Supply chain, Risk Assessments/Management, Data Security

Reports show healthcare’s ongoing third-party vendor, vulnerability challenges

Medical worker checks on a patient connected to a ventilator during an ICU night shift at Baton Rouge General Mid City campus, April 28, 2020. (Cpl. Daniel R. Betancourt Jr./Marine Corps)

Healthcare organizations are much more likely than any other industries to have an incident response plan, according to new Shred-it research. However, 42% of providers surveyed for the report said they don’t have prepared recovery plans in place and may not be prepared to handle a security incident.

As the number of providers forced offline after an attack continues to rise, the results are more than concerning. Shred-it surveyed C-level executives and small and medium business owners across multiple industries, compiling a healthcare-specific dataset in tandem with its overarching report.

The findings show more than half of healthcare providers surveyed experienced a data breach in the past, and 29% faced a breach in the last year. These stats are concerning given that 64% of organizations said they’ve implemented effective information security tools and resources, and 75% said information security is important to their company.

Despite those assurances, vulnerabilities are leaving these providers in the lurch. Just one-third of the healthcare respondents said their organization performs vulnerability assessments on an ongoing basis and only 48% perform routine infrastructure auditing.

The gaps in preparedness are evident after a breach, where 35% of providers said it took weeks to resolve the most recent security breach at their organization. Recent weeks-long network outages at Johnson Memorial Health and Schneck Medical Center following cyberattacks support those findings.

As Impact Advisors security leadership recently explained, failure to develop recovery plans and other preparedness measures has a direct impact on vendor security — or lack thereof.

Recent data from SecureLink and the Ponemon Institute examined these correlations. Researchers surveyed 69 individuals from both the healthcare and pharmaceutical sectors to take a pulse of third-party vendor risks and incidents within the sectors. 

Although it’s a small sample set, the findings mirror previous reports and notices that highlight continued challenges these entities face in reducing vendor risk. The major data points aren’t overly shocking, such as the 44% of respondents that experienced a data breach caused by a third-party vendor within the last year.

But one of the more notable findings revealed that just 41% of healthcare and pharmaceutical organizations have a comprehensive inventory of all third parties with access to the enterprise network.

The statistic is alarming because it mirrors research released years ago, meaning most providers still have not fully tackled vendor or access risks within the healthcare and pharma environments.

For example, a 2017 Bomgar report showed that 69% of the 600 surveyed IT professionals experienced a breach tied to vendors having access to the enterprise network. It also found a steady increase in the number of vendors with authorized access to the network, with an average of 181 listed vendors per system.

One of the primary concerns was the frequency of password sharing between vendor employees. The comparative reports demonstrate the continued challenges providers face in securing access and managing a staggering number of vendors — the use of which is imperative to healthcare delivery.

“Attacks by third parties are on the rise across industries — and healthcare is no exception,” said SecureLink Chief Data Scientist Daniel Fabbri, in the report’s release. “It’s also clear there's an alarming disconnect between how an organization perceives a third-party threat and the actual reality of dangerous third-party access threats, as evidenced in the scarce security measures organizations employ.” 

“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access,” he added. “Providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyber attacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance.”

How then will healthcare improve vendor management?

The SecureLink report emphasized that the primary concern for healthcare and pharma entities should be employing effective measures to improve critical access management, beginning with limiting network and user access across applications. As noted by a number of security leaders in recent years, the overall goal should be to implement a zero trust security model.

Healthcare security leaders should also adopt monitoring for the applications that grant access, including an enterprise-wide review of all access rights held by users and vendors, covering governance, controls, and monitoring capabilities.
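Added illustrative example (not code from SecureLink, Shred-it, Impact Advisors or any vendor cited in this article): a Python access review that reconciles vendor accounts against an approved-vendor inventory, flags accounts whose access rights have not been reviewed within a year, flags logins from accounts that appear in no inventory at all, and uses the number of distinct login source addresses per account as a heuristic for the vendor credential sharing described above. All vendor names, account names and login events are constructed sample data.

```python
"""Vendor access review against an approved third-party inventory.
Illustrative example with constructed data, not any organization's real records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of vendors approved to hold network access.
APPROVED_VENDORS = {"acme-imaging", "northlabs"}

# Constructed vendor account list: account -> (vendor, last access review date).
VENDOR_ACCOUNTS = {
    "svc-acme-remote": ("acme-imaging", "2024-01-15"),
    "svc-northlabs": ("northlabs", "2023-02-01"),        # review older than a year
    "svc-oldvendor": ("oldvendor-hvac", "2023-11-10"),   # vendor missing from inventory
}

# Constructed remote-access login events for one day: (timestamp, account, source IP).
LOGIN_EVENTS = [
    ("2024-03-01T09:00:00", "svc-acme-remote", "203.0.113.5"),
    ("2024-03-01T09:05:00", "svc-acme-remote", "198.51.100.7"),
    ("2024-03-01T09:10:00", "svc-acme-remote", "192.0.2.44"),
    ("2024-03-01T10:00:00", "svc-northlabs", "203.0.113.9"),
    ("2024-03-01T11:00:00", "contractor-temp", "203.0.113.20"),  # account on no list
]

REVIEW_DATE = datetime(2024, 3, 1)  # constructed "today" for the review run


def review_vendor_access(approved, accounts, events, today,
                         review_days=365, share_threshold=2):
    """Return a dict of finding category -> sorted list of affected accounts."""
    findings = defaultdict(set)
    for acct, (vendor, reviewed) in accounts.items():
        if vendor not in approved:                      # access with no inventory entry
            findings["unknown_vendor"].add(acct)
        if today - datetime.fromisoformat(reviewed) > timedelta(days=review_days):
            findings["stale_review"].add(acct)          # rights never re-certified
    sources = defaultdict(set)
    for _ts, acct, ip in events:
        if acct not in accounts:
            findings["unlisted_account"].add(acct)      # logging in, tracked nowhere
        sources[acct].add(ip)
    for acct, ips in sources.items():
        if len(ips) > share_threshold:                  # heuristic: many origins, one credential
            findings["possible_shared_credential"].add(acct)
    return {k: sorted(v) for k, v in findings.items()}


def run_review():
    return review_vendor_access(APPROVED_VENDORS, VENDOR_ACCOUNTS, LOGIN_EVENTS, REVIEW_DATE)


if __name__ == "__main__":
    for category, accts in sorted(run_review().items()):
        print(f"{category}: {', '.join(accts)}")
```

The thresholds are starting points for a review, not verdicts; a flagged account still needs the vendor relationship and change tickets checked before access is revoked.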

“The true value to the business is the understanding of how to be resilient before an incident, documenting the steps to continue in an easy-to-understand manner that does not require extensive knowledge of the business as part of a business continuity plan, and practicing those steps for familiarity in the event they need to be enacted,” leaders from Impact Advisors previously noted.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
