Exploring healthcare's third-party risk management gaps
Health IT practitioners understand the scope of third-party risks, but barriers to employing effective third-party risk management strategies persist.
The healthcare sector is no stranger to third-party data breaches, making third-party risk management and privileged access management imperative elements of any healthcare organization's security strategy.
However, according to a survey by Ponemon Institute and Imprivata, just 36% of health IT respondents said that their organizations have a strategy to address privileged access risk that is consistently applied across the entire organization. Other respondents reported applying those strategies sporadically or having an informal or ad hoc strategy for addressing privileged access risks.
Ponemon Institute surveyed 1,942 IT and IT Security practitioners across the U.S., the U.K., Germany and Australia. Respondents represented healthcare, industrial and manufacturing, public sector and financial services organizations.
The results revealed that even as third-party risks continue to pose threats to healthcare and other sectors, persisting barriers, like a lack of governance and budget constraints, prevent organizations from effectively managing these risks.
Third-party security incidents have widespread impacts on healthcare
Nearly half (47%) of the total surveyed organizations experienced a data breach or cyberattack involving third-party network access in the last 12 months. In healthcare, 44% of the respondents said that their organization experienced a third-party data breach or cyberattack.
One of the most notable data breaches of 2024 occurred at Change Healthcare, which serves as a third-party vendor to healthcare organizations nationwide. When a cyberattack hit Change Healthcare in February 2024, it caused widespread operational and financial disruptions across the U.S. healthcare sector.
"Third parties frequently need access -- often privileged access -- to devices, systems, applications, and networks, but providing that access creates new risks for the organizations granting it. Third parties are a frequent target of bad actors because they typically have more access than they need," the report stated.
"Why? Because third parties present unique access management challenges: they're not employees, and it's therefore difficult to track their lifecycle and employment status, to enforce multifactor authentication, or to appropriately set up their access rights. Armed with that knowledge, bad actors try to take advantage of third parties' access."
As a result of these third-party data breaches and privileged internal access gaps, 60% of healthcare respondents reported that confidential information had been lost or stolen.
What's more, 47% of healthcare respondents reported severing relationships with third parties, and 49% suffered regulatory fines. Loss of customers, business disruptions and reduced revenue were also commonly reported.
Confidence in the sector's ability to reduce these disruptions varies, the report showed.
More than 40% of healthcare respondents said that they anticipate that data breaches caused by third parties will increase over the next 12 to 24 months, and 45% reported agreeing or strongly agreeing that managing third-party permissions and remote access can be overwhelming and "a drain on our internal resources."
Top barriers to combating third-party risk
Healthcare organizations have long struggled with third-party risk management, as they often rely on a wide variety of vendors that have varying access to sensitive data. The complex vendor ecosystem combined with large amounts of sensitive information make healthcare a top cyberattack target.
"Organizations clearly recognize the threat that third-party access poses, and many are trying, in earnest, to combat it," the report noted.
"But between low confidence in solution efficacy, lack of visibility, and the number of breaches, it's clear that simply 'buying a solution' is insufficient for solving their challenges."
All healthcare respondents reported having a vendor privileged access management (VPAM) or a privileged access management solution, or both. However, employing a vendor tool alone is not enough to effectively manage these risks.
"Even with a VPAM solution in place, organizations have an uphill battle when it comes to full program success," the report stated, citing a lack of governance, regulatory complexity, and insufficient budget as top barriers to reducing third-party and privileged access risks across all surveyed industries.
The report revealed a lack of defined roles and responsibilities across organizations when it came to managing and granting access to third parties and vendors. In some organizations, these tasks are the responsibility of the information technology team, while others leave them to the general counsel or human resources departments.
These data points, though collected from a modest sample size, show that organizations across multiple sectors must mature their third-party risk management and privileged access strategies to stay ahead of threats.
"Organizations are aware of the threat, and while there are obstacles in the way -- lack of resources, manual processes, and centralized control, to name a few -- organizations are taking steps to ensure appropriate access to their networks and high-value assets," the report stated.
"The opportunity is to ensure that those steps are strategic and consistently applied -- for all privileged access needs."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.