Cyber attack vector du jour – Third party digital ecosystem

The data breach at CHI Franciscan Hospital in September is a recent example of what has been a troubling increase in cyber-attacks on the healthcare industry – entry through a trusted third party.

The common attack vector between this breach and many others, including the Mass. General Hospital breach in June, is a healthcare provider's third party, or "business associate," as defined by the Department of Health and Human Services. Breaches via a third party are a rapidly growing technique of bad actors looking to circumvent security controls put in place by sophisticated security teams. It's less taxing on bad actors to simply breach a third party with weak controls and enter secure networks via a trusted connection.

Third party breaches continue to occur despite changes made over three years ago to extend HIPAA Privacy and Security Rules for protection and control of personal health information to business associates of covered entities that receive protected health information, such as contractors and subcontractors. In a recent Deloitte survey of 170 organizations, 87 percent of the respondents said they have faced a disruptive third-party incident in the last two to three years. To complicate the issue even more, E&Y cited that almost half of firms in their study still use spreadsheets to track third party issues.

While the growing number of third-party related breaches points to the critical need for healthcare providers to establish third-party cyber risk management programs, it also reveals the magnitude of the challenge for business associates.

Answering questionnaires from a multitude of upstream business partners is time consuming and costly. Wouldn't it be easier on everyone if an exchange existed to prevent the repetitive security questionnaires and on-site visits? How about performing one security assessment, updating it frequently and sharing with all upstream business partners?

This article examines those challenges and prescribes strategies both customers and third parties should take to streamline the assessment process their customers require.

Third-party cyber risk management: Four key strategies

It's imperative that you move from a compliance-focused to risk-based strategy. Emailing a questionnaire to your third parties and storing them in your GRC tool is not enough. Without a risk-based process, you will continue to struggle answering the most important question, "Which of my third parties pose the most risk to my enterprise today based on the current threat landscape?"

Here are four key components of a sound strategy and the questions you should ask yourself to help reduce complexity, costs and risk from your digital ecosystem of third parties:

1. Identify – Maintain an updated and dynamic inventory of your third parties: Ensure you have a complete view of your third parties and the changing nature of 1) your business relationship with each and expansion or contraction in your relationship, and 2) their business changes – acquisitions, divestitures and potential breaches.
1.1. How can you work with lines of business to ensure you're being included in the RFP stage – rather than after the third party contract has been signed?
1.2. Is the proper contract language being included that provides assessment rights?
1.3. How are you alerted when your relationship with one of your third parties changes?

2. Assess – Understand your inherent risk from each third party. As part of your overall strategy, ensure that you dynamically document inherent risk from your digital ecosystem.
2.1. What risk do you have from each of your third parties?
2.2. What impact would you incur if they were breached?
2.3. How do you interact with each?
2.4. Do they have access to your customers' data?
2.5. Do you access their systems?
2.6. Do you access a payment portal or any other systems? Do you provide a critical component in your customer's manufacturing process?

3. Mitigate — Tier your third parties and do proper – and continuous – security due diligence on each. Different levels of relationships and access require different levels of due diligence. Trust (i.e., self-questionnaire) is not as accurate as verify (a validated assessment). Understand that point-in-time assessments likely meet regulations, but do not provide true risk management oversight. Work with your third parties to remediate critical issues in a timely fashion.
3.1. Which of your third parties require a fully validated evidence of controls assessment?
3.2. Which only require self-questionnaires?
3.3. How are you prioritizing which of your third parties need the most attention based on the latest attack vectors?
3.4. Which need no assessment at all?
3.5. How often are you updating your assessments?
3.6. Are you seeing an inside/out and outside/in view of their security posture?
3.7. Do you have outstanding remediation issues from your third parties?

4. Monitor and Collaborate – Your third-party portfolio must be continuously monitored for state changes. Collaborate with your third parties to improve their security posture and lower your risk. Use analytics to monitor new threats that exploit weaknesses in your third parties' controls. Communicate effectively with your third-party portfolio to understand your exposure to recent threats.
4.1. What type of analytics are you running against your third party assessments?
4.2. How do you know which of your third parties pose the most risk to your organization?
4.3. Are you correlating threat intelligence with weak controls in your third party portfolio?

Third Parties – Streamlining the Response Process

Fueled by rapidly changing regulatory and threat landscapes, the swift evolution of third-party cyber risk management has caused third parties to feel under siege. For instance, most vendor pain points emanate from three attributes that have come to define today's risk management strategies: complexity, cost and compliance vs. risk management.

1. Remove Complexity —

Problem: Organizations use different data gathering questionnaires and assessment methodologies - often customized to meet their unique needs. Third parties are being asked to complete many different flavors of assessments – some self-attestation, others on-site assessments.

Solution: Reduce complexity by proactively building into contracts with your up-stream partners the ability to proactively provide them a standardized assessment on a quarterly basis. Be assessed once, share with many.

2. Reduce Costs —

Problem: It's expensive and time consuming to complete a multitude of questionnaires – all asking basically the same questions – many times in a calendar year.

Solution: Reduce costs by providing up-stream partners a comprehensive and up-to-date assessment at defined intervals. Proactively ensure them that you're not susceptible to newly released cyberattacks. Use your excellent security posture as a business enabler to win business and increase revenue.

3. Mitigate Risk –

Problem: The majority of third-party cyber risk assessment requests are geared toward compliance, as opposed to taking risk-based approaches to identify and mitigate real issues based on actual threats and countermeasures.

Solution: Follow security best practices by asking "what threats am I exposed to? How do I need to mitigate against that? And what's the next thing I need to be worried about?" That context is key to adopting a risk-based vs. compliance-based approach to addressing cyber risk exposure.

Having safeguards and a strategy in place specific to third-party cyber risk management have never been more crucial to mitigating risk from your digital ecosystem. As reported by the Ponemon Institute, nearly 75 percent of IT executives surveyed agree that third-party risk is serious, while 21 percent of respondents said the risk is significantly increasing.

To understand and implement a successful third-party cyber risk management strategy, companies must fully understand the risks a third party poses to them based on the nature of their relationship; understand the controls that a third party has in place to mitigate risk; collaborate with the third party to achieve an acceptable risk posture; and continuously monitor the security posture of the third party over time. Only then does an organization have visibility into their entire risk portfolio that business associates present.

Fred Kneip is CEO of CyberGRX. Prior to CyberGRX, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security, and he was an Associate Principal at McKinsey & Co., where he was a leader of the Corporate Finance practice.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.​

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars