“Hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.” - Omer Dembinsky, Data Group Manager at Check Point Software
The healthcare sector is a prime target for cybercriminals who aim to access sensitive patient information and sell it on black markets; health information has a long life and cannot be changed quickly, which makes it very valuable. Healthcare organizations saw 594 data breaches between January 1 and October 31 of 2022, and third-party vendors were a major cause of these breaches. Read more here.
This blog will discuss vendor risks in the context of healthcare, as the sector saw a large number of cyberattacks in 2022 and the trend is expected to continue in 2023. For example, a data breach at Advocate Aurora Health impacted 3 million people in October 2022. Advocate Aurora Health explained that this breach was due to third-party software installed on its website and a patient portal called MetaPixel.
ARE THIRD-PARTY VENDOR RISKS IMPORTANT TO EXAMINE?
“Many of the hacks and data breaches that happen historically, they have actually been started by a third party that was not actually fulfilling or executing the minimum amount of information security controls to secure the information of the customer that is hiring them.” - Leonel Navarro Segura, Information Security Global Practice Director Softtek
Vendor Risk Assessment is an important step in ensuring business continuity and in ensuring that normal operations resume as quickly as possible after a disruption.
Let’s look at two scenarios that show the importance of Vendor Risk Assessment:
1. Suppose you are the owner of an application that relies on cloud services to operate. When a disaster strikes and your cloud provider goes down, your application also becomes inaccessible to your customers.
2. Suppose you are the owner of a food delivery service and your delivery partners go on strike for higher wages. For as long as the strike lasts, your company’s services will be disrupted, which can cost you customers as well as money. You as the owner are not at fault here; however, if your vendor faces a problem, you may be impacted as well. In some situations, the company can even suffer severe reputational damage.
So, it is critical to determine that your vendors are reliable before agreeing to do business with them.
TYPES OF VENDOR RISKS
“Gone are the days when organizations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failures.” - Marjorie Doyle, former Chief Ethics and Compliance Officer, DuPont
1. Strategy Risk: Is there a possibility of your company’s confidential information being compromised by Vendors?
2. Financial Risk: Do the Vendors have enough finances to support their operations?
3. Compliance Risk: Are the vendors compliant with the various laws of the land?
4. Geographic Risk: Do they operate in a risky environment prone to natural disasters?
5. Technical Risk: Is their IT and Data Management system robust?
6. Supply Chain Risk: Do the Vendors rely on any third party for their services?
7. Resource Risk: Do the Vendors have enough resources to do the work that you are paying them for?
8. Replacement Risk: How easy would it be to replace the Vendors if they are unable to continue their operations?
9. Operational Risk: Would their day-to-day policies or operations put your company at risk?
10. Reputational Risk: Will working with the Vendor affect your reputation externally and internally?
Read more here.
Are there any laws that would help healthcare providers take vendor risks seriously?
Note that the above-mentioned risks are not exclusive to the healthcare sector; they apply to organizations in almost every sector.
COMPLIANCE AND THIRD-PARTY RISK ASSESSMENT
“Besides, without a compliance framework, some organizations might not implement any security practices at all (or at least until it is too late). Organizations must constantly challenge themselves to not only remain in full compliance but also seek ways to go above and beyond to ensure the highest levels of security.” - Paul Koziarz, President and General Manager of Regulatory Compliance at Computer Services, Inc (CSI)
Take United States healthcare law as an example: the Health Insurance Portability and Accountability Act (HIPAA) ensures the protection of sensitive Protected Health Information (PHI). The act ensures that a patient’s data will not be disclosed without their consent. HIPAA’s coverage extends to third-party associates who have access to PHI.
Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
Here “organization” covers both covered entities and business associates, i.e. third-party vendors. Read more here.
Non-compliance with HIPAA can have serious consequences for the organization: penalties range from $100 to $50,000 per violation, up to $1.5 million per year for violations of an identical nature. Non-compliance can also result in jail time. India currently does not have a law equivalent to HIPAA, but for a country like ours with a huge population, it is really essential to have such a law.
Now that we have entered 2023, healthcare will continue to be a primary target for cybercriminals because the value of its information is so high. However, even as healthcare providers build robust defenses against a potential cyberattack, those defenses will not be complete unless vendors are included in the preparation. Leaving them out is like giving the enemy an opening and risking tremendous financial and reputational loss for your organization.
Gorisco has a wide range of experts who are experienced in defining and designing various solutions to help organizations mitigate their risks and resolve their problems.
At Gorisco, our motto is ‘Embedding Resilience’ and we are committed to making organizations and their workforce resilient. Reach out to us if you have any queries or clarifications, or need any support on your initiatives.
To read our other blogs, click here. More importantly, let us know if you liked them or not through your comments.