, making them ideal for identity theft or fraudulent activities.

How do hackers target healthcare providers?

  • Hackers often gain access to healthcare providers’ sensitive data by targeting third-party vendors, who manage critical systems such as electronic health records, medical devices, payroll, and cybersecurity.
  • With an average of 1,000 vendors per hospital, each vendor introduces potential vulnerabilities into the healthcare ecosystem.

Why are traditional third-party risk assessments failing?

  • Manual processes: Historically, risk assessments have relied on spreadsheets, which are time-consuming and inefficient.
  • Lengthy timelines: Assessments take an average of eight or more weeks to finalize.
  • Outdated assessments: Due to frequent product updates, environmental changes, and evolving cyber threats, many assessments become obsolete almost immediately after completion.
  • Lack of resources: Both vendors and providers struggle with inadequate resources to make the process efficient and repeatable.

How can healthcare providers and vendors modernize the risk assessment process?

  • Adopt technology to digitize risk assessments, enabling faster and more efficient processes.
  • Use tools that allow vendors to:
    • Complete and reuse standardized assessments (based on NIST standards).
    • Provide real-time updates to risk profiles for product patches, vulnerabilities, and upgrades.
    • Manage all product and service assessments from a single, centralized platform.
    • Respond to assessment requests with one-click updates.
  • Focus on creating a collaborative process that improves visibility for both providers and vendors.

What role does cybersecurity training play in reducing third-party risks?

  • Regular cybersecurity training ensures all employees understand evolving threats, such as phishing attacks and other exploits.
  • Attackers often target individual employees, making it critical for vendors to adopt a security-first approach across their organizations.
  • Training empowers employees to recognize threats and take proactive measures to protect sensitive data.

Why must third-party vendors take responsibility for risk management?

  • Vendors have access to healthcare providers’ networks and sensitive data, making them critical to the overall security ecosystem.
  • By effectively managing and reducing risks, vendors can protect their clients from costly breaches and maintain trust.
  • Vendors must prioritize transparency and collaboration with providers to ensure risks are identified, assessed, and remediated efficiently.

What are the benefits of modernizing third-party risk assessments?

  • Efficiency: Digitized assessments save time, reduce manual errors, and streamline workflows.
  • Collaboration: Providers and vendors can work together more effectively to address vulnerabilities.
  • Real-time updates: Vendors can keep risk profiles up-to-date with product changes, patches, and upgrades.
  • Improved focus: Vendors can spend more time supporting healthcare providers and improving patient care, instead of being bogged down by inefficient processes.

What is the ultimate goal of improving third-party risk management?

  • To create a secure healthcare ecosystem that protects patient data and reduces vulnerabilities.
  • To enable healthcare providers and vendors to focus on delivering high-quality care rather than being slowed down by inefficient processes.
  • To foster a culture of collaboration and transparency between healthcare providers and their third-party vendors.
  • To ensure all parties work together to proactively address risks and adapt to the constantly changing threat landscape.
