STRATEGIC PLANNING
4 Keys to Manage Third-Party Cybersecurity Risk
October marks Cybersecurity Awareness Month, a global campaign dedicated to educating individuals, businesses and institutions about the importance of online safety. For health care leaders, this is an important month to raise awareness in this area, particularly since the frequency and sophistication of cyber incursions into health care have increased steadily.
Like a mutating virus, the tactics bad actors use to steal information, delay and disrupt care delivery, and shut down vital systems, putting patient safety at risk, continue to evolve.
Care delivery is disrupted not only when hospitals are attacked directly, but also when mission- and life-critical third-party providers to health care are hit by ransomware. Losing a critical third-party technology or service can be even more wide-ranging and disruptive to patient care than a direct attack on the hospital, because every organization that depends on that provider loses it at once.
When UnitedHealth Group's Change Healthcare was attacked by the Russian ransomware group ALPHV/BlackCat this year, every hospital in the country felt the impact in one way or another. It was the most significant and consequential cyberattack in the history of U.S. health care.
Bad Actors’ Hub-and-Spoke Strategy
Hospitals become collateral damage from an attack on a third party, which is part of cybercriminals' highly effective hub-and-spoke strategy, notes John Riggi, AHA national adviser for cybersecurity and risk, in a recent AHA Cyber Intel blog. By compromising the hub (a third party's technology), attackers reach all the spokes: the health care organizations that are the third party's customers. This gives malicious actors a digital pathway to infect multiple covered entities with malware or ransomware, or to extract their data, through a single intrusion.
In other words, the bad guys have it figured out: Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single, mission-critical third-party provider?
Sound familiar? If we’ve learned anything from the widespread, long-lasting, debilitating impact of this spring’s cyberattack on Change Healthcare, it’s this: To sidestep the effects of the inevitable next health care cyberattack, hospitals need to prepare their business and clinical continuity procedures now for an extended loss of services.
4 Strategies to Bolster Third-Party Risk Management
1 | Scrutinize your third-party risk management (TPRM) program.
Review your program's governance structure and determine whether it needs to be revamped. Confirm that you have a complete, multidisciplinary approach to creating and maintaining a dynamic inventory of all third-party vendors that have access to your systems, networks or data. Then make sure that your TPRM program identifies, classifies and prioritizes the risks posed by these vendors as well as by their subcontractors, drilling down to the level of fourth-party risk (the vendors your vendors depend on).
2 | Implement risk-based controls and cyber liability insurance requirements for third parties, scaled to their identified risk levels.
Assess and formalize your policies and processes for incorporating cybersecurity into third-party risk management. These should include conducting periodic in-depth technical, legal, policy and procedural reviews of the TPRM program and of each business associate agreement (BAA). The BAA should include cybersecurity and cyber insurance requirements for the vendor and its subcontractors, scaled to the level of risk presented by each business associate. In addition, require annual policy and procedure cyber-risk assessments of vendors, as well as annual vulnerability and penetration testing assessments, and require that vendors provide evidence of the results rather than attestation alone.
3 | Consistently and clearly communicate internally your TPRM policies, procedures and requirements.
Every individual, department and business unit within your organization that purchases technology, services or supplies should be educated about your organization's cybersecurity requirements for third parties, and about the cybersecurity risks that working with third-party vendors introduces to the organization.
4 | Prepare intensively for incident response and recovery.
First and foremost, maintain an ongoing process to identify all internal and external providers, including third-party and supply chain providers, of life- and mission-critical functions, services and technology. Identify as well which organizations depend on your organization for essential services. Which health care providers depend on the availability of your technology, services, networks and data? What is the contingency plan for these dependent organizations should you be disconnected from the internet and go "digitally dark"? What impact will there be on your services if you are the victim of a ransomware attack?
Second, in case a cyberattack disables your functions, services and technology, or those of a third party, ensure that they are sufficiently backed up and prioritized for restoration at the enterprise level. Develop operational, business and, most importantly, clinical continuity plans and downtime procedures for each internal and external critical technology and service dependency. Ideally, these procedures should be able to sustain the loss of a life- or mission-critical function for four weeks or longer without significant impact on, or degradation of, quality of care.
Third, train staff to execute these plans proficiently. Conduct regular downtime drills and cyberattack exercises for a variety of scenarios at the individual, departmental and enterprise levels, and invite your third-party vendors to participate.
Last, but not least, incorporate your cyber incident response plan into the overall incident response plan, and integrate the business continuity plans and downtime procedures into the overall incident-command and emergency-preparedness functions.
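The dependency inventory called for in strategy 1 (vendors and their subcontractors, down to fourth-party risk) and in the first step of strategy 4 (every provider of a life- or mission-critical function) is only useful once it is analysed for concentration: which single provider, if it went dark, would take the most critical functions with it. The script below is an added illustration, not code from the AHA or the blog it cites; every vendor, function and hospital name in it is a constructed placeholder. It models functions, third parties and fourth parties as a dependency graph and ranks each provider by the weighted set of functions lost if it fails, so that a shared fourth party hidden under several vendors surfaces as the real hub.

```python
"""Third-/fourth-party dependency inventory with transitive loss-of-provider analysis.

Added illustration; all vendor and function names below are constructed
placeholders, not real organizations.
"""
from collections import defaultdict

# Weights used to rank providers: losing one life-critical function outranks
# losing any number of business functions.
TIER_WEIGHT = {"life-critical": 100, "mission-critical": 10, "business": 1}

# Constructed inventory. Internal function -> (criticality tier, third parties it
# depends on directly). A third party has access to our systems, networks or data.
FUNCTIONS = {
    "e-prescribing":      ("life-critical",    ["ehr-saas"]),
    "lab results":        ("life-critical",    ["lab-interface-vendor"]),
    "claims submission":  ("mission-critical", ["clearinghouse"]),
    "eligibility checks": ("mission-critical", ["clearinghouse"]),
    "patient portal":     ("business",         ["ehr-saas", "identity-provider"]),
}

# Third party -> its subcontractors (fourth parties). The same fourth party can
# sit underneath several vendors; that shared dependency is what the analysis finds.
SUBCONTRACTORS = {
    "ehr-saas":             ["cloud-host-a", "sms-gateway"],
    "lab-interface-vendor": ["cloud-host-a"],
    "clearinghouse":        ["cloud-host-b"],
    "identity-provider":    ["cloud-host-a"],
}


def build_dependents(functions, subcontractors):
    """Reverse the dependency graph: provider -> set of nodes that depend on it directly."""
    dependents = defaultdict(set)
    for fn, (_tier, providers) in functions.items():
        for p in providers:
            dependents[p].add(fn)
    for vendor, subs in subcontractors.items():
        for s in subs:
            dependents[s].add(vendor)
    return dependents


def impacted_functions(provider, functions, dependents):
    """Internal functions lost if `provider` goes dark.

    Worst-case assumption: a vendor fails when any of its subcontractors fails, so a
    fourth-party outage propagates up to every function of every vendor using it.
    """
    seen, stack, lost = set(), [provider], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in functions:
            lost.add(node)
        stack.extend(dependents.get(node, ()))
    return lost


def concentration_report(functions, subcontractors):
    """Rank every third and fourth party by the weighted impact of losing it.

    Returns (score, provider, depth, sorted lost functions), highest impact first.
    """
    dependents = build_dependents(functions, subcontractors)
    direct = {p for _tier, providers in functions.values() for p in providers}
    providers = set(dependents) - set(functions)
    rows = []
    for p in providers:
        lost = impacted_functions(p, functions, dependents)
        score = sum(TIER_WEIGHT[functions[f][0]] for f in lost)
        depth = "third-party" if p in direct else "fourth-party"
        rows.append((score, p, depth, sorted(lost)))
    rows.sort(reverse=True)
    return rows


if __name__ == "__main__":
    for score, provider, depth, lost in concentration_report(FUNCTIONS, SUBCONTRACTORS):
        print(f"{score:4d}  {provider:22s} {depth:12s} {', '.join(lost)}")
```

On the constructed data no single third party scores as high as the fourth party cloud-host-a, which no function lists directly but which sits beneath three vendors and would take both life-critical functions with it. That is the finding a flat vendor list cannot show, and it is what should drive the downtime procedures and the four-week continuity planning in strategy 4. The "any subcontractor fails, the vendor fails" rule is deliberately pessimistic; refine it with per-function dependency data from the vendor's own continuity documentation once you have it.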