The biggest security challenges in working with third-party vendors, and how to avoid them
Healthcare continues to come under attack from cybercriminals looking for easy pickings. And one of the weak links in the healthcare chain is connections to third-party vendors that hackers can exploit to break into hospital networks.
So what can healthcare information security teams do to protect against penetration through third parties? Cybersecurity experts point out the specific vulnerabilities and offer a variety of suggestions for actions to be taken.
Although the cybersecurity challenges that third parties pose to a healthcare provider are vast, several stand out as prevalent, top of mind and significant across the industry today, said David Stanton, a managing director and a cybersecurity expert at Protiviti, a global consulting firm.
Three of the major challenges imposed by third-party vendors are: effective software and IT asset lifecycle management; holistic, accurate, insightful and forward-thinking vulnerability and configuration management; and risk management and compliance due diligence that aligns with leading industry practices.
"The counterpoints or antithesis to building an effective cybersecurity program within these areas revolve around being constantly driven by the business to increase profitability; to unequivocally support business initiatives without infusing basic security by design concepts; to quickly and effectively perform application integrations; to achieve synergies in regular M&A activities; and most critically, to enhance patient care," Stanton said. "These general drivers perpetuate some of the major fundamental challenges that exist within the industry."
First, most healthcare providers have a procurement governance issue, especially the larger, more distributed multi-state providers, he said.
"Authority to purchase IT and IT security impacting assets tends to exist within a wide spectrum of involved employees and management levels without the proper governance to trigger additional, standardized risk management controls," he explained. "The trick in remediating external risks is to require and impose standardized procurement processes. The attempt is to specifically halt or limit 'shadow IT' and 'unauthorized, wasteful and/or unnecessary spend.'"
Second, building an effective, holistic vulnerability and configuration management program is without question the industry's most difficult challenge, Stanton said.
"There typically are too many devices and systems with too many changes," he said. "Oftentimes, there is little insight into each device's security posture, business purpose, data use and sensitivity, operational responsibilities, and technical services used."
Big questions need to be asked, he said. Who is responsible for identifying and implementing vulnerability management patches? When will these patches be applied? What is the exception process if a device cannot be patched? Who is ultimately responsible for ensuring the asset is hardened to prevent unauthorized access? Who is responsible if a device is compromised or breached? To what extent must the hospital perform due diligence on a vendor to ensure they are appropriately protecting assets?
"Without asking these questions and understanding their risks, providers are under significant exposure to being breached or having to notify the U.S. Health and Human Services Secretary that their third party was potentially breached," he added.
And third, every third-party vendor is different, so healthcare providers need to inventory, assess and manage the exposures each vendor imposes, Stanton said.
"They each provide different types of services, and they are also each legally managed through different contractual mechanisms," he said. "One vendor's risk is not necessarily the same as another vendor that performs a similar type of service. Ultimately, it is the responsibility of the healthcare provider to perform third-party due diligence in an effort to identify risks, confirm stated risks, and evaluate the effectiveness of controls used for remediation purposes."
Any third-party relationship hinges on just two issues: the level of verifiable trust versus the perception of risk, said Kim Jones, director of the Cybersecurity Education Consortium and a professor at Arizona State University.
"Let's take this into the personal realm for a second: Every single day we place our trust in third-party vendors of one sort or another," Jones said. "From the gas station where we get our gas to the market where we buy our groceries to the caregiver to whom we entrust our children."
Jones added that all of the above examples involve relying on third parties to perform services.
"In these personal examples, much of the trust that is generated is based upon some perception of other checks and balances surrounding that service," he continued. "While there are incidents of food poisoning and product recalls due to contaminated groceries, for example, these are relatively rare; there is an inherent trust by most people that the verification scheme surrounding this food product works, so our perception of the risk remains low."
But people have a different level of trust in formal verification schema when it comes to things of higher value, like their children. Despite all the certifications, licensing and so forth, most parents want to peek under the covers and see what's really going on at a child care center. Many will even seek out recommendations from personal friends versus relying on a licensing board. Here the value of the asset creates a heightened perception of risk that engenders a heightened need for verifiable trust.
"Now the problem, of course, with most trust verification schema is that (a) It's a point-in-time evaluation; and (b) It's no guarantee of future performance," Jones said. "The fact that trust was verified yesterday doesn't mean that the same level of trust exists today or will exist tomorrow."
Now from a healthcare organization's perspective, what trust verification does it need to do to achieve some level of trust in a third-party vendor? Is the organization staffed to do that? Is that verification sufficient for the level of risk? Is the organization willing to accept, as is done with groceries, some level of third-party verification such as a SOC 2 audit? How often does an organization need to repeat this verification to keep the overall risk down?
"These all are questions that we answer in our personal lives – sometimes reflexively – every day when dealing with third parties," Jones said. "The same applies to third-party vendors in the business world."
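Stanton's due-diligence questions (who owns patching, what the exception process is, whether a contractual mechanism is in place) and Jones's point that trust verification is a point-in-time check that must be repeated on a cadence matched to the value of the asset can both be turned into checks over a vendor risk register. The script below is an added example for this article, not code from Protiviti, ASU or any vendor; the register, the vendor names and the re-verification cadences per data-sensitivity tier are constructed assumptions for illustration.

```python
"""Third-party vendor risk register checks (constructed example).

Each check corresponds to one of the due-diligence questions discussed
above: recorded owners, a contractual mechanism on file, time-boxed and
approved exceptions, and a trust verification that is recent enough for
the sensitivity of the data the vendor handles.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed re-verification cadence in days, keyed by data sensitivity.
# These numbers are an assumption for the example, not a requirement
# stated in the article; None means no periodic re-verification required.
REVERIFY_DAYS = {"phi": 365, "internal": 730, "public": None}


@dataclass
class RiskException:
    """A recorded exception, e.g. a vendor-managed device that cannot be patched."""
    reason: str
    approved_by: Optional[str]   # who accepted the risk
    expires: Optional[date]      # when the exception must be revisited


@dataclass
class Vendor:
    name: str
    service: str
    data_sensitivity: str             # "phi", "internal" or "public"
    business_owner: Optional[str]     # provider-side owner of the relationship
    patch_owner: Optional[str]        # who applies vulnerability patches
    contract_on_file: bool            # a signed contractual mechanism governs the service
    last_verified: Optional[date]     # date of the last trust verification
    verification_type: Optional[str]  # e.g. "SOC 2 Type II report", "security questionnaire"
    exceptions: list = field(default_factory=list)


def check_vendor(v: Vendor, today: date) -> list[str]:
    """Return human-readable findings for one vendor; empty list means no gaps."""
    findings = []
    if not v.business_owner:
        findings.append("no business owner recorded")
    if not v.patch_owner:
        findings.append("no owner for vulnerability patching")
    if not v.contract_on_file:
        findings.append("no contractual mechanism on file")
    for ex in v.exceptions:
        if ex.approved_by is None:
            findings.append(f"exception '{ex.reason}' has no approver")
        if ex.expires is None:
            findings.append(f"exception '{ex.reason}' has no expiry")
        elif ex.expires < today:
            findings.append(f"exception '{ex.reason}' expired {ex.expires.isoformat()}")
    # Trust verification is point-in-time: age it against the tier's cadence.
    cadence = REVERIFY_DAYS.get(v.data_sensitivity)
    if cadence is not None:
        if v.last_verified is None:
            findings.append("trust never verified")
        else:
            age = (today - v.last_verified).days
            if age > cadence:
                findings.append(f"trust verification stale ({age} days old, cadence {cadence} days)")
    return findings


def check_register(vendors: list, today: date) -> dict:
    """Run check_vendor over the whole register, keyed by vendor name."""
    return {v.name: check_vendor(v, today) for v in vendors}


# Constructed sample register; names and dates are made up for the example.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Vendor("Example Imaging Co", "PACS hosting", "phi", "Radiology IT lead", "vendor",
           True, date(2023, 9, 30), "SOC 2 Type II report"),
    Vendor("Example Lab Portal", "results portal", "phi", None, None,
           True, date(2022, 11, 15), "security questionnaire",
           [RiskException("legacy analyzer cannot be patched", "CISO", date(2024, 3, 31))]),
    Vendor("Example Badge Printer", "ID card printing", "internal", "Facilities", "desktop team",
           False, None, None,
           [RiskException("firmware frozen by vendor", None, None)]),
    Vendor("Example Wayfinding", "public campus maps", "public", "Marketing", "vendor",
           True, None, None),
]


if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(f"{name}: {findings or ['no findings']}")
```

The cadence table is where the "value of the asset" argument lands: a vendor handling PHI is re-verified yearly, an internal-only service every two years, and a public one not at all, so the same stale report produces a finding for one vendor and none for another.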
In a general sense, third-party vendor risk represents a good deal of the overall enterprise risk. Every healthcare provider is typically highly dependent upon several vendors. If a vendor were breached, went insolvent or imposed significant risk, the provider would be significantly impacted.
"CISOs should be very worried about the risks imposed by the third-party vendors and should be actively bringing these risks to the appropriate executive levels – Risk Committee, Audit Committee, board of directors, etc.," Protiviti's Stanton said. "The provider's brand, patient perception of trust, and regulatory and legal state can be significantly impacted by failures within vendors."
The risks created by outsourcing always tend to roll up to the provider itself, he added. Unless appropriate, and potentially significant, due diligence is performed on third-party vendors, it is only a matter of time before the provider is out of business, he contended.
Many smaller third-party vendors may struggle with maintaining a heightened level of security operational maturity because of lack of resources, Jones added.
"Larger vendors may find themselves the target of attack at a pace that is higher than your organization," Jones said. "Many service providers run complex networks that may exacerbate the probability of an error-related compromise that includes your data and services. Remember that while the third-party vendor may be responsible, your organization is always accountable."