Controlling healthcare costs while delivering faster and better patient care is predicated upon the secure digitization and distribution of health information, from clinicians to medical devices to EMR and EHR systems, and more. The healthcare blueprint looks and operates much differently from what’s built for other industries, with vendors and other third parties supplying most of the components that make up today’s healthcare provider infrastructure. It’s increasing the attack surface area, which includes susceptibility to data breaches, vulnerability to ransomware, and attacks on medical devices.
Given the increase in ransomware attacks, it’s no surprise that cyber insurance rates are up by 50% or more, with coverages, deductibles, and CAPs tightening. The Wall Street Journal recently reported that more than 200 hospitals were victims of ransomware attacks resulting in over $100 million in extortion payments. Meanwhile, a leading healthcare CISO shared that patient records now garner $1,000 each on the dark web, more than 100 times that of other personal information. And now, lawsuits against those breached are the new plague. It’s time that the healthcare industry rethinks its overall approach to protecting patient data and care.
The path to managing cybersecurity and minimizing data breaches and ransomware requires rewriting how we conduct and manage risk assessments, assembling correct device and data inventories, facilitating risk-reducing change management, and working across departmental boundaries. An enterprise view of cyber and other risks needs to be considered; current silos must be consolidated and coordinated. Understaffed teams and limited industry-specific tools only make the process of healthcare risk management more complex. Risk management and operational consolidation of it becomes a must-have moving forward. The merger of operational and cyber risk across departments such as IT, BioMed, supply chain, research and IRB, and GRC enables a more streamlined and efficient approach overall.
Consequently, understanding the risk posture of healthcare organizations with their vendor and business associate ecosystem is no trivial task. A recent independent study of nearly 600 healthcare delivery organizations discovered that the average organization has about 2,000 vendor relationships, many of which have not been assessed for vendor risk. Why? Some organizations were not sure which vendors to assess because it’s unclear where PHI and other critical information reside. Some assessments didn’t align with what a vendor does because the wrong questions were being asked. The study also found that antiquated tools, such as spreadsheets and text documents, lack the intelligence and integrated workflows to address the unique demands of healthcare. In addition, the study found that providers hold an errant misconception that adopting a modern approach to vendor risk management requires more resources.
Meanwhile, the average healthcare organization is increasing its vendor and business associate footprint by about 30% per year, further increasing the attack surface area and their enterprise vulnerability. Some providers, as a stopgap, are opting to assess new vendors, all while the proverbial vendor risk fox is already in the PHI henhouse.
We’ve been collectively looking at ways to reduce the vulnerability and growing healthcare cyber risk surface area to determine what actions are necessary to increase the coverage and protection. This doesn’t imply adding more risk analysts; it means changing our approach to vendor and third-party risk management within the healthcare industry. We need to change the economics of expanding the risk coverage area if we’re going to solve the healthcare cybersecurity risk problem. We just don’t have a choice.
We must understand and measure the aggregate vendor risk position while helping vendors effectively address their vulnerabilities. Vendors need to know how their cybersecurity readiness is a significant pillar in their provider customers providing effective patient care. We must also work together as a community. Hackers and other nefarious actors are joining forces and attacking vulnerable, siloed healthcare organizations. It’s well past due that both providers and vendors need to work together as a community to share processes and appropriate information to successfully counter the ever-increasing and sophisticated attacks.
In addition, we must treat vendor and third-party risk management as a critical, cross-functional operational process, not as a departmental task list. Displacing disparate spreadsheets and text documents by automated, intelligent platforms is the foundational starting point for effective risk management.
The role of vendors and third parties in the healthcare patient care chain will continue to increase. But unless our approach to risk management changes, the attempt to deliver top-notch patient care by adding more essential products and services may be what puts it most at risk.
Fortunately, we can fix this, but we must do it together.