3rd-party cybersecurity risk for hospitals: 4 notes

As hospitals and health systems have improved their cybersecurity, hackers have continued to disrupt healthcare by targeting third-party technology companies and suppliers.

The February ransomware attack on UnitedHealth Group claims processing subsidiary Change Healthcare was the "most significant and consequential cyberattack in the history of U.S. healthcare," wrote John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, in an Aug. 5 blog post.

"The bad guys have it figured out: Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?" he wrote.

But hospitals and health systems can take steps to protect themselves from third-party cybersecurity risk, according to Mr. Riggi:

1. Examine your third-party risk management program: Inventory your third-party vendors and classify the risks posed to each of them, down to their subcontractors (or "fourth parties").

2. Enact controls and cyber insurance standards based on identified risk: Include cybersecurity and cyber insurance requirements in business associate agreements with vendors and contractors.

3. Communicate third-party risk internally: Educate all departments and employees that purchase technology, services and supplies about your organization's cybersecurity requirements for vendors.

4. Prepare for incident response and recovery: Identify contingency, backup and continuity plans for you and all organizations that depend on your network in the event of a cyberattack. Train staff to execute these procedures with regular downtime drills and cybersecurity exercises, inviting third-party vendors to participate and incorporating the plans into overall incident command and emergency preparedness functions.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.