
The Rise of Fourth-Party Risk in Healthcare––And How to Combat It

by Brian Selfridge, Healthcare Cybersecurity & Risk Leader at CORL Technologies, 02/28/2023


In recent years, a wave of high-profile cyber attacks has shaken the healthcare industry to its core. Sensitive data has been breached; essential services have been forced offline; and healthcare providers have found themselves faced with unhappy customers and unsympathetic regulators.

As a result, many in the healthcare industry are now familiar with third-party vendors and the risks they pose. This is a positive development, but it is also insufficient. Because the fact is that any comprehensive understanding of healthcare security needs to factor in fourth-party vendors as well.

Consider this blog post a guide to everything you need to know about fourth-party vendors and the risks they pose. Below, in addition to setting definitions, we’ll outline current risk mitigation models and challenges, and suggest innovative solutions.

Fourth-party risk management: a quick definition

To understand what fourth-party vendors are, let’s start by getting a handle on third-party vendors.

Around fifteen or twenty years ago, healthcare organizations began the long, arduous process of moving from paper to electronic health records. To accommodate these oceans of paperwork, healthcare organizations began enlisting the services of third-party cloud and SaaS companies. And over the last decade or so, as it became commonplace to share large volumes of electronic patient data outside of healthcare entities for research, optimization, debt collection, and more, an unprecedented amount of sensitive patient data began to be hosted on third-party servers.

The serious risks that this presents are well-known. Less discussed are the fourth-party vendors that these third-party vendors work with, and how a breach of one of those can have equally dire effects. The fourth-party vendors used by third-party vendors (Adobe, Microsoft, Auth0, Okta, and the like) are just as vulnerable to being breached, and cyber-criminal gangs and nation-states like Russia have taken serious notice of this. The fact is that a single compromised fourth-party vendor can lead to the compromise of thousands of organizations.

Cyber-criminal syndicates are continually on the lookout for thus-far-unexploited vulnerabilities; if there is an unmonitored opening, you can be sure they will pour right in. This is particularly troubling in the case of fourth-party vendors, as once an organization has been compromised in this way, malicious actors are then free to launch a variety of attacks including ransomware, data theft, extortion and more. Recent examples of this can be seen with the Log4j, SolarWinds, and Microsoft Exchange breaches.

A troubling lack of transparency

Hearteningly, in recent years healthcare organizations have taken a serious interest in data protection, devising vendor risk management (VRM) programs to help guard against third-party breaches. At the same time, though, very little effort has been made to manage fourth-party risks; it can sometimes feel like they’re not even on the radar.

Making matters worse is the fact that healthcare entities have little to no transparency when it comes to fourth-party vendors. It is often impossible for them to know, when a fourth-party breach occurs, which specific third-party vendors have been affected; accordingly, it’s nearly impossible for them to take proper action. Alarmingly, the third-party vendors themselves often have a limited idea of the extent of their vulnerability, as many fail to maintain accurate inventories of their own supply-chain vendors or products. During a breach event, this can lead to utter chaos, with no party––not the third-party vendor, not the healthcare organization––able to accurately assess and fix the problem.

Innovative solutions to the fourth-party problem

Obviously, this problem isn’t limited to healthcare organizations: any entity that enlists the help of third-party vendors is at risk during a fourth-party breach. Accordingly, the US government has begun to proactively address the problem, with President Biden issuing an executive order on supply chain risk last year in response to the catastrophe of the SolarWinds attack. This executive order and other recent initiatives have gone some way towards remedying the extreme unpreparedness of most industries when it comes to fourth-party breaches.

Key to Biden’s order is something called a Software Bill of Materials, or SBOM. An SBOM is, essentially, an ingredients list for software or hardware: it lists in detail every single third- and fourth-party software component used to deliver a given product or solution, allowing affected entities to act quickly to remedy the situation in the event of a breach.

So a simplified SBOM might look like:

    Operating system: Microsoft XP
    Java (version x.x)
    Apache (version x.x)

Beyond SBOMs, a number of solutions have arisen in recent years to help mitigate the risk of fourth-party breaches. These include leveraging existing assessment data on fourth-party suppliers to identify known exposures; conducting targeted reach-out campaigns to third-party vendors to get a better sense of how they use fourth-party products; and tracking and reporting risk exposure and remediation status to customers.
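The two passages above describe the same workflow from a defender's seat: collect an SBOM from each third-party vendor, and when a fourth-party component is reported compromised or vulnerable, work out which of your vendors actually ship it and which ones cannot even tell you. The script below is an added illustration, not code from the article or from CORL Technologies. The three vendor SBOMs are constructed, minimal CycloneDX-style JSON documents with hypothetical vendor names, and the advisory (including its `fixed_in` threshold and `ADVISORY-PLACEHOLDER-0001` id) is a constructed placeholder, not a real advisory's data. The third vendor lists the component without a version, which is the inventory gap the article warns about, and the report surfaces it as `unknown` rather than silently treating it as safe.

```python
"""Cross-reference third-party vendor SBOMs against an advisory for a
fourth-party component.  Added illustration: all SBOMs and the advisory
below are constructed sample data, not real vendor or advisory records."""
import json
import re

# Constructed CycloneDX-style SBOMs, one per hypothetical third-party vendor.
# Only the fields the report needs are filled in.
VENDOR_SBOMS = {
    "acme-patient-portal": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0"}
      ]}""",
    "beta-billing-saas": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"}
      ]}""",
    "gamma-scheduler": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "group": "ch.qos.logback",
         "name": "logback-classic", "version": "1.2.11"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core"}
      ]}""",
}

# Constructed advisory for a fourth-party component. The id and the
# "fixed_in" threshold are placeholders for illustration only.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "fixed_in": "2.17.1",
}


def parse_version(text):
    """Turn '2.14.1' (or '2.14.1-rc1') into a comparable tuple of ints.
    Non-numeric suffixes are ignored; missing trailing parts compare as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_sbom(text):
    """Load a CycloneDX-style JSON document and return its component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def classify(component, advisory):
    """Return 'affected', 'fixed', 'unknown', or None if the component is
    not the one named in the advisory."""
    key = (component.get("group"), component.get("name"))
    if key != (advisory["group"], advisory["name"]):
        return None
    version = component.get("version")
    if not version:
        return "unknown"  # inventory gap: the vendor did not record a version
    if parse_version(version) < parse_version(advisory["fixed_in"]):
        return "affected"
    return "fixed"


def exposure_report(vendor_sboms, advisory):
    """Map each third-party vendor to a single status for the advisory.
    'affected' wins over 'unknown', which wins over 'fixed'; a vendor whose
    SBOM never mentions the component is 'not-present'."""
    report = {}
    for vendor, sbom_text in vendor_sboms.items():
        statuses = [classify(c, advisory) for c in parse_sbom(sbom_text)]
        statuses = [s for s in statuses if s is not None]
        if "affected" in statuses:
            report[vendor] = "affected"
        elif "unknown" in statuses:
            report[vendor] = "unknown"
        elif statuses:
            report[vendor] = "fixed"
        else:
            report[vendor] = "not-present"
    return report


if __name__ == "__main__":
    print("Exposure to %s:" % ADVISORY["id"])
    for vendor, status in sorted(exposure_report(VENDOR_SBOMS, ADVISORY).items()):
        print("  %-22s %s" % (vendor, status))
```

The `unknown` bucket is the operationally important one: those are the vendors to contact first, since an SBOM that omits versions cannot answer the question the article says SBOMs exist to answer. In practice the advisory data would come from a vulnerability feed and the SBOMs from each vendor's release artifacts, but the matching and reporting logic is the same.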

For healthcare workers just wrapping their heads around third-party breaches, the introduction of an entire new category of risk might seem overwhelming. But it’s important to stress that this isn’t some peripheral risk––it’s not secondary to third-party risk. A fourth-party breach can be just as destructive and cause equally lasting damage. Staying on top of those risks––through SBOMs and the countless mitigation procedures currently coming into wide use––is not simply an option: when it comes to staving off catastrophe and keeping patient data safe, it’s a necessity.


About Brian Selfridge

Brian Selfridge is the Healthcare Cybersecurity & Risk Leader at CORL Technologies, the leading provider of risk management solutions for healthcare.
