The risk of supply chain partners is well-known in all sectors, thanks, in part, to the massive disruptions caused by the Colonial Pipeline, SolarWinds, and Accellion incidents in 2020. In healthcare, however, these cyberattacks cause more than just massive data breaches and service disruptions: third-party incidents drastically increase patient safety risks.
It’s true that third-party vendors were behind the vast majority of healthcare data breaches last year, with the largest 12 business associate-related incidents compromising the data of nearly 25 million patients.
These staggering numbers are certainly noteworthy, particularly when considering the sensitivity of protected health information.
But at the HIMSS Cybersecurity Forum in December, Erik Decker, Intermountain Healthcare CISO and vice president, stressed that the real issue is the possible impacts facing mission critical functions of third-party vendors after a cyberattack.
Intermountain Healthcare, for example, is an integrated delivery network, which means there’s both a payer and provider side to consider — with all of the connected third parties that support business processes like the imaging lab and pharmacy. Each of these departments perform critical functions, supported by third parties, that play a role in delivering those services.
“If those third parties go down, they can impact the actual critical function of the delivery of healthcare in an acute way, such as emergency trauma or potentially a more chronic manner with long-term disease management,” said Decker.
When providers consider their business continuity processes, there are services that would have obvious impacts if the tech went down, like an electronic medical record in the cloud, he explained. But what about some medical device or modalities that require “computations in the cloud to be active?”
If the cloud goes down, the modality is no longer functional and perhaps “a linear accelerator connected to a radiation oncology treatment system that may or may not exist,” Decker continued. The implication associated with clinical outcomes is a mission critical function.
The scenario is not hypothetical: Elekta faced a ransomware attack in 2021 with similar disruptions for cancer patients. The third-party vendor provides radiation therapy, radiosurgery, and clinical management services for cancer treatment providers, and when the attack struck in April of that year, cancer treatments were disrupted for at least 40 health systems.
Canceling radiation treatment appointments due to network outages is a serious patient safety risk. But without network access to these critical functions, the providers had no choice.
The same risks are posed by vendors that provide other core services to hospitals, including laundry services, syringes, and medical equipment. Decker mused: “If those things are down, what do you do? How does that impact hospitals?”
Vendors are a critical part of care delivery, with most major health systems operating under a substantial number of supply chain partnerships necessary to seamlessly provide care. And the risk of these vendor relationships is well-known, after the aforementioned 2020 incidents prompted federal actions to secure the supply chain.
In healthcare, these longstanding issues have been compounded by the expansion of digital tech to bring care outside of the hospital and drastically increasing the number of endpoints in the process.
As a result, there’s been a substantial uptick in access challenges and what Decker called the “cross effect,” or the convergence of major supply chain vendors.
A vendor may need back-end access into the network, or perhaps affiliated clinics can have direct access to your environment. Each endpoint is a potential weakness or another way for an actor to gain access. As seen with the rippling business impacts of the Kronos payroll outages last year, supply chain convergence is adding yet another layer to vendor risk.
“They’ve become very target rich” with the potential to cause “maximum damage, maximum impact,” said Decker. "When the [Kronos] issue happened, many people thought, ‘well, it's just payroll management, or so forth.”
“Well, hospital systems, nursing scheduling, were [also] running through the system, and that caused direct challenges to care because” of the reliance on those systems.
When speaking about vendor risk, it’s imperative to move the discussion beyond data impacts and into a frame of possible disruptions for critical functions to better manage how entities ensure they’re providing a safe environment for care.
To grasp the business angles alongside needed security measures, SC Media also spoke with former CynergisTek CIO Ben Denkers to shine a light on just what’s needed to address these long-standing business vulnerabilities.
It’s a “systemic issue” across most sectors to ensure partners, vendors, and other supply chain entities are free of risk, or what is determined to be an acceptable level of risk and manage those partnerships as an organization. Fortunately, it’s a fixable issue with the right processes.
As seen with Meta fallout, procurement needs an overhaul
The use of Pixels in healthcare renewed concerns about the procurement process and demonstrated just what can go wrong when tools or processes are designed without security in mind. As covered by SC Media, the implementation of the Meta tracking tool for marketing purposes led to massive data breaches and now multiple lawsuits against those providers.
What’s notable is that the marketing teams that implemented these tools were likely unaware of the privacy and compliance violations.
The problem is that “a lot of those decisions happen up the chain in procurement, and security is often an afterthought,” said Denkers. As a result, many of these business decisions or product purchases are being made without the input of a security leader.
Denkers is optimistic that these types of issues would thrust vendor management and security into the spotlight, which could lead to real change. In the wake of SolarWinds, for example, the Biden administration worked swiftly to enact new security requirements for critical infrastructure organizations.
But supply chain and vendor vulnerabilities have been a problem for many years, and it still hasn’t been solved.
If healthcare is ever to see broad risk reduction in its heavy reliance on vendors and technology, providers must get a handle on the procurement process and ensure cybersecurity is top of mind across enterprise leadership — and not just in the privacy, security and legal offices.
It’s true that certain technologies are inherently vulnerable (medical devices, for example), but they’re still necessary for business operations. What’s missing from these processes is the consideration of the possible threats and risks that introducing certain products could have from both a privacy and patient-safety perspective.
“The issue is that they’re not even having these conversations. They’re just purchasing or making a decision without having the right people at the table to help them understand the potential impacts of what that decision looks like,” said Denkers.
Organizations need to learn from others’ mistakes and their own missteps, and put in processes and evaluate security programs to address possible security impacts from using a particular product or solution, at a minimum.
Without that missing piece, these incidents will only continue and possibly worsen, as threat actors continue to find new, creative ways to target the over-burdened sector.
“It's like, how many times are you going to touch the hot stove before you realize, ‘Hey, maybe I shouldn't touch the hot stove’,” said Denkers. “Making a business decision without understanding the potential security of privacy risks seems counterintuitive.”
Effective vendor assessment is typically accomplished through questionnaires able to glean insight into the vendor’s security posture, he explained.
A more effective process would see entities analyze the acquisition process, their vendor connections, how they’re actually assessing risks, and whether or not organizational leadership truly understands the impacts of the decisions they’re making, whether it's purchasing or otherwise.
It takes moving beyond the questionnaire and taking a hard look at processes, as those documents are “still a point in time.” Denkers stressed that “unless you're doing a full risk assessment of each of those vendors, you're limited in validating the answers they provide.”
“For the most part, again, it's a point in time assessment at best,” he continued. “It’s really that second piece that is difficult to execute: how do you, as an organization, validate that … your partner or vendor is doing what you require them to do?”
At the end of the day, it will take a top-down approach to determine what’s considered acceptable risk, then outline and build out that strategy. Denkers noted that it should include a predefined process for vendors and evaluation criteria for what a “good vendor” looks like that are considered “non-negotiable” across the board.
On the business side, the hospital must leverage a risk matrix to identify those risks, while fine-tuning the procurement process to close obvious gaps like failing to include the security team or a security assessment, at a minimum.
“Ultimately, the organization is the one writing the check,” Denkers concluded. If an organization outlines its security risks and a vendor does not want to adhere to it, the entity can choose to work with another vendor.
Of course, there are times where there are limited vendors for certain services, which is another scenario to consider. Denkers explained that this is common experience during contracting, and the entity can either accept the risk and push forward or choose to go with a more security vendor.
When selecting a riskier vendor, however, it’s crucial to have internal risk management processes and compensating controls to protect the enterprise. Denkers added, if an entity accepts the risk because there isn’t another option, “then it becomes their responsibility to minimize the potential of that issue wherever it becomes exploited, or taken advantage of.”
But if organizations, perhaps in all industries, can agree to established security requirements, it may drive change in vendors’ security decisions due to lost revenue from lost customers that refuse to work with vendors that lack those standards.