Third-Party Risk Management, or TPRM, is a growing concern for healthcare organizations. According to the 2022 Ponemon Industry Report, 63% of respondents stated that while cybersecurity incidents involving third parties are increasing, they feel ineffective at controlling third-party risk. Additionally, 55% of healthcare organizations had experienced a data breach in the twelve months before the survey. Unfortunately, the picture being painted by the respondents isn’t very positive.
Effective TPRM is vital to protecting patient data and organizational resources. Threat actors continue to shift their focus to third-party providers, as was seen with the attacks on Kronos, Elekta, Meta, and many others. Many attacks are carried out by criminal or state-sponsored organizations, and changing economic and geopolitical conditions have spurred these threat actors to seek new revenue streams. Attacks with a “one-to-many” effect like those mentioned above can have massive impacts on the healthcare industry.
While ransomware may get the biggest headlines, attacks on third-party vendors can be just as detrimental to a healthcare organization. Patient care and hospital operations can be directly impacted, while Personal Health Information (PHI) and other sensitive information are subject to compromise. Cyber incidents targeting third-party hospital providers can also impact healthcare organizations through extended system downtime, transactional processing delays, and even disruptions to patient care delivery. The Kronos attack is a perfect example of a third-party risk many organizations didn’t account for in their incident response plans. The attack impacted the human resources tools many organizations use to capture time records for payroll, coordinate scheduling, and run other vital internal business operations. It’s important to remember that third-party risk can come from any number of on-premises or cloud-based service providers used across hospital departments. Every incident, delay in service delivery, and fine places a heavy financial burden on healthcare organizations.
Building a TPRM program is an effective way to counter the growing risk, but many organizations are still far behind. Only 38% of respondents in the Ponemon study knew what network access third parties had, and only 45% could distinguish exactly which third parties had access to the most sensitive data. Those numbers represent a significant amount of risk to healthcare organizations. The next big challenge for many healthcare organizations is the ability to assess the security practices of third parties and appropriately control their access as part of a TPRM program. It can be a complex topic, but Fortified Health Security can help address these challenges. To learn more about TPRM and how to get your program started, check out this presentation or contact us to speak with one of Fortified’s security advisors.