By Dustin Hutchison, Pondurance
As the healthcare industry becomes more reliant on internet-enabled technology, the attack surface continues to expand. Healthcare providers implement systems that are patient-care focused, but they also deploy operational systems to enable patient services. According to the 2019 HIMSS Cybersecurity Survey, a lack of mature security programs, combined with the rich data contained within healthcare, makes these entities huge targets for cyber criminals and breaches.
Technology vendors and third-party providers must prioritize security and abide by the same stringent controls needed to protect patient information and systems. Many healthcare providers have reported breaches due to a compromise of a business associate, which is defined as an entity that performs certain functions or activities that involve the use or disclosure of protected health information for a covered entity. There are several assess-once, report-many security frameworks, such as HITRUST, which help show the security capabilities of a third-party technology vendor, but the provider organization still must perform their due diligence to assess that vendor’s qualifications prior to adopting any technology.
As a high-priority target for bad actors, healthcare providers must constantly analyze and assess their own security posture and that of their business associates. Three steps healthcare organizations should consider when working with a third-party technology vendor or provider partner are: administer due diligence, standardize policies, and form a collaborative culture.
Prescription For Due Diligence
At a minimum, healthcare providers should conduct risk assessments before purchasing and implementing any system or application. This helps to identify the most complex vulnerabilities and prioritize them in terms of what needs immediate attention. Healthcare providers must also assume strong oversight of their vendors by performing due diligence and proceeding with business associate agreements and contract reviews before working together. When healthcare providers negotiate contracts with outside vendors and partners, they should demand accountability, and identify and limit the type and quantity of data that a third-party organization is able to access. And third-party vendors must demonstrate their own security posture regularly in the form of security questionnaires or assessment reports. To help streamline this process, the healthcare organization should develop a methodology that incorporates the business need with the security requirements, and not simply create a laundry list of yes/no questions.
Here are a few questions healthcare providers should ask technology vendors and partners:
Standardization On Policies
Since a healthcare organization's risk profile will change throughout the year, it should proactively update what it manages from a risk standpoint to ensure there are no gaps in privacy and security. Regarding implementation, it is important that the organization understands the administrative, technical, and physical controls of a vendor's security framework, and this starts with writing effective policies and procedures for prevention and defense that integrate into the way healthcare organizations conduct business. For the healthcare organization, standardizing on baseline security requirements can reduce the number of internal systems and products in use, as well as the management overhead and third-party technology vendor fees.
Culture Of Collaboration
For healthcare organizations to conquer the third-party problem, leadership must approach security as a business problem and not just an information technology (IT) problem. And as important as it is to include the caregivers in the buying decision of an MRI machine, for example, it is just as essential to get IT involved in the technology and security decisions to ensure they can implement the right security protections around that device. This illustrates why it is crucial to consider any purchase from the clinical, technical, and security perspectives to make a thorough evaluation.
The healthcare provider must develop an effective security framework with repeatable risk mitigation steps plus true risk tolerance policies and procedures supported by leadership. The NIST Cybersecurity Framework is effective in managing risk and measurement. Adhering to a structure like this helps to establish mutual understanding, pre-set expectations, and standardized terminology, which paves the way for security teams and senior leadership at all partner organizations to have real conversations about cybersecurity. There is not a one-size-fits-all plan; the partners together can determine what makes sense.
Developing a secure environment requires input from all levels and departments – from the C-suite and the IT staff to the clinicians – to fortify the preventative strategies against an attack and mitigate major interruption to operations when the inevitable happens. It is fundamental for healthcare organizations to focus on what they need, what problem they’re trying to solve, and how they can enable quality patient care in a secure manner.
About The Author
Dustin Hutchison is the president and COO at Pondurance and has over eighteen years of experience in information security, risk management, and regulatory compliance. Prior to joining Pondurance, Hutchison was a risk and compliance professional at Franciscan Alliance focusing on HIPAA, PCI, and risk assessments for new technology acquisitions ranging from infrastructure solutions to patient care devices. Prior to Franciscan Alliance, he was a cyber security analyst at Midwest ISO. Dustin is also currently an adjunct professor at Ivy Tech Community College, Sullivan University, and Embry-Riddle Aeronautical University. Hutchison holds a Bachelor of Science (BS) degree in computer and information technology, a Master of Business Administration (MBA), and a Doctor of Philosophy (Ph.D.) with a dissertation topic focusing on cloud computing in healthcare. He is a Certified Information Systems Security Professional (CISSP), PCI DSS Qualified Security Assessor (QSA), Certified CSF Practitioner (CCSFP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), GIAC Certified Incident Handler (GCIH), and holds the CompTIA Security+ certification.