Getty Images

Cyber Resilient Vendor Relationships for Healthcare’s Threat Landscape

A healthcare third-party vendor breach can have a devastating impact on multiple entities, which means it’s crucial to have cyber resilient vendor relationships to keep pace with these threats.

The threats targeting healthcare continue to increase in both their frequency and sophistication. And if the latest third-party vendor security incident is any indication, the need for developing a cyber resilient vendor management process will be crucial to reducing risks to the enterprise.

The 2020 Blackbaud incident is one of the best examples of just how great an impact a seemingly simple breach can have when it impacts a vendor. The cloud computing vendor provides services to a range of nonprofits, healthcare systems, and hospitals. 

The ransomware attack in question occurred between February 7 and May 20, 2020. Much like other double extortion incidents reported this year, the hackers exfiltrated a subset of data from a self-hosted environment belonging to Blackbaud’s clients before the hackers were locked out of the system. 

What’s worse, the vendors paid the ransom demand “with confirmation that the copy they removed had been destroyed.” 

But the ripple effect had already begun. Beginning in August, healthcare organizations – particularly those with related foundations – began notifying patients, donors, and prospective donors of a breach to their sensitive personal and health information caused by the Blackbaud incident. 

Northern Light Health Foundation was one of the first and largest victims included in the breach with 657,392 individuals affected. Within a month, at least another 708,690 individuals from Saint Luke’s Foundation, MultiCare Foundation, Spectrum Health, Northwestern Memorial HealthCare (NMHC), and Main Line Health, were added to the tally. It’s still unclear if more healthcare entities have been affected. 

Many of these individuals were likely unaware that Blackbaud held their data. 

The incident mirrors another massive vendor breach from 2019 – that of the American Medical Collection Agency. A hack on the business associate lasted for eight months before it was detected, affecting millions of patients across healthcare including Quest Diagnostics, LabCorp, and a long list of providers

The breaches serve as a reminder of just how great an impact a vendor breach can have across the sector. But given the long list of vendors, business associates, and other supply chain vendors, how can entities remain resilient and ready to prepare for an attack outside of their immediate infrastructure?

Third-Party Assurance 

Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission, explains there’s a dire need for third-party assurance, which is a way to build trust among vendors and other business associates and to maintain secure relationships.

One of the biggest threats to healthcare is ransomware, which affects every aspect of the sector today, from phishing campaigns to malware planted in organizations. These risks only increase given the number of entities connected to the network, as well, Barrett explained.

A lack of up-to-date software creates vulnerabilities within the network, too. For example, a major hospital system in Connecticut was hit with a ransomware attack five months ago and the system was down for more than 10 days. 

“Patients couldn’t make appointments, clinicians couldn’t get access to the electronic health records system, and all because of a malware infection that was brought in through someone clicking a phishing email that allowed the cybercriminal to take over the environment,” he explained. 

“When something like that occurs, the entire system and network is taken down,” Barrett added. “Not just the hospital, but all of their supported physicians and practices.” 

Again, these incidents demonstrate that an organization did not employ appropriate backups or have the contingency planning controls in place i to respond quickly and mitigate the a impact, Barrett stressed. 

These elements are heightened when organizations begin to look at phishing, malware, and third-party vendors. Barrett explained that organizations are balancing services, infrastructure, and medical devices, as well as giving entities access to their infrastructure. 

When combined with the above risks, many healthcare entities are lacking the appropriate controls over their security. Barrett said this includes allowing partners and staff to bring their own devices, instead of using designated smartphones which organization can control. 

Organizations are only as strong as the weakest link among connected partners, so it’s crucial to ensure all parties involved in day-to-day healthcare operations are operating with similar security controls. Third-party assurance allows entities to confirm that its partners – and those organizations with which they’ve merged – have taken their due diligence when it comes to security. 

“From a cyber perspective, [the threat landscape] is why organizations must put an emphasis on keeping their cyber infrastructure as highly secured as possible,” Barrett said. “We’re seeing a lot of foreign countries attacking biopharma entities developing a COVID-19 vaccine in an effort to steal intellectual property.” 

“All of these various factors are increasing the risks and risk vectors, certainly within healthcare today, where many of us are very focused on trying to respond to the pandemic,” he continued. 

“Organizations cannot afford to take their eye off the ball when it comes to maintenance and assurance of their cyber environment, as well as third-party assurance with vendors and services to keep the infrastructure secure.” 

Further, organizations need to be planning for these worst-case-scenarios and putting in appropriate controls. 

Barrett advocates for third-party assurance where policies are put into place that require organizations to go through building a framework around vendor categorization, determining the amount of risk they’re willing to accept with vendors, assessing the high impact of suppliers or other entities, and determining other services that not only require a third-party assessment but insurance through the organization as well. 

In fact, he noted that many cybersecurity insurance companies may now require third-party assurance to obtain an insurance policy, as well as ensuring the entity has the appropriate procedures and infrastructure in place before they will underwrite. 

Vendor Requirements 

In previous vendor management coverage on HealthITSecurity.com, Jane Harper, who’s now the senior director, information security risk management and business engagement at Eli Lilly, provided an invaluable checklist that organizations should use when attempting to simplify vendor relationships.

Those elements include involving the appropriate internal stakeholders. Requirements should be fully outlined during the contracting process, and leadership will need to monitor post contract signature, not just for SLA metrics, but privacy, security, and general risk management considerations.

Harper added that entities must also ensure any insurable risk related to the business relationship is covered in the insurance policy, while making sure appropriate contracts are in place before data sharing occurs and any insurable risks related to the relationship are covered in the policy.

The contracting language and process should also include these elements: 

  • Clearly defined service to be provided 
  • Data protection considerations 
  • Data privacy considerations 
  • Data ownership consideration 
  • De-identification of data if applicable 
  • Data destruction, return and archival considerations 
  • Right to audit 
  • Appropriate use 
  • Breach notification and remediation considerations 
  • Credit monitoring and reporting obligations in case of breach

NIST released cyber supply chain risk management guidance in February 2020, which can also help healthcare organizations develop effective best practices and industry standards to keep these relationships secure. 

“Today’s world of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver,” NIST researchers explained. 

“Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful,” they added. “Threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.” 

For Barrett, it’s important healthcare entities require their vendors to be accredited through a compliance program, such as HITRUST. Leaders should review those certifications and accreditation frameworks, which provide policies, procedures, and controls that need to be implemented. 

And these elements are what’s required to achieve third-party assurance through these programs. Barrett added that these programs require entities to stay on top of their security program and stay compliant. NIST and HIPAA also provide cybersecurity frameworks some organizations are using as part of third-party assurance. 

It’s also important today for the board of directors to require CISOs and privacy officers to report to them on a monthly or routine basis on how they’re spending money on implementing third-party assurance requirements, as well as providing reports on how they’re preparing and responding to an attack, Barrett explained.

“As they’re doing their own risk assessment to identify risks and to meet those third-party assurance requirements, clearly organizations need to look at those frameworks to meet those standards,” he said. “Also clearly state to the vendor that if you don’t meet these requirements, don’t even bother to get into work with us, as we will not do it. 

“You can’t afford not to: if they’re not willing to do so, organizations aren’t going to use their services,” Barrett said. “No one is willing to take the risk anymore. The risk and exposure has become so high from a PR perspective, that if you look at these breaches and impacts, it’s millions and billions of dollars of lost revenue, credibility, clients, or patients, never mind the overall impact.”

From a Vendor’s Perspective 

It’s true that healthcare providers will often want to make sure the burden is packed onto the vendor, Baffle CEO and Cofounder Ameesh Divatia explained. But there are several reasons that may not always work well, including that vendors don’t always have a massive insurance policy to cover it. 

Instead, vendors should be willing to take control and responsibility of the data as a data controller. Divatia added that the other challenge is accounting for user error. A vast majority of breaches occur due to the user, either intentionally or inadvertently. 

"Instead, try to find mechanisms where you protect your data in such a way, so that it doesn't fall into wrong hands, such as a data analytics controller,” Divatia said. “Determine how the data is going to be used, and then you mask it.” 

For example, data that includes names, need to be reformatted using tools to process records and tokenize the data. And for healthcare data, just encrypt it.  

“And that’s the whole concept of encryption: keeping control,” he added. “Data is the new oil: It needs to be harnessed and refined... But organizations need to make sure the data doesn’t become asbestos, a liability.”

What’s clear is that given today’s threat landscape in healthcare and the number of connected devices, transparency, asset management, and adequate controls are crucial to reducing the risk to the enterprise. Whether it’s carving out which party is responsible for specific data or response times in case of a breach, establishing those controls before signing a contract or applicable business associates agreement is necessary to maintain HIPAA compliance.

Next Steps

Dig Deeper on Cybersecurity strategies