The State of Security Threats in Healthcare’s Third-Party Vendor Relationships
Hospitals and healthcare organizations must rely on the indispensable services of interconnected technology and third-party vendors for day-to-day operations; however, these necessary components often present unique security risks. As the healthcare industry continues to advance, new strategies, tools, and safeguards must be developed to reduce risks and mitigate threats to highly sought after healthcare data. In order to establish an effective data protection strategy that is unique to the challenges of healthcare cybersecurity and to defend important patient records as well as IT and corporate data, it is essential to continuously assess security threats facing healthcare.
Consequences of Unmanaged Risk
Although the ultimate goal of an effective cybersecurity system is to prevent any intrusions, the reality is that data breaches are inevitable. You know all too well what could happen if a hacker circumvents your current security measures. Hackers can wreak havoc on a hospital business with ransomware, IT data theft, and other types of manipulation. According to an alarming statistic released by the HIPAA Journal, there have been 2,546 healthcare data breaches reported between 2009 and 2018. In total, 189,945,874 healthcare records were stolen or exposed, equating to roughly more than 59% of the entire population of the United States. Identity theft, illegally obtained prescription medications, and access to health insurance provider information can all negatively affect patients, but direct attacks on healthcare organizations should be the highest concern when it comes to anticipating risks. These attacks have the capacity to cause harm to patients, tarnish an organization's reputation, and result in financial losses due to data ransoms and fines levied by the Office of Civil Rights (OCR) for non-compliance of properly securing Protected Health Information (PHI).
Technological Advancements in Healthcare Create Vulnerabilities
With the continuous creation and implementation of advanced medical technology in hospitals, it is impossible for healthcare providers to avoid the use of online medical devices and record-keeping systems. Today, many medical devices are designed with accompanying smartphone applications for easy use and monitoring, offering innovative, expedited services to patient populations. Although these improved tools make it easier than ever for clinicians to do their jobs efficiently and keep patients healthy, they complicate the process for cybersecurity professionals with increased susceptibility. There are several factors to consider when it comes to evaluating which aspects of your hospital business present the highest levels of opportunity in the mind of a hacker.
Third-Party Risk Management
Third-party vendors are essential partners for hospital business because they provide products and services that cannot realistically be produced or replicated in-house. These third-party relationships range from small monthly orders for syringes to outsourcing your entire employee payroll system. The degree to which your organization is dependent upon individual third-party vendors and the level of access they have to your network will help determine the approximate amount of risk they present. Currently, many hospitals still use archaic, manual risk management processes that are time-consuming, expensive, and inefficient to assess partnership risks. As a result, many prospective third-party vendors are quickly funneled through the approval system without receiving adequate examination, introducing a host of cybersecurity issues.
Loss of PHI
A unique aspect of the healthcare industry is the amount of PHI that is required to receive medical care, including social security data and home addresses that have been compiled over decades of medical visits. The value of healthcare data far outweighs that of any other industry and data breaches in these areas can cost more than 2.5 times the global average when compared to other types of documents. One recent study, conducted by the Ponemon Institute, discovered that the average cost of a data breach for a hospital business was around $380 per record. In addition to lost funds and compromised patient safety, organizations are liable to pay hefty fines for failing to protect sensitive patient information. As outlined in the Health Insurance Portability and Accountability Act (HIPAA), Healthcare organizations are required to take specific security measures to protect electronic health records (EHRs) for all entities with access to the information; this includes third-party vendors. Financial penalties or fines can be issued by state attorneys general for HIPAA violations of PHI data even if the breach originated from a third party vendor, resulting in further losses for an organization.
Ransomware
According to data from the cybersecurity firm, Recorded Future, in a report published by CNN, there have been 140 ransomware attacks targeting public state and local governments and healthcare providers in 2019. The impact of these attacks can range from having to shut down entire email systems to prevent the spread of malware to providers completely losing access to their patient’s health information. While other industries might be able to stall payments, time-sensitive organizations like hospital businesses rely on the consistency of their systems to provide life-saving care to patients and therefore frequently have no choice but to pay a hacker’s ransom. It is also worth noting that even when organizations pay a ransom fee, they are not always guaranteed reentry to their own systems and might be pressed for even more money.
Making Network Security a Priority
There are a variety of ways the healthcare industry can be impacted by breaches in digital security and new technologies are developed every day to bypass established defensive measures. The first step to ensuring that your organization is able to stay ahead of these major threats to healthcare businesses is to assess your third-party risk management process.
- Do you know who all of your vendors
are and can you quickly access some form of a risk profile to determine whether or not they present a threat to your organization? - Are you aware of the price tag that could be associated with a data breach related to these vendors?
Download the report issued by the Ponemon Institute to discover the costs your healthcare business could incur as the result of a data breach.
