The healthcare industry possesses invaluable data in the forms of patient health information, personal identifying information, and payment card information. The industry is a treasure trove of information to be exploited by criminals. The risk of loss of that information exponentially increases when third-party vendors with whom information is shared are included in the risk matrix. This thought leadership essay presents a solution for large healthcare companies to secure the shared information while simultaneously contributing to an overall improvement in the cybersecurity of the healthcare supply chain.
Healthcare is under cyberattack
The 2020 HIMSS Cybersecurity Survey revealed interesting features of the cybersecurity threat. Over 70% of hospitals surveyed experienced a serious security incident. These included phishing and ransomware attacks that disrupted IT services and caused database breaches and financial losses. The obligation to notify patients of a breach added to both the cost of the attacks and a loss of patient trust and confidence in the hospital. Meanwhile, more information is being entrusted to cloud computing and shared between healthcare providers. Electronic health records will soon be shared across providers and with patients, and could suffer a loss of confidentiality, integrity, and/or availability at any point along the chain of sharing. The risks will continue to expand as all aspects of healthcare treatment and administration move to a digital platform. Hospitals are so electronically connected that there are over 10 electronic devices used at a hospital for every hospital bed!
Healthcare providers and hospital systems do their best to protect information that resides on their network. They have sophisticated systems and protocols that provide adequate security to the information on the networks they operate and maintain. But what of the risk they cannot control? How does a hospital system or healthcare administrator protect the information in the hands of third parties? How do they undertake due diligence to make sure the products they rely upon in the hospital are manufactured with cybersecurity controls in place? In short, how do hospitals protect themselves and add trust to the third parties that matter most, the patients?
Securing the cybersecurity of the healthcare supply chain
Hospitals and healthcare systems generally have two ways available to promote cybersecurity hygiene through their supply chain: contracts and technology. To date, the majority have, at best, used the power of contract to encourage cybersecurity compliance amongst vendors and subcontractors. Two options exist in the power of contract: 1) requiring subcontractors and vendors to carry cybersecurity insurance and 2) mandating compliance with a cybersecurity regulatory framework. While these two options appear to be effective, in practice they fall short because of the difficulty of enforcement on the part of the healthcare company. Regulatory compliance is generally self-attested, with no way to verify actual compliance with the framework and contract, and with no periodic updates to confirm that the vendor is still in compliance with the framework. The result leaves the healthcare company with relatively toothless cybersecurity contractual provisions, because there is no way for the company to enforce compliance, let alone monitor continued compliance.
The ideal contract enforcement scenario to strengthen the overall resiliency of the cybersecurity of the healthcare supply chain is to use technology and follow the “trust but verify” approach to compliance. If healthcare companies incorporate technology into contract and compliance enforcement, the effect will be stronger, more reliable partners. The next paragraph explains how the solution would work in practice.
Technology in Cybersecurity Compliance and Contractual Enforcement
Large healthcare companies risk a breach of private information whenever they themselves are breached or whenever a vendor with whom they share private information is breached. To lower the risk of negligently handling private information, the companies include cybersecurity risk provisions in their contracts. But can the companies enforce those provisions? This three-step plan will help make sure the supply chain is complying with its contractual requirements.
1. Select a framework, or control set, for compliance
A healthcare company has three options for choosing a cybersecurity framework. The first is to implement a HIPAA cybersecurity framework, which is specific to the healthcare field and focuses on protecting the most valuable information a healthcare system possesses. The second option is to use a more generic cybersecurity framework, but one with wider acceptance, because the company’s supply chain may be wider than just healthcare companies. The third option is to customize a short framework of controls that must be implemented. This top ten or twenty list would be the absolute essentials that any vendor would use.
A narrower list provides less security, but it would make reporting easier on the vendors and compliance monitoring easier on the healthcare company. The selected framework should be reflective of that balance.
2. Provide a software license for vendors to submit compliance statuses
This is where the rubber meets the road. The healthcare company must improve upon self-attestation for contractual enforcement. It must require proof. The healthcare company should use a customizable framework compliance software application that allows the vendor to submit the status of each control. The healthcare company can then monitor contractual compliance. Non-compliant vendors will have to own up to that fact. Vendors that submit false statuses will be in breach of the contract, and worse. This license not only allows for effective enforcement, but also pushes the vendors to implement the cybersecurity controls that protect the entrusted data and lower the probability of loss.
3. Monitor and make decisions based on statuses
Once the healthcare company has the statuses, it has decisions to make with deficient vendors. The vendor can be dropped, put on notice to remediate the deficiency, or, for critical vendors, could cooperatively improve the system. These decisions are based on the importance of the data shared, the access the vendor has to the healthcare company’s network, and the criticality of the vendor in the scheme of the supply chain. The collection and analysis of the statuses allow for tailored and informed decisions about the strength of the supply chain.
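To make the status-submission and decision steps concrete, here is an added Python example (not from the essay or any vendor product) that checks each vendor submission against an assumed short control set, treats bare self-attestation and stale submissions as unverified, and applies the three factors above to pick an action; the control names, evidence file names, vendors, scores and the 90-day re-submission window are all constructed assumptions.

```python
from datetime import date, timedelta

# Assumed "top ten"-style essential control set; identifiers are illustrative.
ESSENTIAL_CONTROLS = {"MFA", "ENCRYPT_AT_REST", "PATCH_30D", "BACKUP_TESTED", "LOGGING"}
MAX_STATUS_AGE = timedelta(days=90)  # assumed window for periodic re-submission
REVIEW_DATE = date(2024, 6, 1)       # constructed review date

def deficient_controls(submission: dict, today: date) -> set:
    """Controls not demonstrably compliant: missing, marked non-compliant,
    claimed compliant without evidence (self-attestation), or stale overall."""
    if today - submission["submitted"] > MAX_STATUS_AGE:
        return set(ESSENTIAL_CONTROLS)  # a stale status verifies nothing
    bad = set()
    for ctl in ESSENTIAL_CONTROLS:
        entry = submission["controls"].get(ctl)
        if entry is None or entry["status"] != "compliant" or not entry.get("evidence"):
            bad.add(ctl)
    return bad

def decide(vendor: dict, deficiencies: set) -> str:
    """Map deficiencies plus data sensitivity, network access and criticality to an action."""
    if not deficiencies:
        return "compliant"
    if vendor["critical"]:
        return "cooperative-remediation"  # too important to drop outright
    exposure = vendor["data_sensitivity"] + vendor["network_access"]  # each scored 0..3
    return "drop" if exposure >= 4 else "notice-to-remediate"

def review(vendors: list, today: date) -> dict:
    return {v["name"]: decide(v, deficient_controls(v["submission"], today)) for v in vendors}

def ok(evidence="audit-report-2024.pdf"):  # constructed evidence reference
    return {"status": "compliant", "evidence": evidence}

# Constructed sample submissions (not real vendors, scores or evidence).
SAMPLE_VENDORS = [
    {"name": "LabCo", "critical": True, "data_sensitivity": 3, "network_access": 2,
     "submission": {"submitted": date(2024, 5, 1), "controls": {
         "MFA": {"status": "compliant"},  # claimed, but no evidence attached
         "ENCRYPT_AT_REST": ok(), "PATCH_30D": ok(), "BACKUP_TESTED": ok(), "LOGGING": ok()}}},
    {"name": "BillingCo", "critical": False, "data_sensitivity": 3, "network_access": 2,
     "submission": {"submitted": date(2024, 5, 1), "controls": {
         "MFA": ok(), "ENCRYPT_AT_REST": {"status": "non-compliant"},
         "PATCH_30D": ok(), "BACKUP_TESTED": ok(), "LOGGING": ok()}}},
    {"name": "CateringCo", "critical": False, "data_sensitivity": 0, "network_access": 1,
     "submission": {"submitted": date(2023, 9, 1), "controls": {c: ok() for c in ESSENTIAL_CONTROLS}}},
    {"name": "CloudHost", "critical": False, "data_sensitivity": 3, "network_access": 3,
     "submission": {"submitted": date(2024, 5, 1), "controls": {c: ok() for c in ESSENTIAL_CONTROLS}}},
]
```

Running `review(SAMPLE_VENDORS, REVIEW_DATE)` puts the critical lab vendor into cooperative remediation, drops the high-exposure billing vendor, and sends the low-exposure caterer a notice because its last status is older than the window.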
Some of the largest data breaches in history have occurred because a large company allowed a non-compliant vendor to become an entry point into its network. It is essential that large companies, with so much entrusted data at risk, understand the risk of a breach within their supply chain, and how their supply chain could be disrupted by breaches that impact the companies in it. By building compliance technology into their cybersecurity contract provisions, the larger companies can make informed decisions about to whom they are entrusting third-party data. The overall effect will be to push better cybersecurity hygiene into the system, making baseline cybersecurity more resilient at each level.