A message about hand-washing is displayed on a computer monitor in the intensive care unit at Regional Medical Center on May 21, 2020, in San Jose, Calif. Managing vendor security is a challenge as third-party vendors have been responsible for some of the largest healthcare incidents this year. (Photo by Justin Sullivan/Getty Images)

As a whole, the healthcare sector relies on a significant number of third-party vendors and other business associates to maintain daily operations and provide relatively seamless transactions. But each added contractor further stretches the entity’s risk profile. What’s worse, effective vendor management is often overlooked.

Vendor-related incidents have drastically increased in recent years, accounting for 20% of healthcare data breaches in 2018, according to previous CynergisTek research. In comparison, third-party vendors were behind some of the 10 largest reported incidents so far this year and caused the most prevalent reported incidents in the last week.

To take the pulse of these threats and the needed mitigation strategies, SC Media spoke with Impact Advisors’ security team: Vice President Mike Garzone and senior advisors Barbara McClung, Marc Johnson, and Stephen Collins.

“Vendor security management continues to be a challenge for many organizations. As more technology services and support are outsourced, more cyber risk is introduced, which requires greater due diligence to ensure the vendor has implemented and maintains critical security controls,” said Impact Advisors’ leaders.

As attacks continue to worsen across critical infrastructure, entities must adapt and implement processes able to continuously evaluate the security posture of their vendors. But as it stands, most healthcare providers aren’t keeping pace with the current threats.

The role of BIAs in recovery, continuity plans

A business impact analysis provides organizations with an opportunity to determine the impact of unexpected disruptions to business functions and processes. An effective BIA will not just focus on the technology, nor will it be confined to IT.

Instead, the BIA should be used to “identify critical functions and processes necessary for the continuation of daily operations and gather information required to build a comprehensive business continuation strategy,” Impact Advisors leadership explained.

In an era where cyberattacks commonly lead to network outages, the BIA is crucial to understanding an entity’s readiness for recovering after an attack or other unexpected outage. As such, the BIA must analyze both operational and financial impacts after these types of events.

BIAs can also identify dependencies across internal and external departments, as well as third-party vendor relationships. Once a BIA is performed, it becomes the foundation for crafting a business continuity plan and drives the priorities of a disaster recovery plan.

“The BIA should not be seen as a check the box or a one-time activity: it needs to be revisited periodically to ensure business continuity and disaster recovery plans evolve as business operations evolve,” explained Impact Advisors. “BIAs should be incorporated into projects for expanding service lines and expanding facilities.”

Healthcare entities should review free resources from NIST, the Disaster Recovery Institute, outside consultancies, and the CRR Supplemental Resource Guide to better understand BIAs and the steps needed to develop effective continuity and disaster recovery plans.

Merging disaster recovery, business continuity

While some outlets typically use the terms disaster recovery plan and business continuity plan interchangeably, there’s a big difference between response plans and recovery plans. It remains important for the plans to work in tandem, while understanding the nuances between the two.

Business continuity is the blueprint for how entities will continue operations during an unexpected interruption that forces the use of manual processes after a computer outage, while disaster recovery specifically deals with the recovery of computer systems that support business operations.

“The two concepts intersect at the core: they balance and provide input to each other to maintain that balance. In the event of an interruption, not every system is crucial to the business,” explained Impact Advisors. “This is one of the biggest misconceptions in developing a BIA, which traditionally focuses on quantifying the cost to the business.” 

“The true value to the business is the understanding of how to be resilient before an incident, documenting the steps to continue in an easy-to-understand manner that does not require extensive knowledge of the business as part of a business continuity plan, and practicing those steps for familiarity in the event they need to be enacted,” they added.

Identifying and prioritizing dependencies, including vendors, IT systems, and other business processes, is crucial to restoring processes to full operational capacity. Workshops “provide the best interaction for staff to discover these nuances in dependency and criticality” and assist with creating an enterprise consensus.

Questionnaires are typically short on needed detail and accuracy and often enable ambiguity. Impact Advisors noted that this is a major pain point for many organizations, as entities rely on assumptions to develop effective recovery plans without a complete understanding of potential business impacts.

In fact, most business continuity and disaster recovery plans are developed in isolation within the organization. Impact Advisors data show that just 25% to 60% of these plans overlap, with as low as 16% in large organizations due to departmental autonomy.

“There are varying levels of recovery to consider, as well: it may not be as cut and dry as system A, then G, then D,” Impact Advisors leadership explained. “Considering service and data as separate tracks, you may recover a portion of a system (i.e. email for the functionality of communication without restoring the individual mailboxes) and later go back and need to restore the rest of it.”

Once criticalities and dependencies are clearly known, disaster recovery plans can better support the continuation of business operations after an incident.

Immediate measures

Threat actors have remained consistent in how they target healthcare: focusing on the weakest links and vulnerable access points. Although the government mandates a logical approach to the problem, “there are no silver bullets” and most providers are limited by stringent budgets.

As Impact Advisors sees it, it’s time for providers to get back to the basics: assessing risks and prioritizing remediation efforts based on the impact of a potential cyberattack on the enterprise.

Some recommended measures include:

  • Properly educating staff on security risks and ways to mitigate them
  • Requiring continued security conversations with staff
  • Protecting all privileged accounts
  • Enforcing password policies and implementing multi-factor authentication for network access and wherever protected health information resides
  • Implementing a strict patch management cycle
  • Securing and monitoring the network perimeter
  • Maintaining an updated, well-practiced incident response plan
  • Performing perimeter scanning every 24 hours

However, providers can’t “rely solely on the old ways of approaching cyber threats. Although the ‘best practices’ of the past remain a good foundation, organizations must get ahead of the criminal creativity and stop thinking in terms of silos,” explained Impact Advisors leadership.

While many vendors tout artificial intelligence as the cure-all for the current state of sophisticated attacks, the leaders also noted that AI is just one part of what’s needed to fix the state of healthcare cybersecurity. AI needs to be combined with machine learning to allow “correlations and patterns to be better viewed for a more impactful trigger to action.”

Physical security, such as audio and video, should also be combined with traditional cybersecurity measures, which will help entities successfully correlate social engineering “well in advance of an attack and take proper action prior to an incident.”

To improve vendor management, entities must evaluate the security posture of vendors and require the implementation of evidence controls. Security leaders must also establish strong relationships with internal departments, such as contracts, procurement, and legal, to “ensure security is part of the vendor process and no new vendors are contracted with unless there’s a security review.” 

“In turn, security must find reasonable pathways to ‘yes’ by being creative in how security controls are implemented and not be seen as a roadblock to progress,” explained Impact Advisors leadership.

“If security doesn't work as a partner across functions as well as with vendors to make the process workable for all, then others will continue to look for ways to circumvent the required vendor security assessments, which could make an organization vulnerable to external cyberattacks,” they added.