Are Your Vendors Introducing Risk?

Cyber risks in healthcare are not just confined to data centers, to nursing stations, or to the PHI data that flows back and forth between health insurers, HIEs, government agencies, and patients. The risk matrix is much bigger than that.

It includes thousands of suppliers, vendors, and partners that stretch across the globe. Everything from business process and IT outsourcers in India, to complex manufacturing supply chains for medical equipment in China, Brazil, Germany, Australia, and the UK can all fall under the umbrella of cyber risk susceptible access points.

Alarmingly, this risk matrix in healthcare also encompasses the company that provides hot meals to your patients, and food and coffee for the hospital cafeterias, as well as the pharmaceutical companies conducting clinical trials, and biomedical engineering companies providing prosthetics, or an implantable medical device (IMD) that leaves the hospital with a surviving patient. Anyone who has physical access to your sites, network access to your IT, or who processes your data, regardless if they ever see one of your patients or not, can introduce risk to your business.

 

Dismaying Numbers in The Data

A vendor vulnerability index research report released by Bomgar showed that breaches occurring from third parties account for two-thirds of the total number of reported cyber breaches. The study found that only 46% of US companies said they know the number of log-ins that could be attributed to vendors, and that less than 50% enforce policies around third party access. Furthermore, 69% of respondents said they definitely or possibly suffered a security breach accomplished through vendor access in the past year.

Lets not forget that the Target breach of 40 million credit cards and 70 million customer records was caused by the weak security of one of Target's HVAC vendors. It cost Target over $300 million and the jobs of everyone on the leadership team as well as lasting damage to the store's reputation. In addition, it resulted in two expensive class-action suits, one by customers and one by investors peeved at the loss of Target's stock price following the incident.

The consensus by security professionals is that the risk posed by third parties is not only substantial, but it is increasing each and every year. Gartner stated in its June 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk.

So why is it then, that health system CEOs are focused on other things? It could be that the healthcare industry has too many challenges, and third party vendor risk management (TPVRM) is just further down the list. It could also be the fact that very few healthcare delivery organizations feature in the prestigious Fortune 500 list, or it could just be that healthcare CCOs, CROs and CISOs, just haven't got the message across to their CEO yet. Either way they must prioritize their risk management strategies or they could suffer irreparable damage. 

 

This post was first published by the author here. 
Image Credit: Cristofer Maximilian unsplash

Read More

Cyber Risk Insurance Won't Save Your Reputation

A myopic focus on healthcare compliance has resulted in checkbox mentality, rather than a holistic risk-based approach to cybersecurity.

The financial and reputational costs associated with a security breach can be expensive and reputationally damaging. But in critical industries like healthcare, a cybersecurity attack could expose patients to some major safety risks that no amount of cyber breach insurance will likely fix.

Healthcare has historically had a myopic focus on privacy and protecting the confidentiality of patient information–largely caused by HIPAA, Caldicott, APA, PDPA, GDPR, and state breach rules. These have resulted in a skewed compliance-based approach to security by senior management and a 'checkbox mentality' of ‘have we done the minimum necessary’, rather than a holistic, risk-based approach to identify, protect, detect, respond, and recover from threats and vulnerabilities.

Risks change, and in healthcare those risks are changing quickly (as are legal liabilities and exposure to inadequate cybersecurity protection). CISOs, CROs, and GC/CLOs (General Council or Chief Legal Officers) are beginning to understand these changes and how cybersecurity posture and preparation are critical to protecting patient safety. Many of their bosses in the CEO seat are slowly beginning to understand not just their patient safety exposure in the age of digital inter-connectivity and cyber attacks, but also the potential impact on reputation.

“Cybersecurity is no longer a question of simple compliance,” said one hospital CEO at a recent US healthcare conference, “it’s about protecting the hospital’s reputation and ensuring patient safety while our systems are under attack and misbehaving."

"We purchased cyber risk insurance to cover all the un-budgeted costs associated with an attack. We keep our fingers crossed that we won’t need it.” he added.

But many insurers are now claiming that cyber attacks are an 'Act of War' and are therefore exempt from coverage under the terms of their policies, a fact that is currently being disputed in court by drug maker Merck and its insurers. So maybe the insurance, a company is counting on won't be there when really needed.

An OCR fine and the institution’s name being posted to the OCR 'Wall of Shame' is one thing, but patients being turned away or even held to ransom by cyber-attacks compromising medical devices are an entirely different order of magnitude!

Given our reliance today on HIT / HIoT systems to treat patients, there's a real risk that someone could die on us because critical systems are not available to diagnose and treat them following a cyber-attack. So too is the reputation hit when a hospital is forced to go on Full Divert following a cyber-attack as part of the British NHS had to when attacked by WannaCry in 2017. More recently, Campbell County Health in Wyoming, USA was forced to go on Full Divert following a similar cyber-attack.

“I would find it much more preferable to have HHS OCR camped out in my office examining all my papers following a breach, than the FBI walking the halls investigating a series of patient deaths at my hospital caused by a cyber-attack.” said a prominent San Francisco area CISO who preferred not to be named without clearing his statement with his employer. “One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it,” he added.

“One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it!”

Some years ago I did a walk-through of a hospital in Tasmania as part of its parent company’s risk assessment. The top floor was dedicated to a large and sprawling maternity department. Patient rooms with open doors and sleeping new moms and their infants lined either side of a wide corridor so nurses could come and go to check on both. Mothers and infants had similar plastic straps around their wrists with their name, D.O.B., and patient identifier. Neither were RFID-tagged. It would be very easy for someone to walk into a room, remove the sleeping child, and walk down the corridor to the elevator and take that straight to the underground parking complex. There was no physical security to stop them–only a few nurses moving in and out of rooms.

In our debrief, I asked the Obstetrician running the department what would happen if someone were to abduct a newborn. She protested at first to say that no one ever would, nor had anyone in the past – this was Tasmania - where there was a surplus of babies. But she did acknowledge that maybe this might be a problem in Sydney or Melbourne. After thinking about it for a minute, she announced, “In a small-knit community like ours, we would close! It would ruin our reputation and no one would come here to give birth again!”

The message here is that no amount of liability insurance is going to protect your reputation fully. It can cover costs for forensic investigation, breach notification, loss of business while down or recovering, and even for extortion payments if you are unable to recover critical data wiped out during a ransomware attack–but it can never cover what your customers think of you! Cyber risk insurance is valuable, but it’s no replacement for a well-functioning cybersecurity program.

Some of us continue to shop at Target following its massive breach of customer data some years ago, but most of us would never apply for a Target Card, nor would we ever consider using an email service provided by Yahoo for similar reasons!

“Once damaged, reputation is a big problem to fix” said the US hospital CEO. “It’s something that is becoming an increasing concern for all of us in healthcare. But how do you do that without spending a fortune on cybersecurity?”

Read More