Risks introduced by third parties may be a significant contributor to healthcare cybersecurity risk.
The rising number of non-IT devices plugged into, or wirelessly connected to, hospital networks far outnumbers the PCs, laptops and workstations in most facilities. What is more, most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and security teams. No wonder, then, that hospital CEOs are becoming concerned about the patient safety ramifications of one or more of these devices being compromised by a malicious actor.
Widespread automation and cost cutting across hospitals is leading to a rising trend of outsourcing hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsourcing agreements are with companies many miles away, often out of state or even out of the country, that manage the systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts that are rarely audited, these agreements extend the hospital attack surface into the outsourcing company, complete with all of its security vulnerabilities. Students of prior cybersecurity attacks will be quick to point out the parallel with Target Stores and its HVAC services provider Fazio Mechanical, a breach that resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution and credit monitoring, cost everyone in leadership their jobs, and led to two class action lawsuits.
The repercussions of a third-party vendor breach in healthcare could, however, be far more serious and impactful given what is connected to the typical hospital network today. That is, unless networks are properly and securely segmented to isolate hospital building management systems, operational technology, medical devices and business IT systems from one another. Yet very few hospitals have even started to securely segment their large, flat networks in order to isolate their higher-risk endpoints.
The need to evaluate third party risk is critical
The need, therefore, to evaluate third-party risk is critical, yet most hospitals currently don’t do this well, if at all. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.
As healthcare leaders continue to monitor and evaluate what is meant by patient safety in their operations, it’s clear that today, patient safety means so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.