The healthcare industry possesses the crown jewels that the bulk of attackers are after: Personally Identifiable Information (PII). Data has become the new currency in the digital underground, consisting primarily of social security numbers, credit card information, health information, and passwords. Third-party vendor risk has become a popular topic amongst attackers and defenders mainly because attackers are leveraging third-party vulnerabilities to gain access to sensitive information, while defenders are trying desperately to keep the bad actors out and better understand risk management. One answer by defenders was the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was developed in order to help protect patient data and better secure a healthcare organization. With HIPAA as a template, there are several other areas that healthcare organizations should look at in more detail to better understand how to conduct third party risk management:
- Vendor Access to Medical Devices
- Medical Devices Running Legacy Operating System and Code Versions
- Third-Party Scripts and Plugins on Websites
- Access to Personal Identifiable Information (PII).
Vendor Access to Medical Devices
Vendor risk is felt most often when continued access to devices is required after install. Industrial and medical devices top the list of technology that requires ongoing support from vendors through the device lifecycle. Healthcare organizations spend a great deal of money on medical devices and most of them carry hefty support contracts. Third-party vendors are contractually obligated to support the medical device, but most contracts say little about how exactly the device will be supported or protected. Several medical device organizations require remote access that does not always follow cybersecurity best practices. It is the responsibility of the healthcare organization to enforce secure remote access and ensure that the medical device company only has the appropriate access to the device or devices they support. A common mistake that healthcare organizations make is granting VPN access with open elevated privileges to the device manufacturer. A seemingly simple access request quickly elevates the level of cyber threats the organization will experience.
Medical Devices Running Legacy Operating Systems and Code Versions
Many data breaches occur because of unpatched operating systems, applications, and code. Medical devices typically have a much longer life cycle than traditional corporate devices. Since the medical devices are often in service for ten years, they almost always fall outside the support operating system patch versions. This makes risk management difficult utilizing traditional patching methods. The best way to mitigate risk on medical devices is to adopt a zero-trust approach to network and data access. Micro firewalls should be used on devices that are unable to accept an agent along with separate clinical networks that only transmit device traffic. Risk assessments should be conducted with manufacturer participation to better protect the clinical network.
Third-Party Scripts and Plugins on Websites
Many healthcare providers have robust information security programs and do a great job with risk management. They make sure that networks, servers, and applications are well protected. One major piece of the information security puzzle outside their control is third party scripts and plugins on websites. Most websites utilize a combination of custom code and code from libraries and third parties. The third parties may specialize in something like analytics, web carts, and payment. The risk to the healthcare organization comes in the form of vulnerabilities in the third party that leaves the rest of the website or application open to attack. Cyberattacks are shifting to focus more on client-side attacks vs. server-side attacks. There are several ways to defend against website attacks like Magecart, Formjacking, and Clickjacking. The focus needs to be on layering protections through Web Application Firewalls (WAF), Runtime Application Self Protection (RASP), and protecting against client-side vulnerabilities.
Access to Personally Identifiable Information
PII is the cyber currency that most attackers target. Healthcare organizations can better control access to PII through an access assessment, sensitive data discovery, and data classification. Healthcare organizations must possess capabilities in order to assess who has access to what, how did they get the access, what are they doing with the access, and should they still have access? Sensitive data discovery is a critical component when trying to determine what information needs protecting. Data classification can support sensitive data discovery by tagging data that can then automatically protect itself by obligation being available to those with access.
The healthcare industry is at a critical point with risk management programs. Effective vendor evaluations, vendor risk assessments, and overall risk mitigation are more important to program success than ever. The Ponemon Institute has noted that data breaches get more expensive every year and continue to occur with increased frequency. Healthcare organizations are a very large target because of the volume of personal data that they house. Third-party risk puts the rest of the organization at risk by the way attackers move laterally in an environment. The good news is that there are many mitigating controls that organizations can deploy to bolster defenses against compromise. Ultimately, the best way to prevent third-party risk is to have a fully funded third party risk program.