Third-party risk in healthcare: a continuing crisis

Cybersecurity incidents at public and private companies have become alarmingly frequent and a large portion of them are due to third-party data breaches.

During a September Becker's Hospital Review webinar sponsored by Imprivata, Kylie Ruiz, Senior Product Marketing Manager at SecureLink, discussed common vulnerabilities in third-party access that lead to breaches, and practical steps healthcare organizations can take to mitigate their risks.

Three key takeaways were:

  1. Third-party access and security within healthcare is a significant risk. Third-party vendors and supply chain partners elevate the risk of security breaches because they enjoy privileged access to critical systems and information. Because they often connect remotely, their connection is inherently risky.

    This sets the stage for cybersecurity breaches since healthcare organizations commonly provide third parties with broad privileged access using unsecured tools, assign shared credentials rather than unique user identities and do not manage third-party credentials as well as those of employees. These points of vulnerability render third parties an appealing target for bad actors who seek access to healthcare networks.

    Statistics from the 2022 Ponemon Industry Report, sponsored by SecureLink, confirm this picture:
    • 55 percent of healthcare organizations have experienced a data breach in the past 12 months, compared to 49 percent of organizations overall.
    • 63 percent say the number of cybersecurity incidents involving third parties is increasing and they feel they are not effective at controlling third-party access. "Only 44 percent say they're able to provide third parties with just enough access and nothing more to perform their designated responsibilities," Mrs. Ruiz said.

    The consequences of third-party data breaches can be extremely costly in terms of lost revenue, reputational damage, regulatory fines and increased advertising expenses to repair the organization's image and minimize patient loss.

  2. Resource constraints add to the challenge of managing third-party risk. Despite the importance of managing third parties, organizations often experience resource constraints in doing so. For example, SecureLink has data showing that 46 percent of those surveyed said they do not have someone assigned to manage third-party risk, while 45 percent said they do not have a comprehensive inventory of all third parties with access to their network.

    "If there's no one focused on addressing and prioritizing the risks, it's no wonder that vulnerabilities abound," Mrs. Ruiz said. "And if you don't even know which vendors have access to your network, it's very hard to secure that access."

  3. Organizations can take practical steps to secure third-party access. To secure third-party access, healthcare organizations can follow these proactive steps:
    • Formalize a single workflow and method of providing access. "You want to standardize on a secure enterprise-grade method, ideally based on zero trust," Mrs. Ruiz said.
    • Identify and verify third-party users by creating a comprehensive inventory for what third parties need to access and can access. With this, organizations can obtain complete visibility into their third-party networks and define access policies based on least privileged access — the minimal access third parties need to do their jobs.
    • Enforce access controls for the access rights and privileges granted to third-party users. Those can include access notifications, connection summaries, approval workflows, access schedules and credential management.
    • Gain visibility into access by defining which assets or types of sessions require monitoring and establishing methods and procedures for doing so. This final step to securing third-party risk is also helpful for demonstrating compliance in case of a regulatory audit.
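As an added illustration of the four steps above (this is example code written for this recap, not code from the webinar, SecureLink or Imprivata), the following Python models one access gate that every third-party connection passes through: an inventory that scopes each named vendor identity to the assets it needs, an access schedule, an approval requirement, a rejection of shared accounts, and an audit record per decision so monitored sessions can be reviewed later. All vendor names, users, assets, schedules and ticket ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed sample data: vendor names, users, assets, schedules and
# ticket ids are assumptions for this illustration, not values from the
# webinar or any product.


@dataclass(frozen=True)
class VendorIdentity:
    """One named third-party user. Shared vendor logins are never entered
    here, so a shared credential can never pass the gate."""
    vendor: str
    user: str
    allowed_assets: frozenset          # least-privilege scope
    start: time                        # access schedule (local time)
    end: time
    requires_approval: bool            # approval workflow before connecting
    monitored: bool                    # session must be recorded


INVENTORY = {
    ("imaging-vendor", "j.doe"): VendorIdentity(
        "imaging-vendor", "j.doe", frozenset({"pacs-01"}),
        time(8, 0), time(18, 0), requires_approval=False, monitored=True),
    ("ehr-support", "a.smith"): VendorIdentity(
        "ehr-support", "a.smith", frozenset({"ehr-db", "ehr-app"}),
        time(0, 0), time(23, 59), requires_approval=True, monitored=True),
}

SHARED_ACCOUNTS = {"vendor-support", "admin"}   # constructed examples


@dataclass
class AccessRequest:
    vendor: str
    user: str
    asset: str
    when: datetime
    approval_ticket: Optional[str] = None


AUDIT_LOG: List[dict] = []


def _decide(req: AccessRequest, inventory: dict) -> Tuple[bool, str]:
    """Apply the controls in order; the first failing control decides."""
    if req.user in SHARED_ACCOUNTS:
        return False, "shared credential; a named identity is required"
    rec = inventory.get((req.vendor, req.user))
    if rec is None:
        return False, "identity not in third-party inventory"
    if req.asset not in rec.allowed_assets:
        return False, "asset outside least-privilege scope"
    if not (rec.start <= req.when.time() <= rec.end):
        return False, "outside scheduled access window"
    if rec.requires_approval and not req.approval_ticket:
        return False, "approval workflow not completed"
    return True, "granted"


def evaluate(req: AccessRequest, inventory: dict = INVENTORY) -> Tuple[bool, str]:
    """The single workflow every third-party connection goes through.
    Returns (allowed, reason) and records the decision for later review."""
    allowed, reason = _decide(req, inventory)
    rec = inventory.get((req.vendor, req.user))
    AUDIT_LOG.append({
        "time": req.when.isoformat(),
        "vendor": req.vendor, "user": req.user, "asset": req.asset,
        "allowed": allowed, "reason": reason,
        # only granted sessions of monitored identities produce a recording
        "session_recorded": bool(rec and rec.monitored and allowed),
    })
    return allowed, reason


def run_samples() -> List[Tuple[bool, str]]:
    """Constructed requests that exercise each control once."""
    day = datetime(2023, 3, 1)
    requests = [
        AccessRequest("imaging-vendor", "j.doe", "pacs-01", day.replace(hour=10)),
        AccessRequest("imaging-vendor", "j.doe", "ehr-db", day.replace(hour=10)),
        AccessRequest("imaging-vendor", "j.doe", "pacs-01", day.replace(hour=22)),
        AccessRequest("ehr-support", "a.smith", "ehr-db", day.replace(hour=3)),
        AccessRequest("ehr-support", "a.smith", "ehr-db", day.replace(hour=3), "CHG-0042"),
        AccessRequest("ehr-support", "vendor-support", "ehr-db", day.replace(hour=3)),
        AccessRequest("unknown-vendor", "x.y", "pacs-01", day.replace(hour=10)),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in run_samples():
        print("ALLOW" if allowed else "DENY ", reason)
    recorded = sum(e["session_recorded"] for e in AUDIT_LOG)
    print(f"{len(AUDIT_LOG)} audit entries, {recorded} recorded sessions")
```

The ordering of checks mirrors the recap: identity first (no shared accounts, must be in the inventory), then scope, schedule and approval, and finally the audit entry that gives the monitoring step something to review. In a real deployment the inventory and audit log would live in the access-management system rather than in module-level Python objects.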

With cyberattacks on the rise and their financial costs mounting, it is crucial that hospitals and health systems protect their access points and know their users' identities. "One of the leading causes of cyberattacks is doing nothing," Mrs. Ruiz said.



