Are your contractors and vendors leaving your backdoor open for attack?
Cyber risks in healthcare are not just confined to data centers, to nursing stations, or to the PHI data that flows back and forth between health insurers, HIEs, government agencies, and patients. The risk web is much bigger than that.
It includes thousands of suppliers, vendors, and partners that stretch across the globe. Everything from business process and IT outsourcers in India, to complex manufacturing supply chains for medical equipment in China, Brazil, Germany, the UK, and Australia can all fall under the umbrella of cyber risk susceptible access points.
Alarmingly, this risk web in healthcare also encompasses the company that provides hot meals to your patients, and food and coffee for the hospital cafeterias, as well as the pharmaceutical companies conducting clinical trials, and biomedical engineering companies providing prosthetics, or an implantable medical device (IMD) that leaves the hospital with a surviving patient. Anyone who has physical access to your sites, network access to your IT, or who processes your data, regardless if they ever see one of your patients or not, can introduce risk to your business.
Dismaying Numbers in The Data
A vendor vulnerability index research report released by Bomgar showed that breaches occurring from third parties account for two-thirds of the total number of reported cyber breaches. The study found that only 46% of US companies said they know the number of log-ins that could be attributed to vendors, and that less than 51% enforce policies around third party access. Furthermore, 69% of respondents said they definitely or possibly suffered a security breach accomplished through vendor access in the past year.
Lets not forget that the Target breach of 40 million credit cards and 70 million customer records was caused by the weak security of one of Target's HVAC vendors. It cost Target over $300 million and the jobs of everyone on the leadership team as well as lasting damage to the store's reputation. In addition, it resulted in two expensive class-action suits, one by customers and one by investors peeved at the loss of Target's stock price following the incident.
The consensus by security professionals is that the risk posed by third parties is not only substantial, but it is increasing each and every year. Gartner stated in its June 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk.
So why is it then, that health system CEOs are focused on other things? It could be that the healthcare industry has too many challenges, and third party vendor risk management (TPVRM) is just further down the list. It could also be the fact that very few healthcare delivery organizations feature in the prestigious Fortune 500 list, or it could just be that healthcare CCOs, CROs and CISOs, just haven't got the message across to their CEO yet. Either way they must prioritize their risk management strategies or they could suffer irreparable damage.