Guest Column | August 2, 2019

Spotlighting Third-Party Risk: How Healthcare Can Prepare For Today's Cyberthreats

By Troy Gill, AppRiver

Best Practices For Secure Messaging

In the past month, reports surfaced concerning a successful data breach that affected at least three health diagnostics companies: Quest Diagnostics, LabCorp and BioReference Laboratories Inc. It is estimated that more than 20 million patient names, dates of birth, addresses, phone numbers, credit cards and banking information were potentially exposed.

The extensive breach was believed to have taken place when a billing collection provider – an outside contractor to which the blood testing companies routinely sent customers’ billing information and personal data – was hacked. Not only was the breach serious enough in scale to warrant news headlines, but it also raises new questions regarding data access and management in the healthcare industry.

This breach-through-billing-contractor scenario is particularly intriguing in that, while the healthcare industry is one of the most highly regulated in terms of consumer privacy and data protection, contractors who have access to the same confidential data may not be held to the same standards. It also shines a light on the growing pains of the healthcare industry, which has been rapidly adopting new technology and data advancements but is showing a lapse in security knowledge and in the systems in place to handle the new technology it now possesses.

What is also fascinating is that the industry appears not entirely in the dark about its own lack of cyber preparedness. According to the AppRiver Cyberthreat Index for Business, which surveyed over 2,000 small-to-midsize business (SMB) leaders and IT decision makers in the first half of 2019, including those in the healthcare industry, more than half of the sector reported feeling overmatched by cybercriminals and unprepared for potential attacks.

Here are some key (and alarming) findings:

  • 60 percent of all healthcare SMB leaders and IT decision makers surveyed estimate cybercriminals’ technology and attack strategies are more sophisticated than their own cyberthreat prevention resources
  • Less than half (43 percent) of all surveyed in the sector give their own business a positive rating in cyber preparedness
  • 63 percent report at least one phishing attempt targeting their business in the past quarter
  • Half (51 percent) estimate they would sustain long- and short-term business losses if they were to suffer a successful cyber breach

Cybercriminals target the healthcare sector because they know it is a goldmine for personal data and payment (read: banking and credit card) information. However, some could be looking to do more harm. The healthcare industry also has access to health data; it dispenses medicine and prescribes medical treatments, for instance. This is potentially not just a privacy issue but a health-related security time bomb.

A significant number of data breaches occurring these days can be directly attributed to a third-party vendor or contractor, as this type of relationship inadvertently creates an entry point for cybercriminals. No sector, including healthcare, has been immune. And while all organizations have a responsibility to protect all Personally Identifiable Information, the healthcare industry will always be subjected to higher expectations because of the sensitivity of the data healthcare professionals are tasked with protecting. Knowing this, more stringent policies and reliable systems are urgently needed when evaluating relationships with, and granting access to, third-party vendors and contractors.

Consider this as the start of a third-party security due diligence “laundry list”:

  • Routinely perform risk assessments of your own networks both pre- and post-third-party integration.
  • Ask important security questions of the third-party vendor before engagement and sharing of data. Does the vendor perform ongoing vulnerability assessments and penetration testing? What sort of encryption practices do they have? Have they implemented a security awareness program within their organization?
  • Consider engaging with a security rating provider to help guide your evaluation of companies’ security posture when considering a third-party relationship where data will be shared.
  • Discuss with third-party vendors where data will be stored, for how long, who has access, etc. and make sure these terms are all well documented, agreed to with zero ambiguity and remain up to date.
  • Routinely reassess third-party security practices to reduce risk. Threats do not remain static, nor should your risk management practice; the same level of scrutiny and standards must be extended to third-party arrangements.
  • Deploy real-time threat monitoring both internally and externally.
  • Aggregate pertinent log data and monitor via an internal or contracted security operations center.
  • Have a verified incident response plan with escalation levels clearly defined.
  • Require that outside service providers undergo compliance audits for the pertinent frameworks; in the case of healthcare vendors, SOC 2 (which covers IT operations and practices) and HIPAA compliance should be required and verified.

With the right guardrails in place, healthcare organizations can go a long way toward protecting their patients and the reputation of their business. At the rate that today’s cyberthreat landscape is evolving, they simply can’t afford to wait any longer.