Cyber risk in healthcare has increased dramatically – in part due to the expanding ecosystem of technology providers that healthcare organizations rely on.
According to HealthITSecurity, in 2022 more than 590 organizations reported healthcare data breaches to the Department of Health and Human Services that impacted upwards of 48 million individuals. Moreover, third-party vendors with access to protected health information (PHI) were responsible for most of the ten biggest data breaches.
But a lack of resources and scalable methods to assess and mitigate third-party risk means healthcare companies often engage with vendors without adequate due diligence or risk assessments. This exposes healthcare organizations and their patients to risk.
In this blog, we explore the criticality of healthcare vendor risk management (VRM), the risks that healthcare organizations must address, and how they can overcome common challenges.
The need for healthcare vendor risk management
The delivery of medical services requires the involvement of hundreds if not thousands of technology providers and third parties. Many of these vendors have access to sensitive systems and data and even provide patient care. Increasingly, threat actors are targeting these vendors to breach the networks of interconnected healthcare organizations.
The cost of these attacks is enormous. Relentless attacks can expose PHI and threaten patient care.
The financial impacts are also alarming. A study by the Ponemon Institute and IBM found that the average cost of a data breach across all industries is now $9.44 million. Healthcare is hit particularly hard. The cost of a breach in this sector has risen 42% since 2020.
Effective VRM can mean reduced operational risk and dollars saved. But there are also major regulations that mandate a robust healthcare VRM program, including the Health Insurance Portability and Accountability Act (HIPAA) and HITECH:
- HIPAA requires that PHI is stored and protected against emerging risks and threats – both internally and across applicable third-party vendors.
- HITECH mandates the security and privacy of the electronic transmission of health information (which often happens between healthcare organizations and their vendors).
Violating these regulations, and others such as PCI DSS, can result in financial penalties and reputational losses.
Typical risks that healthcare organizations face
In order to create an effective healthcare vendor risk management program, healthcare security and risk managers should prioritize the following areas:
1. Third-party access to medical devices
According to IBM, there are 10-15 million medical devices in U.S. hospitals and an average of 10-15 connected devices per patient bed. These devices are often supported by maintenance contracts; however, these contracts typically don’t stipulate whether a vendor will have access to the device, how it will be supported remotely, or what cybersecurity hygiene measures the vendor has in place. Even more troubling, many vendors outsource device support and maintenance, which further increases supply chain risk.
2. Vulnerabilities on medical devices and internal systems
Unpatched systems are one of the main attack vectors used by threat actors. Poor patching performance doubles the likelihood of a breach and increases the risk of ransomware sevenfold.
Given the size of the digital healthcare environment, outdated systems are a huge problem, and diligence in tracking and patching them is essential.
3. Vendor access to PHI and employee PII
Third-party vendors often have access to PHI and employee personally identifiable information (PII) – an extremely valuable commodity to hackers. To reduce the risk of a supply chain attack that breaches this data, healthcare organizations must identify which vendors have access to such data and take steps to understand each vendor’s cybersecurity health on a continuous basis.
Common challenges in healthcare VRM and how to overcome them
The need for a robust healthcare VRM program is critical. Yet many CISOs and risk leaders find it challenging to stay ahead of VRM for several reasons:
- The rapid adoption of technology: 79% of organizations are adopting technologies faster than they can address related security issues.
- Manual processes: Current methods of VRM, such as point-in-time security assessments and spreadsheet-based questionnaires, are highly manual (which increases costs), time-consuming, and hard to scale across the vendor portfolio.
- Lack of visibility: Most healthcare organizations don’t have visibility into their vendors’ changing security postures, who has access to which systems, and what data they manage.
Making the switch to an automated healthcare VRM system, such as BitSight Vendor Risk Management, is key to addressing these issues.
BitSight VRM automates the risk assessment process while delivering unprecedented visibility into vendor risk, in one unified platform. With BitSight VRM, cybersecurity and risk management teams can:
Automate manual processes
The BitSight platform automates manual and repetitive data collection and vendor assessment tasks so that security and risk managers can focus on what really matters – risk mitigation.
Validate vendor responses
BitSight VRM streamlines the security questionnaire process by automatically detecting red flags in vendor responses – adding a layer of independent verification to vendor risk assessments. Teams can also tier vendors according to criticality to the business and prioritize them with customized workflows.
Continuously monitor for cyber risk
In its publication Third-Party Vendor Risk Management in Healthcare, the Cloud Security Alliance stresses that continuous monitoring is critical to VRM, especially when resources are limited.
BitSight automatically and continuously monitors each vendor's security posture (during onboarding and for the life of the relationship). Near real-time alerts notify security teams the moment a risk is detected, such as a change in a third party's security rating or a new vulnerability. BitSight can also be used to continuously monitor third-party medical devices and technology and notify the SOC when unpatched or compromised systems are detected.
Collaborate with vendors to reduce risk
Whenever new risks arise, security and vendor risk managers need to be prepared to react quickly and collaboratively with vendors. BitSight VRM makes this possible. Healthcare organizations can grant vendors access to the platform for more rapid, effective, and collaborative risk discovery and mitigation.
A single, integrated healthcare VRM solution
Critically, BitSight VRM allows healthcare organizations to scale their vendor ecosystems to match the pace of digital transformation. The single unified solution eliminates the need to jump between tools and platforms and spans all aspects of VRM.
With BitSight VRM, security and risk managers can manage their expanding vendor ecosystems with confidence while assuring the board of directors and C-suite of program performance.
Ready to go beyond traditional vendor risk management? Check out our ebook: 5 Keys to Building a Scalable VRM Program. Then, learn more about BitSight for Healthcare Organizations.