The Change Healthcare breach disrupted services at hundreds of hospitals and physician clinics, and C-suite leaders are taking action to protect against similar future situations.
Steven Ramirez, chief information security officer and chief technology officer at Renown Health in Reno, Nev., said on the "Becker's Healthcare Podcast" that the incident spotlighted the importance of diversifying vendor partnerships. Relying on a single vendor puts hospitals at risk because even the largest and most powerful companies can fall victim to a sophisticated cyberattack.
Mr. Ramirez said many health systems have renewed energy around examining their enterprise third-party risk. They are initiating security assessments as part of their overall risk management and business continuity and disaster recovery planning.
"We saw how important business continuity was during the Change Healthcare attack and there's been a lot more zero-days we've seen as of late," said Mr. Ramirez. IT leaders need to stay on top of the latest news and patching to secure their systems.
Renown is examining its third-party vendor strategy and services, identifying what data is sent to each vendor and where the potential vulnerabilities lie. The leadership team is asking simple questions, such as:
- Are there other ways we can send data?
- Can we send reports differently?
- Can we send more de-identified data?
- Do vendors really need all the data we're sending?
- What happens if service is disrupted?
"You want to really understand that if there was an interruption, how will that impact your business and is there a plan B?" said Mr. Ramirez. "When we're looking at plan B, are there components that can be done as a workaround? Is this something we can do on paper? Do you need to have a separate vendor like an Equifax, for example, if something like that were to go down? Or even have a plan C?"
In the past, Mr. Ramirez said his team conducted business impact assessments on important vendors, but didn't look deeply into the overall magnitude of the impact on the organization. Now, they're diligent about ensuring the security posture of vendor organizations before approving more data collection. His team has also considered beginning to collect information on the types of security controls its partners have in place.
"The third-party vetting process is just now starting to evolve from these big high-profile events that we've seen," he said. "It's going to be something we'll continue to have to keep a pulse on, and I think that can be something I'm hoping the feds start to crack down on a lot."
Even as health systems dig deeper into cybersecurity and risk management, leadership teams should remain nimble to accommodate the fast pace of change. Cyberattacks are becoming more sophisticated, and threat actors are using social engineering to manipulate victims. But resources aren't endless, and IT leaders have to be mindful of return on investment.
"Throwing money at an issue isn't always going to fix it," said Mr. Ramirez. "A lot of organizations could be doing everything right."
He suggested health systems make sure the fundamentals of patching and vulnerability management are perfected, so the organization is among the top 5% most secure.
"Threat actors want that easy, lucrative target. They don't want to put a lot of work into getting into your organization," Mr. Ramirez said. "The more hurdles that are there, they'll hopefully move on. Having that mindset will really make an organization successful."