Managing third-party risk: Building a secure healthcare ecosystem
Note: This is the second of three articles, sponsored by Zscaler, exploring how to manage third-party risk. The prior article in this series examines how healthcare organizations can secure the expanding attack surface in a highly connected environment. The final piece of the series will look ahead to AI-enhanced security in healthcare cyber defense.
Awareness of, and concern over, the cybersecurity risks presented by supply chain partners and other third-party vendors have reached an all-time high across all sectors. Healthcare, however, faces a dual threat: growing dependence on external partners, and a barrage of cybercriminals seeking to exploit the attack surface that dependence creates. With the industry under unrelenting pressure from attackers, securing third-party relationships has never been more critical.
An era of disruption and change
In late 2020 and 2021, the SolarWinds supply chain compromise and the Colonial Pipeline ransomware attack caused disruptions across the country, and mass data exfiltration through vulnerabilities in the Accellion File Transfer Appliance (FTA) broadly impacted the healthcare sector.
These major incidents led to federal action and a new priority on securing the supply chain. In the years that followed, that awareness drove changes in most sectors to reduce supply chain exposure. In healthcare, however, understanding of the risks and of the patient safety impact has not translated easily into action. Indeed, third-party vendors have been the source of most healthcare data breaches every year since 2020.
Unlike most industries, healthcare's biggest risk from vulnerable third-party vendors is not only data exposure. Unsecured, undetected supply chain endpoints and devices are a serious patient safety risk. Healthcare saw the full-scale impact of weak partner connections, and the danger of a single point of failure, last year with the Change Healthcare cyberattack.
Owned by UnitedHealth Group, Change Healthcare processes 15 billion healthcare transactions each year, and the Department of Health and Human Services confirmed the vendor is tied to one in three patient records. The weeks-long service disruption was unequivocally the worst incident seen in healthcare: it impacted nearly every healthcare network and forced patients and providers to go to extraordinary lengths to deliver and receive care.
The impact and relevance of this incident cannot be overstated. Patients unable to have their prescriptions processed were forced into hospitals to receive care for chronic conditions. The incident highlighted what industry stakeholders have been warning about for nearly a decade: the continued expansion of supply chain vendors and medical devices without a matching expansion of cyber support is a patient safety risk.
The large-scale incidents and long-term disruptions of last year were the culmination of several years in which third-party and supply chain incidents, such as the Accellion FTA attacks that began in late 2020, increased drastically in scope and size.
Following these trends, it’s clear that supply chain and other third-party connections will remain a key target for threat actors into the foreseeable future.
Getting to the root of the third-party challenge
For nearly 10 years, threat actors have successfully targeted the healthcare sector in force, leveraging the weakest, easiest-to-access endpoint to reach troves of patient data. In recent years the shift has been not in the number of targeted attacks but in tactics: leveraging the vast number of third-party connections, devices, and other endpoints to hold healthcare hostage by disrupting care.
Not only is healthcare one of the most targeted industries, it also relies on a staggering number of vendors and devices to maintain basic operations. A single hospital can have as many as 1,000 vendors, from medical equipment and HVAC services to outsourced services and traveling nurses. Many of these vendors have hundreds of vendors of their own, which turns third-party risk into what is known as nth-party risk: a web of vendor connections too large to map completely.
At the same time, the average hospital relies on thousands of devices, and larger hospitals on tens of thousands. Even the most advanced hospitals still run old or legacy products that have reached end-of-life and are no longer supported by their vendors. In that context, it is clear why visibility and vendor management have become such a daunting task.
Targeting solutions with broad impacts
Moving forward, it is critical that healthcare provider organizations and their business partners heed the lessons of these incidents and build business continuity plans that assume critical services may be lost for extended periods, with safety nets planned accordingly.
Industry stakeholders have long stressed that overhauling the procurement process and breaking down departmental silos can close security gaps and enforce a cyber-first attitude among leadership and business partners. While it is impossible to significantly reduce the number of supply chain vendors, healthcare providers can lessen vendor risk by requiring all departments to use only vendors that prioritize cybersecurity and have healthcare experience. Further, requiring vendors to adhere to a "cyber hygiene" checklist, including regular patching, penetration testing, and security audits, can mitigate the risks posed by legacy systems or neglected updates.
On the business side, hospitals should use a risk matrix to identify risks and fine-tune the procurement process to close obvious gaps, such as failing to involve the security team or, at a minimum, to perform a security assessment. This process should also establish continuous risk monitoring that evaluates third-party vendor activity and flags anomalous behavior, ensuring ongoing vigilance against evolving threats.
Industry stakeholders also recommend that healthcare entities prioritize identity and access management to stymie the access risks posed by the sheer number of vendors. This includes evaluating how widely privileges are spread across the enterprise and requiring multi-factor authentication (MFA) on critical endpoints.
Additionally, organizations should establish failover mechanisms and identify backup vendors to ensure continuity of critical services if a primary vendor is compromised. Regularly conducting tabletop exercises with vendors can also improve coordination and response times during a security incident.
Access management best practices also include an assessment of user rights to limit the overall footprint, MFA for remote access, and limiting privileges to only what a user needs to perform their work duties.
However, healthcare organizations must go beyond traditional access controls when managing third-party vendors. Trust should not be assumed based on security checklists or initial assessments alone. Just as hospitals segment and monitor their internal users, third-party vendors must be granted tightly controlled, segmented access — with continuous monitoring and enforcement of zero-trust principles. Removing broad VPN access and instead enabling secure, brokered access solutions can prevent vendors from becoming a backdoor into the network. These approaches ensure that each vendor connection is limited to the specific applications or data they need, reducing lateral movement risk and mitigating the impact of vendor-originated breaches. Protecting the organization from external vendors’ mistakes must be treated with the same rigor as internal user risk management.
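As an added illustration, not code from this article or from Zscaler, the following Python models the difference between flat VPN reachability and brokered per-application vendor access, then runs the same deny-by-default policy over a handful of access-log records as a simple continuous-monitoring check of the kind described above. The vendor names, application names, address ranges and log lines are all constructed for the example.

```python
"""Vendor access broker model: per-application grants re-evaluated on every
request, plus a scan over access-log records to flag out-of-scope activity.
Everything here (vendors, apps, networks, log lines) is invented for the example."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical hospital address space that a flat VPN would expose in full.
HOSPITAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


def _utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-02-10T09:05:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


@dataclass(frozen=True)
class VendorGrant:
    """One vendor's brokered access: named applications only, bounded by the
    contract window, and limited to the egress networks the vendor declared."""
    vendor: str
    apps: frozenset
    not_before: datetime
    not_after: datetime
    src_nets: tuple


# Constructed sample grants (names and addresses are assumptions for this example).
GRANTS = {
    "hvac-co": VendorGrant(
        "hvac-co", frozenset({"bms-console"}),
        _utc("2024-01-01T00:00:00Z"), _utc("2024-12-31T23:59:59Z"),
        (ip_network("203.0.113.0/24"),)),
    "imaging-svc": VendorGrant(
        "imaging-svc", frozenset({"pacs-admin", "pacs-api"}),
        _utc("2024-01-01T00:00:00Z"), _utc("2024-02-29T23:59:59Z"),
        (ip_network("198.51.100.0/24"),)),
}


def flat_vpn_allows(dst_ip: str) -> bool:
    """Legacy model: once on the VPN, a vendor can reach any internal host."""
    return any(ip_address(dst_ip) in net for net in HOSPITAL_NETS)


def broker_decision(vendor: str, app: str, src_ip: str, mfa_ok: bool, when: datetime):
    """Zero-trust broker: deny by default, every request re-checked against the grant."""
    grant = GRANTS.get(vendor)
    if grant is None:
        return False, "unknown vendor"
    if not mfa_ok:
        return False, "mfa missing"
    if not grant.not_before <= when <= grant.not_after:
        return False, "outside contract window"
    if not any(ip_address(src_ip) in net for net in grant.src_nets):
        return False, "undeclared source address"
    if app not in grant.apps:
        return False, "application not in grant"
    return True, "allowed"


def parse_line(line: str):
    """Split '<timestamp> key=value ...' into a datetime and a field dict."""
    stamp, *pairs = line.split()
    return _utc(stamp), dict(p.split("=", 1) for p in pairs)


def flag_anomalies(log_lines):
    """Replay an access log through the broker policy; each deny is a finding."""
    findings = []
    for line in log_lines:
        when, rec = parse_line(line)
        ok, reason = broker_decision(rec["vendor"], rec["app"], rec["src"],
                                     rec["mfa"] == "1", when)
        if not ok:
            findings.append(f"{when.isoformat()} {rec['vendor']} -> {rec['app']}: {reason}")
    return findings


# Constructed log lines: one legitimate session and four that should be flagged.
SAMPLE_LOG = [
    "2024-02-10T09:05:00Z vendor=hvac-co app=bms-console src=203.0.113.7 mfa=1",
    "2024-02-10T09:20:00Z vendor=hvac-co app=ehr-portal src=203.0.113.7 mfa=1",     # lateral attempt
    "2024-03-03T22:41:00Z vendor=imaging-svc app=pacs-admin src=198.51.100.9 mfa=1",  # contract expired
    "2024-02-11T03:12:00Z vendor=imaging-svc app=pacs-api src=192.0.2.50 mfa=1",     # undeclared source
    "2024-02-11T03:15:00Z vendor=imaging-svc app=pacs-api src=198.51.100.9 mfa=0",   # no MFA
]

if __name__ == "__main__":
    print("flat VPN lets hvac-co reach 10.20.5.9:", flat_vpn_allows("10.20.5.9"))
    for finding in flag_anomalies(SAMPLE_LOG):
        print(finding)
```

The contrast is the point: under the flat VPN model the HVAC vendor can reach an EHR host it has no business with, while the broker answers "application not in grant" and leaves a record. Replaying the log through the same policy is a cheap form of the continuous monitoring the article calls for; a real broker would also carry device posture and session recording, which this model omits.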
Healthcare entities should learn from the mistakes seen in recent incidents, review their current policies and technologies, and put in place processes that increase resilience. Security leaders should also review their programs for the security impact of relying on specific products or vendors.
About Zscaler
Zscaler, a leader in cloud security, helps healthcare organizations protect patient data and critical systems with its Zero Trust platform. As the healthcare landscape becomes increasingly digital, Zscaler understands the importance of robust cybersecurity measures in ensuring secure and compliant operations.