The number of patients affected by data breaches this year is on track to exceed last year’s total — healthcare organizations have already reported more than 330 breaches affecting 43 million people, which is rapidly approaching 2022’s total of 52 million impacted patients.
A major contributing factor to the prevalence of data breaches among hospitals and health systems is their heavy reliance on third party vendors, said John Houston, vice president of information security and privacy at UPMC, in a recent interview. He added that the number one priority for a hospital leader in his role should be to manage third party risk.
On Thursday, an organization that Houston is a part of released recommendations on how providers can better address the cybersecurity risks linked to their third party reliance. The organization — called the Health 3rd Party Trust (Health3PT) Initiative — was founded in 2018 to bring together leaders from providers, payers and other healthcare organizations to share best practices and create a more standardized framework for managing third party cybersecurity risks in the healthcare industry. Some of the group’s recommendations included ensuring that contract language ties financial terms to a vendor’s data management transparency and establishing metrics and reporting requirements for organization-wide vendor risks.
Third party risk management practices in the healthcare industry are usually outdated and/or borrowed from other sectors, Houston pointed out. Because of this, they are often inadequate for addressing the challenges posed by modern technology innovations like cloud and AI.
This leads to inconsistent risk management outcomes — as seen in the many vendor-related security events and breaches occurring in the healthcare world. This year’s MOVEit data breach is a prominent example. The hack exposed millions of Americans’ personal information, including that of patients at Johns Hopkins Medicine in Baltimore and Harris Health System in Texas.
MOVEit is a widely used file transfer product that allows organizations to move data between systems and networks. The massive data breach occurred because attackers found a vulnerability in the software before most organizations could update it. In a circumstance like this, a hospital’s data can be at serious risk if any of its partners use MOVEit and haven’t patched the vulnerability — and it is difficult for hospitals to manage this situation when they work with hundreds of third party vendors, Houston pointed out.
He added that in the past two years, every one of UPMC’s data breaches that was “of any significance” has involved a third party holding the health system’s data.
“If I go back to the year 2000, almost all of UPMC’s data was housed within our data centers, and all of our applications ran out of our data centers. The responsibility to secure our environment was on us directly because it was our data centers that were running the systems. If you fast forward to today, probably 50% of our processing is in the cloud somewhere, and many copies of our data are in the cloud. And then if I go forward five or 10 years, I would say almost all our processing is going to be in the cloud,” Houston explained.
Unfortunately, hospitals weren’t prepared for this transition from being in charge of securing their own data to having to worry about the security practices of their hundreds of third-party partners. Consequently, they haven’t exactly come up with the right risk mitigation strategies to address it, Houston declared.
To remedy this problem, Health3PT gave providers six recommendations on how to better manage cybersecurity risks associated with third party data management.
- Providers should use concise contract language that ties financial terms to a vendor’s transparency, assurance and collaboration on data security matters.
- The industry must create a risk tiering strategy for third parties that determines the frequency of data security reviews, the level of due diligence and the priority of remediation actions.
- Providers must ensure they are receiving appropriate, reliable and consistent assurances from third parties about their security practices.
- When data security issues are identified, providers must quickly follow up with vendors to close the identified gaps and implement corrective action plans.
- Because the security and risk management landscape is ever-evolving, providers should seek regular updates from vendors to ensure continuous assurance of their security capabilities.
- Providers should establish metrics and regular reporting requirements for organization-wide vendor risks, as this boosts transparency and regulatory expectations for the healthcare industry.
Photo: chombosan, Getty Images