Third-party security risk is substantial – and many providers' readiness is substandard

As many as 80% of CIOs and CISOs polled for a new report say they've experienced a breach originating with a third-party vendor in the past year, while another survey shows 44% of hospitals and health systems fail to meet basic NIST CSF protocols.
By Mike Miliard
09:15 AM

Third-party vendors are often weak links when it comes to cyber vulnerabilities, even as nearly a third of IT and infosec pros say they lack visibility into the security practices of outside partners.

Four out of five organizations surveyed for a report released Wednesday have experienced a cybersecurity breach precipitated by a third-party vendor over the past 12 months, according to chief information officers, chief information security officers and other C-suite leaders polled.

What's more, the report, from cyber services firm BlueVoyant, found that of the 1,500-plus security pros polled – at organizations of all types in the U.S. and abroad, including healthcare and pharma – the average respondent said their organization had been breached thanks to a vendor partner's own vulnerabilities more than 2.5 times.

A peek at third-party cybersecurity risk management posture at healthcare organizations, the study suggests that challenges and vulnerabilities with healthcare organizations' partner ecosystems have improved little in the years that Healthcare IT News has been reporting on how networks of outside vendors pose particular risks to health system security.

Indeed, the report shows that the typical organization (of any kind) enlists more than 1,400 vendors, and that visibility into those companies' security practices is more limited than many might suspect.

According to BlueVoyant, the survey shows that nearly one-third of those security pros (29%) say they have no way of knowing if cyber risk emerges in a third-party vendor.

What's more, fewer than one in four (22.5%) say they actively monitor their entire supply chain, and nearly a third (32%) say they only reassess and report their vendors' cybersecurity risk position semiannually or less frequently.

While 81% of these C-suite leaders say their budgets for third-party cyber risk management are increasing – up by 40% on average – the average staffing for internal and external cyber risk management teams is 12 FTEs.

"That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern," Jim Penrose, COO of BlueVoyant, said in a statement. 

"The research clearly indicated the reasons behind this high breach frequency: Only 23% are monitoring all suppliers, meaning 77% have limited visibility and almost one-third only reassess their vendors' cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment."

Organizations of all kinds need to employ more holistic, forward-thinking and data-driven strategies, said Penrose, to gain deeper and more consistent insights into the security readiness of their vendor partners.

"Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way," he said. "Visibility into such a large and heterogenous group of vendors is obscured due to lack of resources and a continuing reliance on manual, point-in-time processes, meaning real-time emerging cyber risk is invisible for much of the time."

Attack surface has 'exponentially grown'

These findings come close on the heels of another recent report, from another cybersecurity company, consultancy CynergisTek, that shows a disconcerting number of hospitals and health systems in a suboptimal position with regard to security readiness.

In its annual report, published September 17, CynergisTek also cast a dim light on many providers' cybersecurity readiness – and also cited supply chain vulnerabilities as a particular area of concern.

Among the biggest takeaways was the fact that, somewhat startlingly, just 44% of the health systems it surveyed conform to the fairly straightforward security protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF.

In some cases, said CynergisTek, which analyzed some 300 assessments of provider facilities across the care continuum (hospitals, physician practices, ACOs and business associates) against the NIST CSF, scores have trended backward over the past three years.

In particular, the report says healthcare supply chain security is one of the lowest-ranked areas for NIST CSF conformance. It noted that this is striking, since the COVID-19 crisis has uncovered significant weaknesses in hospital supply networks.

"While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging," David Finn, EVP of Strategic Innovation at CynergisTek, said in a statement. "In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it."

Caleb Barlow, president and CEO of CynergisTek, noted that the "rapid onset of remote work, accelerated deployment of telemedicine, and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system."

Even without outsized infosec investments, however, a framework such as the NIST CSF can offer a baseline level of security preparedness.

"Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores," said Barlow.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS Media publication.
