4 Steps to Prevent a Third-Party Data Breach
As the lessons learned from the LabCorp and Quest Diagnostic's patient data hacks fade from our collective memory, we must remember that attacks on corporate health systems and government networks are occurring with greater frequency and impact. Breaches due to third-party vendors being given too much access to systems, networks, and applications have resulted in the exposure of millions of patient data files – and the number of instances is going up.
While protection from a vendor data breach involves many of the same practices used to protect IT resources from other threats, there are some steps specific to third-party protection that can prevent or lessen a catastrophic breach.
There are four actions every healthcare organization should take to avoid third-party data breaches. They are:
- Vet your vendors, both before and after signing a contract
- Make sure every vendor support rep has a unique account
- Ensure that vendors can only access the specific resources needed to do their job
- Record and audit all vendor user activity
1. Vet your vendors
Given the obvious risks in granting a third-party vendor access to your enterprise means due diligence should be a centerpiece of your defense strategy. A vendor security risk assessment must be part of the new vendor acquisition and contracting process. That assessment should involve a vetting process that occurs both before and after contract signing. Having a process to regularly review vendors should include understanding changes in their security posture, financial condition, and other risk factors. A program of continual assessment (annually is sufficient) will keep your vendors on their toes and you informed of any emerging risks.
2. Make sure every vendor support rep has a unique account
Sharing credentials is the cardinal sin of most compliance regulations and is a definite no-no. While it may be convenient to assign a vendor to a single account, shared credentials make it impossible to attribute a root cause to any damaging action or activity. So, if you are managing vendor credentials in your internal directory services you may want to consider delegating this to your vendor rep since they have more day-to-day knowledge of their employees’ status. Plus, it keeps you from having to sync up lists frequently to prevent terminated vendor employees from having access to your systems.
3. Give vendors exactly the access they need and nothing more
Vendors tend to be given “broad spectrum” VPN access to corporate assets even when they only need access to one or two servers – or even a singular database. And yet vendors are routinely given full protocol and administrative access. Handing over full network access to vendors is usually carried out in the name of efficiency, given the difficulties of manually isolating networks and creating the proper vendor access controls. However, new tools and technologies now exist to automate these tasks. Vendor Privileged Access Management (VPAM) can limit and contain vendors permissions while giving them sufficient access to what they need to do their jobs. Specifically, vendors are given least privileged access which ensures that vendors only have access to the necessary resources to provide support.
4. Audit all vendor activity
It’s not enough to know every user who can access your corporate resources and have them fenced in to prevent collateral and deeper damage in the event of malicious activity. Good logging and audit tools are essential, both to catch trouble before it happens and track down the source after an incident. Vendor access audit data should be centralized and easy to access.
Key takeaways for vendor management
These basic, but important steps are easy to implement and help prevent third-party breaches. More sophisticated methods include enhanced real-time monitoring, anomaly detection, patch management and endpoint protection. These 4 steps are urgent and should be the drivers behind implementing a vendor management program that will greatly mitigate your third-party vendor risk.
About the Author:
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin, Texas.