The healthcare organizations themselves weren't breached, but attacks on their vendors and third-party suppliers had major consequences across the ecosystem. In some cases, that meant exposing the health systems' data, including patient and family data, to cybercriminals. CrowdStrike's 2022 Global Threat Report offers more insight on the current state of cybersecurity and the challenges surrounding the mission to stop breaches.
Monitoring every supplier and vendor of commercial software and services that a health system relies on may seem too daunting a task, but institutions can strengthen their security posture with these three actions.
1. Keep Inventory Updated
Healthcare facilities should maintain an up-to-date inventory of all vendors and suppliers. Building and keeping that inventory requires working closely with the supply chain, finance and compliance teams.
If an institution does not have a well-managed third-party risk management program, then developing that inventory will take some detective work:
- Supply chain managers should know every contract the organization has signed. If they do not, that is a separate problem and another layer of the onion to peel back. Assuming they do, those contracts should identify the technology or application partners that might expose the organization to third-party risk. The institution should also have a complete, end-to-end acquisition policy, followed across the entire organization, that mandates cybersecurity, compliance and other reviews before any new vendor is signed on.
- Finance pays all the invoices and is another source for identifying third-party partners that may be introducing risk. Because many services can now be purchased online with a credit card, risk managers may have to dig further into expense and card records when a department contracts with a supplier without going through proper channels.
- Legal and compliance officers help create contract documents and policies that align vendor compliance with healthcare requirements, such as adherence to HIPAA. They conduct investigations and regular reviews of the effectiveness of compliance programs, reporting to senior management and the institution’s board of directors.
2. Establish A Third-Party Risk Management Program
Risk assessment starts during the initial evaluation of a potential partner. Security and compliance teams should assess if the vendor or partner meets the institution’s cybersecurity and compliance requirements.
If the vendor cannot meet those requirements, do not proceed with the relationship unless there is a compelling requirement that outweighs the associated risk. If an exception is to be made, the team should document what controls will be in place to monitor and manage the vendor’s cybersecurity shortfalls. Someone at the senior executive level should be responsible for signing off and accepting the risk for the organization.
3. Conduct Ongoing Reviews of Vendors
One review of a third-party vendor at intake is not enough. Vendors' products, subcontractors and security postures change over time, so there must be ongoing review and evaluation of every vendor and supplier in the ecosystem.
Yes, this is an incredibly difficult challenge and a place where most organizations lack personnel, support and documentation of their work. However, there are consulting firms and tools that can be applied to help with the ongoing review process.
To understand the risk of sharing data with a vendor, the institution must know which of its data that vendor receives, how the data is used and where it is stored.
Bottom Line: Protect All Assets
Healthcare organizations face risks from many different types of supply chain vendors — from food suppliers and software makers to medical device manufacturers, pharmaceutical companies and day-to-day medical supply sellers.
Because these products and services are often deeply integrated into the delivery of care, a cybersecurity incident or other kind of disruption at any one of these vendors can degrade a health system’s ability to deliver care to patients and families.
To mitigate supply chain risk, healthcare organizations must know who all of their vendors and suppliers are, establish a third-party risk management program to assess their cybersecurity standards and compliance, and conduct reviews on a regular basis to ensure their suppliers remain compliant with all requirements.