HIoT and Third Party Vendor Risk

By Richard Staynings, Chief Security Strategist and Cybersecurity Evangelist

Risks introduced by third parties could significantly contribute to healthcare cybersecurity risk.

The rising number of non-IT devices plugged in or connected wirelessly to hospital networks far overshadows the number of PCs, laptops, and workstations in most facilities. Most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and security teams. It's no wonder, then, that hospital CEOs are becoming concerned about the patient safety ramifications of one or more of these devices being compromised by a malicious hacker.

Widespread automation and cost cutting across hospitals is leading to a rising trend of outsourcing hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsourcing agreements are with companies that are often based out of state, or even out of the country, and that manage systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts that are rarely audited, these agreements extend a hospital's vulnerability surface to encompass the third party's entire network and all of its possible risks.

Scholars of prior cybersecurity attacks will be quick to point out the parallels here between Target Stores and its HVAC services provider Fazio Mechanical, which resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution, and credit monitoring, as well as the jobs of everyone in leadership and two class action lawsuits.

In comparison, the repercussions of a third-party vendor breach in healthcare could be far more nefarious and impactful given what is connected to the typical hospital network today. Unless networks are properly and securely segmented to isolate hospital building management systems, operational technology, medical devices, and business IT systems from one another, the consequences could be life-threatening.


The need to evaluate third-party risk is critical, yet most hospitals currently don’t do this well, if at all. Very few hospitals have even begun to truly understand the level of risk they are exposed to, much less to begin securely segmenting their large networks to isolate their higher-risk endpoints. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.


As healthcare leaders continue to monitor and evaluate patient safety in their operations, it’s clear that today, patient safety is dependent on so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.

Read more blog articles from Cylera.