Third-Party Risk Assessment

Photo Credit: Michael Hiskey

'Healthcare needs a better third-party risk assessment approach'

This was the message I delivered to the HIMSS Global Conference in Las Vegas March 8th through 12th.

Modern healthcare has become a "whole village" effort. That village includes a growing number of third-party vendors, suppliers and partners, each providing specific but highly critical functions across healthcare delivery. When one of these third parties is attacked, the repercussions can be alarmingly broad, reaching across multiple providers at once and devastating both patients and providers.

Just look at the impact that the Synnovis and Change Healthcare attacks have had on patient morbidity and mortality, let alone the financial impact and disruption to providers of healthcare services. The 2024 ransomware attack by the Russian group Qilin against UK pathology provider Synnovis, a partnership with two of London's largest National Health Service (NHS) Trusts, resulted in the death of at least one patient, a measurable impact on many others, and over 120 cases of low-to-moderate harm, according to NHS data. The UHG Change Healthcare attack by the Russian group ALPHV / BlackCat forced the cancellation of procedures following pre-authorization failures and left many people without their prescription medications for many weeks, some of which were critical to their survival, on top of its financial impact. The outage, which affected a third of US health systems, pushed many smaller providers to the edge financially, resulted in the closure of care providers and pharmacies, and had an immeasurable (largely unreported) effect on patient morbidity and mortality.

With such broad and devastating impact, critical third-party vendors have become an easy, high-impact target, whether the intention is to create leverage for a ransom extortion payment or to disrupt a critical national industry of another nation. And according to the data, attacks against healthcare third parties are doubling every year.

This serious and now widely exploited vulnerability raises the question of how healthcare delivery organizations should more effectively assess, manage and plan for risks across their vendors, suppliers and partners. Plainly, expecting healthcare providers to risk-assess thousands of individual partners each year is a pipe dream given limited budgets and security resources, and the number of third parties is often in the thousands for each provider.

We therefore need to embrace a different strategy in the light of changing threats and risks - a more scalable approach to managing third-party cybersecurity risk in healthcare through standardized assessment frameworks and shared accountability. One that places more onus upon the third parties themselves to be secure and compliant and to provide evidence of the effectiveness of their security controls. This is especially important where many of those same third parties provide services to hundreds or thousands of different healthcare providers, and where compliance and security control objectives are often shared or very similar.

We need to agree as an industry upon a common framework, a common set of audit questions that can be embodied into an agreed set of audit and assessment control objectives, to avoid the mass duplication of effort we are currently dealing with on both sides.

Lack of Visibility

Understanding the scope of the risk surface is the first problem. With distributed purchasing authority, especially in academic medical centers, and legacy auto-renewing contracts, discovering just how many devices, applications, or other systems have access to a hospital's medical network is half of the battle.

One recent audit of a provider, after a lengthy review of contracts and legal vendor agreements, discovered that the hospital's initial count was off by an order of magnitude. The provider was not only paying each year for services it hadn't used in decades, but the person who had agreed to an auto-renewing contract had long since retired and in some cases had passed away. Random vendors, it seemed, had legacy remote access to hospital networks to maintain and manage leased systems, and rather than shut down unknown remote access permissions, security had been told to leave these accounts up and running despite the risks, because of uncertainty about cutting off something or someone important.
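The reconciliation described above can be made routine rather than a one-off audit. The following is an added example, not code from the original post: it joins constructed sample records for vendor remote-access accounts against a contract register and a staff directory, and turns the "uncertainty about cutting off something important" into an evidence-based recommendation per account. The record layouts, vendor names and thresholds are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample records. In practice these come from the remote-access
# identity store, the contract register and the HR directory respectively.
REMOTE_ACCESS_ACCOUNTS = [
    # (account, vendor, last_login, contract_id, internal_owner)
    ("svc-ventilator-maint", "ExampleVentCo", date(2026, 3, 1), "CTR-1001", "jdoe"),
    ("svc-lab-analyzer", "ExampleLabCo", date(2022, 6, 14), "CTR-0420", "rsmith"),
    ("vpn-pacs-support", "ExamplePACS", date(2026, 2, 20), None, "mlee"),
    ("svc-old-hvac", "ExampleHVAC", None, "CTR-0077", "pquinn"),
]
CONTRACTS = {  # contract_id -> (status, renewal type)
    "CTR-1001": ("active", "annual-review"),
    "CTR-0420": ("active", "auto-renew"),
    "CTR-0077": ("expired", "auto-renew"),
}
STAFF = {"jdoe": "active", "rsmith": "retired", "mlee": "active"}  # pquinn: no record

def review_vendor_access(accounts=REMOTE_ACCESS_ACCOUNTS, contracts=CONTRACTS,
                         staff=STAFF, today=date(2026, 3, 20), dormant_days=90):
    """Join each vendor remote-access account to its contract and owner and
    return {account: (issues, recommendation)} for every account that needs
    a decision; accounts with nothing wrong are omitted."""
    report = {}
    for account, vendor, last_login, contract_id, owner in accounts:
        issues = []
        contract_ok = False
        if contract_id is None or contract_id not in contracts:
            issues.append("no contract on record")
        else:
            status, renewal = contracts[contract_id]
            contract_ok = status == "active"
            if not contract_ok:
                issues.append(f"contract {contract_id} is {status}")
            elif renewal == "auto-renew":
                issues.append("auto-renewing contract: confirm service still in use")
        owner_ok = staff.get(owner) == "active"
        if not owner_ok:
            issues.append(f"owner {owner!r} is not an active employee")
        dormant = last_login is None or today - last_login > timedelta(days=dormant_days)
        if dormant:
            issues.append(f"no login in {dormant_days} days")
        if not issues:
            continue
        # Evidence-based triage: dormant access with neither a live contract nor a
        # reachable owner is disabled after written notice to the vendor; anything
        # else gets a confirmation request and a review date first.
        if dormant and not (contract_ok or owner_ok):
            action = "disable after notice to vendor"
        else:
            action = "confirm with owner/vendor; set review date"
        report[account] = (issues, action)
    return report
```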

A Common Risk Assessment

In his presentation, Richard examined the need to better assess healthcare third parties, whether HIPAA Business Associates or simple business partners and suppliers. 

"Right now" he claimed, "we have things backwards with payers and providers expected to assess each of their vendors. This is not only impractical given the numbers, but also prohibitively expensive in time and resources. We need to squarely place the onus on vendors to prove that they meet or exceed payer and provider security policies and standards. Not the other way around."

"We do this by having our vendors bring us proof that they meet OUR security requirements in the form of a SOC 2 Type II attestation from a reputable auditor, or an ISO27001 or HITRUST certification, where the control objectives can be easily mapped to OUR risk and compliance requirements."

"This requires third parties to get onboard with a set of standardized common security controls under a recognized audit framework to validate that common security compliance and risk control objectives have been met and have proven to be repeatable, rather than a one-off point-in-time validation. And repeatability is critical here", he added. "Just look at some of the third party breaches and how they followed shortly after a recent point-in-time assessment."

Some vendors will be ISO 27001 certified, others may have shelled out for HITRUST, but neither is cheap. Some of these compliance requirements, however, may need to be cross-mapped to a payer's or provider's specific risk assessment objectives. For others, an SSAE 18 SOC 2 Type II attestation may be easier and more feasible, while larger third parties like Microsoft or Cisco will readily have both ISO certificates and SOC 2 reports available for their customers.

Perhaps the biggest argument for a SOC 2 attestation over a certification is who pays. Cybersecurity certification costs usually need to come out of the security budget. A SOC 2 is often completed by the same company that performs the organization's annual financial audit and so is usually billed to accounting rather than security. That makes it especially attractive if you are a CISO and have a tight budget.

Separate Annual Assessments can be Expensive for Vendors

Most healthcare providers share the same pool of third-party vendors that provide healthcare systems or services for pathology, PACS, EMR, cardiology, billing, etc. They also share the same pool of business software vendors: Microsoft, CrowdStrike, Cisco, Oracle, AWS, GCP, etc. Each year the healthcare sector loads up many of these vendors with the exact same audit questions to assess and validate security risk and compliance. That can be a massive hit on those that don't have a current SOC 2 ready to send that includes a mapping to each of the audit control objectives requested.

While some third parties have made the move to SOC 2 reports, others have yet to do so. Plainly they need to review their options if maintaining staff sanity is a priority as audits and assessments ramp up.


Assessment Automation

Audits and assessments can be expensive and very time consuming. With thousands of artifacts to assemble and match with control objectives, they require a complete project management infrastructure to meet compliance dates or to renew cyber risk insurance policies. Most of this is still conducted manually today, despite the better judgement of audit managers who see their workloads steadily increase year over year.

With a growing number and complexity of third-, fourth-, and fifth-party vendors and suppliers to assess each year, auditors face an uphill challenge. Whether assessments are conducted by a dedicated hospital security and compliance team, or by a recognized AICPA / Big Four auditor like PwC, KPMG, Accenture, or Deloitte, incremental changes to manual, labor-intensive audit processes can never truly move the needle on costs and efficiency. That's why we need better automated audit tools that leverage AI to drive efficiency, but ones that don't rely on complicated or proprietary frameworks. It's also important that many of the problems of AI-based applications, such as hallucinations, are avoided by requiring human-in-the-loop (HITL) review, especially in audit systems used to calculate and evaluate risk.

New Assessment Tools

Fortunately, new tools are beginning to emerge that support:

•  Automated evidence collection which maps to cross-framework controls

•  True contextual data evaluation that understands what submitted data means

•  AI validation that uploaded evidence meets each specific control

•  The full audit sign-off on the same platform that was used for readiness

•  AI enabled report generation – because who has time to write reports?

•  Full project management with task dependencies

•  SOC 2 AICPA standards for both readiness assessments and final audit

This new generation of tools simplifies and streamlines pre-assessment and audit activities. They reduce the amount of time needed for audits and assessments and streamline workflows while reducing cost and complexity. They are undoubtedly the future, but these improvements need to be paired with better visibility into what connects to medical networks and a focus upon third party vendors to provide a SOC 2 attestation or HITRUST certification of security controls. Only then will the growing morass of third party risks become more manageable for healthcare regulated entities. Only then will some semblance of normality, availability, and safety be restored to the patient community reliant upon their health services.
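The cross-framework mapping that the SOC 2 / ISO 27001 discussion and the first bullet above rely on can be expressed directly. The following is an added example, not code from the original post or from any product: a provider keeps its own requirements keyed to SOC 2 Trust Services Criteria and ISO 27001:2022 Annex A control IDs, and each vendor submission is scored against them, rejecting point-in-time SOC 2 Type I reports and stale evidence (the repeatability point made above) and listing only the requirements that still need a targeted question. The requirement IDs, the crosswalk and the vendor submissions are constructed for illustration, not an official mapping.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Requirement IDs are constructed. SOC 2 TSC and ISO 27001:2022 Annex A control
# IDs are real, but the crosswalk between them is an assumed illustration.
PROVIDER_REQUIREMENTS = {
    "REQ-ACCESS-01": {"SOC2": {"CC6.1", "CC6.3"}, "ISO27001": {"A.5.15", "A.8.2"}},
    "REQ-VULN-02":   {"SOC2": {"CC7.1"},          "ISO27001": {"A.8.8"}},
    "REQ-LOG-03":    {"SOC2": {"CC7.2"},          "ISO27001": {"A.8.15"}},
    "REQ-SUB-04":    {"SOC2": {"CC9.2"},          "ISO27001": {"A.5.19"}},
}

@dataclass
class Attestation:
    vendor: str
    framework: str                 # "SOC2" or "ISO27001"
    kind: str                      # "Type I", "Type II" or "Certificate"
    period_end: date               # end of the audit period or certificate date
    controls: set = field(default_factory=set)    # control IDs tested without exception
    exceptions: set = field(default_factory=set)  # control IDs tested with exceptions noted

def evaluate(att, requirements=PROVIDER_REQUIREMENTS,
             today=date(2026, 3, 20), max_age_days=365):
    """Map one vendor attestation onto the provider's requirements. 'accepted'
    is False when the evidence itself is unusable (point-in-time SOC 2 Type I
    or older than max_age_days); 'follow_up' lists requirements not fully met."""
    out = {"vendor": att.vendor, "accepted": True, "reasons": [],
           "status": {}, "follow_up": []}
    if att.framework == "SOC2" and att.kind != "Type II":
        out["accepted"] = False
        out["reasons"].append("SOC 2 Type I is point-in-time; Type II required")
    if today - att.period_end > timedelta(days=max_age_days):
        out["accepted"] = False
        out["reasons"].append(f"evidence older than {max_age_days} days")
    for req_id, crosswalk in requirements.items():
        needed = crosswalk.get(att.framework, set())
        if not needed:
            status = "UNMAPPED"    # no equivalent control in this framework
        elif needed & att.exceptions:
            status = "EXCEPTION"   # auditor reported a failure on a needed control
        elif needed <= att.controls:
            status = "MET"
        else:
            status = "GAP"         # a needed control was outside the report's scope
        out["status"][req_id] = status
        if status != "MET":
            out["follow_up"].append(req_id)
    return out

# Constructed sample submissions; vendor names are placeholders.
LAB_SOC2 = Attestation("ExamplePathologyLab", "SOC2", "Type II", date(2025, 11, 30),
                       controls={"CC6.1", "CC6.3", "CC7.1", "CC7.2"}, exceptions={"CC9.2"})
PACS_ISO = Attestation("ExamplePACSVendor", "ISO27001", "Certificate", date(2024, 12, 31),
                       controls={"A.5.15", "A.8.2", "A.8.8", "A.8.15", "A.5.19"})
```

For the lab's SOC 2 Type II the only follow-up is the fourth-party requirement where the auditor noted an exception; the PACS vendor's certificate covers everything but is rejected as stale.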

WHX Dubai

The digital healthcare evolution is leading to more and more highly innovative medical technology that helps to drive efficiency and patient outcomes. Machine Learning has hugely changed clinical decision support, while digital transcription applications are saving physicians hours of pajama time each week in record keeping (and at private hospitals helping them to get paid). AI has revolutionized medical imaging, allowing for lower patient radiation dosages to be used and AI recognition of cellular mass changes vastly improving early identification of cancer and other medical conditions.

BUT this technology also adds to and expands the cyber attack surface. A proliferation of AI based medical applications and a tsunami of medical and other IoT devices is making security almost unmanageable across our hospitals. And that is before you even consider the exponential growth of personal health sensors, interactive devices, and mHealth initiatives or the portalization of physician-patient secure messaging, appointment bookings and the secure posting of lab results. 

In 2026 you no longer need to make an appointment to see your primary care physician (PCP) to have him or her share your latest test results. In many cases the data is posted long before the physician's office will ever call you to let you know the results, or to book an appointment with your PCP to walk you through them. Simply feed your lab results into Google or a growing host of AI medical assistants, and patients can receive instant medical advice, even if that advice deviates towards the mean, as all AI systems tend to do.

While this is a global healthcare concern, the Gulf is seeing perhaps one of the world's most accelerated and dramatic expansions and modernizations of healthcare services, with hundreds of new systems and applications connected to medical networks every week, and new hospitals and clinics sprouting up in almost every community. There is a revolution occurring here, but neither governments nor providers are prepared.

The pace of technology adoption has outpaced the implementation of security tools and controls needed to protect that new technology from growing cyberattacks and data breaches. Some of this is plainly the result of the frenetic pace of adoption of new innovative tech and inadequate time or resources for security teams to keep up. But an increasing aspect of this "maturity gap" comes down to the out-of-date way in which technology and cybersecurity are perceived by executive healthcare leaders and government ministers. Rather than being seen as an integral part of the solution, an enabler of fantastic new medical services that will revolutionize patient care, they are seen as "a cost of doing business" or an "overhead" - a necessary evil to host these new AI systems and applications, and this is perhaps why the maturity gap exists between our adoption of new technologies and the security needed to safely deploy and use those technologies.

BUT the stakes are getting higher. What used to be the hospital security team defending against cyber attacks by simple criminal perpetrators out to steal and monetize PHI, has transformed into international terrorism and cyber extortion when hospitals are held to ransom - even though ransom payments are explicitly outlawed across an increasing number of countries for any critical national infrastructure (CNI) industry, many of which are owned and operated by national governments themselves. 

The intent of at least some of these attacks however is not to monetize a foothold, but to inflict damage and disruption on a population, or to exact retribution against that country's government for its support for Ukraine and its defense of its land and people. Ransom and other extortionary attacks are increasingly being used as part of Putin's grey or hybrid warfare against other countries. Many of these attacks unfortunately target hospital systems which are a soft target with high population impact. Just last week the conference heard, Polish hospitals and municipal water treatment systems were targeted in new cyber attacks, ostensibly conducted by Russian criminal groups, frequently used as proxies by the Kremlin to inflict maximum damage and disruption. Indeed, Russia's vast array of organized crime groups is allowed to operate with near impunity from prosecution in return for 'favors' to the government and a share of the spoils. The Kremlin is then able to claim 'plausible deniability' for criminal acts that it has ordered against other countries as part of its hybrid warfare campaigns.

While the odds were already stacked against hospital security defenders, the imbalance today is truly disproportionate. Whether highly organized and well-funded mafia crime syndicates, or state-funded, sponsored and trained offensive cyber military units within the Russian GRU (Glavnoye Razvedyvatelnoye Upravlenie), its military intelligence directorate, this is now a David versus Goliath problem: a well-equipped army of thousands of professional attackers against a minuscule group of hospital security defenders.

Hospitals typically have small generalist teams of cybersecurity personnel and often out-of-date technology tools with which to defend patients and health IT systems from attack. In fact medical providers are often forced to use out-of-date and end-of-life IT equipment because of inadequate IT investment and the difficulty of upgrading or replacing health IT systems that are in constant use. This is not just a security problem for providers, but chiefly a technology problem of out-of-date systems and applications many of which are rarely ever patched or updated.

This includes a huge and growing number of medical IoT devices that already make up 75% of connected IP assets across hospital networks. Many of these have a 15 or 20 year amortization schedule, and many have underlying embedded operating systems based upon long out-of-support Microsoft operating systems with a massive number of known and published exploits. While microsegmentation of these devices helps, many providers currently have little to no idea of what actually connects to hospital networks because of fragmented ownership, inadequate tools and poor visibility. Nor do they have an easy way to microsegment 'at-risk' devices. At the same time, providers are adding medical and other IoT systems to their networks each and every month, compounding existing problems.

Providers of medical services therefore face a multi-dimensional threat scenario: a sprawling attack surface, out-of-date and end-of-life internal IT and IoT systems, inadequate visibility of their own networks, and highly capable and motivated adversaries that have them out-gunned and out-matched at every corner.

Plainly there is an increased need for national governments to become more actively involved in the cyber defense of CNIs, and especially of healthcare providers, where attacks result in increased patient morbidity and mortality. Only governments have the resources and legal mandates to take on today's cyber perpetrators, and to do what it takes to defend their citizens from increasingly crippling hybrid warfare attacks from failing states. As yet, however, governments have by and large chosen to play a low-key role in the direct defense of their CNIs for fear of escalation. As the number of citizens killed in hybrid cyber attacks slowly increases, that approach will likely be questioned.

These were just some of the topics of discussion at this year's WHX Dubai conference, where healthcare leaders from across the world gathered to put forward suggestions and recommendations for improving patient care, safety and outcomes through smart security.

Joining me on stage at this prestigious event were Professor Attila Hertelendy, Ph.D., Mike Fell, Charles Aunger and Zekeriya Eskiocak, who shared their vast knowledge and experience.