HIoT and Third Party Vendor Risk



The rising number of non-IT devices plugged in, or connected wirelessly, to hospital networks far overshadows the number of PCs, laptops and workstations in most facilities. What is more, most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and Security teams. No wonder then, that hospital CEOs are becoming concerned at the patient safety ramifications of one of these devices being compromised by a malicious hacker.

Widespread automation and cost cutting across hospitals is leading to a rising trend of the outsourcing of hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsource agreements are with companies from many miles away – often out of State, or out of Country, who manage systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts which are rarely audited, these agreements extend the hospital attack surface into the outsource company complete with all of their security vulnerabilities. Scholars of prior cybersecurity attacks will be quick to point out the parallels here between Target Stores and its HVAC services provider Fazio Mechanical, which resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution and credit monitoring, as well as the jobs of everyone in leadership and two class action lawsuits.

The repercussions of third-party vendor breach in healthcare could however, be far more nefarious and impactful given what is connected to the typical hospital network. That is, unless networks are properly and securely segmented to isolate hospital building management systems, operational technology, medical devices, and business IT systems. However very few hospitals have so far even started to securely segment their large flat networks in order to isolate the really risky endpoints.

The need to evaluate third party risk is critical

The need therefore to evaluate third party risk is critical, yet most hospitals currently don’t do this well if at all. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.

As healthcare leaders continue to monitor and evaluate what is meant by patient safety in their operations, it’s clear that today, patient safety means so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.

The author addresses these and other subjects at the South Dakota HIMSS annual Conference today 
in Sioux Falls, SD.


Subscribe to our periodic posts via email me to new posts so I don't miss them please.

Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.