Cybercriminals are increasingly attacking business associates of HIPAA-covered entities because compromising one vendor can give access to the systems of a number of healthcare providers. To help healthcare delivery organizations (HDOs) manage the situation, the Cloud Security Alliance (CSA) has released new guidance on third-party vendor risk management in healthcare. The guidance was produced by the CSA's Health Information Management Working Group; it includes examples and use cases and describes some of the risk management program tools that HDOs can use to control vendor risk.
Third-party vendors provide useful services to HDOs, including services that cannot be competently managed in-house. Even so, engaging vendors introduces compliance, cybersecurity, reputational, privacy, financial, strategic, and operational risks that must be addressed and mitigated. The guidance is intended to help HDOs identify, analyze, and mitigate the risks of using third-party vendors, so as to prevent security incidents and data breaches and to limit their severity when they do occur.
Cyberattacks on vendors serving the healthcare market have escalated recently. Rather than attacking an HDO directly, attackers target a vendor to obtain sensitive files or to abuse the vendor's privileged access to an HDO's network. For example, when a managed service provider (MSP) is successfully compromised, the attacker can reach the networks of all of its clients by taking advantage of the MSP's privileged access to them. This is attractive to an attacker because it means there is no need to break into the network of each MSP client one at a time.
When third-party vendors are used, the attack surface increases significantly, and managing and reducing the resulting risk is usually a challenge. Although all industries rely on third-party vendors, vendor-related security threats are most prevalent in the healthcare sector. The CSA attributes this to a lack of automation, the extensive use of electronic systems and medical devices, and poor configuration of the critical vendor management controls that have been deployed. Because healthcare providers typically use many vendors, performing thorough and accurate risk assessments for every vendor and applying critical vendor management configurations can be a very time-consuming and costly process.
Dr. James Angle, co-chairman of the Health Information Management Working Group, said that Healthcare Delivery Organizations put their confidence in third-party vendors to secure their sensitive data, finances, reputation, and more. Given the importance of this crucial, sensitive data, together with regulatory and compliance requirements, it is vital to know, assess, and lessen third-party cyber risks. The paper presents an understanding of third-party vendor issues in healthcare as well as proposed identification, discovery, response, and mitigation practices.
Whenever an HDO chooses to use a third-party supplier, it is essential that effective monitoring controls are in place. Nevertheless, the number of third-party and vendor-related data breaches makes it evident that many healthcare providers struggle to identify, protect against, detect, respond to, and recover from these events, which shows that current strategies for assessing and managing vendor risk are falling short. These incidents can have a tremendous financial impact: beyond the cost of breach mitigation, HDOs also face the risk of regulatory fines from the HHS' Office for Civil Rights and state Attorneys General, and there is a high probability of long-lasting reputational harm.
The CSA offers several recommendations in the paper, including using the NIST Cybersecurity Framework to verify, test, and monitor third-party risk. The NIST Framework is primarily aimed at cybersecurity, but the same principles can be applied to assessing other kinds of threats. The framework's core functions are Identify, Protect, Detect, Respond, and Recover. Using the framework, HDOs can discover their vendors and the threats they pose, understand what data is shared with each vendor, prioritize vendors by level of risk, implement safeguards to protect critical services, ensure that monitoring controls are in place to detect security incidents, and put a plan in place for responding to and recovering from any security incident.