As the healthcare ecosystem becomes more interconnected, managing third-party risk increases in importance for security and technology leaders. Smaller suppliers are a particular risk for health delivery organizations (HDOs). These small and midsize businesses often lack the budget and staff resources to implement robust security programs.
As a result, these smaller suppliers to HDOs bring a higher risk that their security will be breached, and a breach at a supplier can spread to its customers. This risk is especially substantial because threat actors target these same companies with the aim of gaining access to their clients' data.
Cyber criminals have already proven the validity of this model. Recent research from Proofpoint and Ponemon found that 50% of HDOs experienced a data breach that originated from a third party in the past two years, and only 44% of HDOs feel prepared in the event of a supply chain attack.
The Rising Risk of Third-Party Breaches
The interconnected web of HDOs and the healthcare industry more broadly marks an increased risk of a third-party breach. More HDOs are collaborating to improve patient outcomes through data sharing and technology improvements. The issue here is that any strides toward interconnection also heighten the risk of threat actors moving through the supply chain to breach a higher-value target.
Of the 10 biggest breaches of healthcare data of the past 18 months, seven involved third-party vendors. The largest recent breach was in mid-2022 when mailing and printing services vendor OneTouchPoint disclosed a breach that impacted more than 30 HDOs. More than 30 million patient records were accessed because of the breach.
This was a massive breach of patient information and shows the possible impact of a threat actor gaining a foothold in a supplier that serves HDOs. OneTouchPoint is not a small company, and yet a breach in its systems resulted in many more organizations feeling the impact, because threat actors can abuse the trusted credentials that suppliers possess. This cascading impact emphasizes the need for strong third-party risk management processes.
The use of trusted credentials is necessary for efficient interactions with suppliers, but those credentials create an additional pathway for threat actors to exploit. According to Ponemon/SecureLink, only 44 percent of HDOs say they are able to provide third parties with just enough access and nothing more. Without an effective strategy to limit third-party access, HDOs unfortunately create more risk.
Adopting a New Third-Party Risk Management Strategy
HDOs need a new third-party risk management strategy. The increased number of breaches using suppliers as entry points requires a more robust approach to protecting the supply chain from threat actors.
Security attestation forms, while necessary for compliance in many cases, rely on suppliers to report honestly which controls they have in place. Trusting supplier honesty is not a valid approach when the risk of data loss and negative impact on patient care is so high.
HDOs should instead adopt a strategy that collects intelligence from internet-facing and network-accessible assets into a centralized source of information for analysis and decision-making. This approach allows information security teams to understand the points of failure in their own internet-facing assets and those of their suppliers. Understanding suppliers’ actual security controls in place provides a more complete picture of the risk of a breach.
This new strategy has the added benefit of enabling a more proactive approach to securing critical systems. With a more proactive security strategy, HDOs are better prepared to manage the risk of a data breach.
The components of this strategy include:
- Collecting inventory of internet-facing and network-accessible connected medical devices and assets.
- Determining the security controls on those assets.
- Resolving any vulnerabilities on owned assets based on risk scoring.
- Communicating issues with suppliers to resolve problems that will impact the HDO.
- Continuous monitoring to easily track any issues that may arise.
- Increased monitoring on systems that third parties have access to.
The above strategy for managing third-party risk creates a more robust security posture and mitigates substantially more areas of weakness than the classic approach based on attestation forms.
How Asimily Enables a Proactive Third-Party Risk Management Strategy
The Asimily platform is designed to enable a proactive third-party risk management approach through several key components.
Strategy: Collecting inventory of internet-facing and network-accessible connected medical devices and assets
Asimily is designed to passively scan systems, discovering information about internet-accessible devices and other assets. This scanning provides insight into which assets are attached to networks and a network topology to show interrelationships.
Strategy: Determining the security controls on those assets
Unknown or unmanaged internet-accessible assets remain one of the most substantial risk factors in terms of third-party breach risk. With Asimily, HDOs can be confident that security controls are accurately applied to connected medical devices, reducing the risk of malicious code infecting the network.
Strategy: Resolving any vulnerabilities on owned assets based on risk scoring
Risk-based vulnerability prioritization is one of the key factors in reducing overall breach potential. Asimily prioritizes vulnerability mitigation work based on each vulnerability's likelihood of exploitation and the impact of a successful exploit, allowing HDOs to focus on the internet-accessible devices most likely to be used as components in an attack chain.
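To make the likelihood-times-impact idea concrete, here is an added example of risk-based prioritization over a small constructed inventory. It is not Asimily's scoring model and not code from this post; the asset names, vulnerability identifiers and weighting factors are all placeholders chosen for illustration. The point it demonstrates is that a CVSS 7.5 flaw on a patient-critical device reachable with supplier credentials outranks a CVSS 9.1 flaw on an isolated workstation, which is the ordering a severity-only list would get wrong.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vulnerability:
    vuln_id: str           # placeholder identifier, constructed for this example
    cvss: float            # CVSS base score, 0.0 to 10.0
    known_exploited: bool  # reported as exploited in the wild (e.g. a KEV-style feed)


@dataclass
class Asset:
    name: str
    criticality: int          # 1 (low) to 5 (patient-safety critical), assigned by the HDO
    internet_facing: bool
    third_party_access: bool  # a supplier holds standing credentials to this asset
    vulns: List[Vulnerability] = field(default_factory=list)


def likelihood(asset: Asset, vuln: Vulnerability) -> float:
    """Likelihood of exploitation in [0, 1]: CVSS scaled to [0, 1], then weighted by
    active exploitation and by how reachable the asset is (internet exposure, supplier
    credentials). The weights are illustrative assumptions, not a published standard."""
    multiplier = 1.0
    if vuln.known_exploited:
        multiplier += 0.5
    if asset.internet_facing:
        multiplier += 0.25
    if asset.third_party_access:
        multiplier += 0.25
    return (vuln.cvss / 10.0) * multiplier / 2.0  # multiplier tops out at 2.0


def impact(asset: Asset) -> float:
    """Impact of a successful exploit in [0, 1], from the HDO's own criticality rating."""
    return asset.criticality / 5.0


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """Risk on a 0-100 scale: likelihood x impact."""
    return likelihood(asset, vuln) * impact(asset) * 100.0


def prioritize(assets: List[Asset]) -> List[Tuple[float, str, str]]:
    """Flatten every (asset, vulnerability) pair and sort highest risk first."""
    rows = [(risk_score(a, v), a.name, v.vuln_id) for a in assets for v in a.vulns]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def sample_inventory() -> List[Asset]:
    """Constructed inventory; device names and vulnerability ids are placeholders."""
    return [
        Asset("infusion-pump-gateway", 5, False, True,
              [Vulnerability("VULN-EXAMPLE-0001", 7.5, True)]),
        Asset("vendor-vpn-appliance", 3, True, True,
              [Vulnerability("VULN-EXAMPLE-0002", 9.8, False)]),
        Asset("nurse-workstation", 2, False, False,
              [Vulnerability("VULN-EXAMPLE-0003", 9.1, False),
               Vulnerability("VULN-EXAMPLE-0004", 5.0, True)]),
    ]


if __name__ == "__main__":
    for score, asset_name, vuln_id in prioritize(sample_inventory()):
        print(f"{score:5.1f}  {asset_name:24s}  {vuln_id}")
```

In practice the `criticality` and `third_party_access` fields are the ones an HDO has to supply from its own inventory and vendor-access records; CVSS and exploitation status come from vulnerability feeds. Whatever weights are used, the model should be written down and reviewed, because the ordering it produces is what the remediation queue will follow.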
Strategy: Communicating issues with suppliers to resolve problems that will impact the HDO
Asimily provides easy reporting to share back to suppliers so they can resolve any issues that could impact the HDO.
Strategy: Continuous monitoring to easily track any issues that may arise
Asimily monitors and detects misconfigurations, attacks, zero-day vulnerabilities, and anomalous behavior from IoMT, IoLT, and IoT devices. Asimily baselines the expected behavior for every device type and model and alerts you to any deviations.
Strategy: Increased monitoring on systems that third parties have access to
Asimily cuts through vendor clutter by tracking the assets that vendors have access to and what data is being transmitted back to them. This increased monitoring reduces the strain on health systems and provides peace of mind.
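The two monitoring strategies above (baselining expected behaviour per device model and watching what is transmitted back to vendors) can be illustrated with one small detector. The following is an added example, not Asimily's implementation and not code from this post: it learns, per device model, which destination and port pairs are normal and how much data each normally carries, then flags new flows that go somewhere unseen, exceed the usual volume, or come from a model with no baseline at all. The flow records, device names and vendor host names are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (device_id, model, destination, dst_port, bytes_out).
# These stand in for what a passive network sensor would observe over a learning window.
BASELINE_FLOWS = [
    ("pump-01", "InfusionPump-X", "10.10.5.20", 443, 12_000),                     # EHR integration
    ("pump-02", "InfusionPump-X", "10.10.5.20", 443, 11_500),
    ("pump-01", "InfusionPump-X", "telemetry.pump-vendor.example", 443, 40_000),  # vendor telemetry
    ("pump-02", "InfusionPump-X", "telemetry.pump-vendor.example", 443, 38_000),
    ("mri-01", "MRI-Scanner-Z", "10.10.7.30", 104, 2_000_000),                    # DICOM to PACS
    ("mri-01", "MRI-Scanner-Z", "support.mri-vendor.example", 443, 9_000),        # vendor support
]

# Constructed flows from a later window, to be checked against the baseline.
NEW_FLOWS = [
    ("pump-01", "InfusionPump-X", "10.10.5.20", 443, 12_300),                      # normal
    ("pump-02", "InfusionPump-X", "telemetry.pump-vendor.example", 443, 900_000),  # far above usual volume
    ("pump-01", "InfusionPump-X", "203.0.113.9", 22, 500),                         # destination never seen
    ("mri-01", "MRI-Scanner-Z", "10.10.7.30", 104, 1_800_000),                     # normal
    ("lab-01", "Analyzer-Q", "10.10.9.40", 443, 1_000),                            # model with no baseline
]

VOLUME_FACTOR = 3.0  # alert when a flow exceeds this multiple of the largest flow seen in baseline


def build_baseline(flows):
    """Learn, per device model, the (destination, port) pairs seen and the largest
    per-flow byte count for each pair. Returns {model: {(dst, port): max_bytes}}."""
    baseline = defaultdict(dict)
    for _dev, model, dst, port, nbytes in flows:
        key = (dst, port)
        baseline[model][key] = max(nbytes, baseline[model].get(key, 0))
    return baseline


def detect_deviations(baseline, flows, volume_factor=VOLUME_FACTOR):
    """Return (device_id, reason) for every flow that deviates from its model's baseline."""
    alerts = []
    for dev, model, dst, port, nbytes in flows:
        profile = baseline.get(model)
        if profile is None:
            alerts.append((dev, f"no baseline for model {model}"))
            continue
        key = (dst, port)
        if key not in profile:
            alerts.append((dev, f"unexpected destination {dst}:{port}"))
        elif nbytes > volume_factor * profile[key]:
            alerts.append((dev, f"outbound volume {nbytes}B to {dst}:{port} "
                                f"exceeds {volume_factor}x baseline"))
    return alerts


def run_example():
    return detect_deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS)


if __name__ == "__main__":
    for dev, reason in run_example():
        print(f"ALERT {dev}: {reason}")
```

Keying the baseline on device model rather than on individual device is what lets a fleet of identical pumps share one profile, so a single pump talking to a new host stands out even if that pump itself has little history. The volume check is the piece that addresses "what data is being transmitted back" to a vendor: the destination is legitimate, but a twentyfold jump in bytes sent to it deserves a look.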
Asimily assists with monitoring for potential supply chain attacks to allow HDOs to focus on the important work of providing patient care. Asimily customers thus can be assured that they’re able to evolve their third-party risk management strategy for connected devices, reducing their risk and making their critical systems more secure overall.
To learn more about the Asimily risk remediation platform, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.