Healthcare organizations are coming to realize just how much they rely on the smooth functioning of third-parties, such as EMR software vendors and others, and that’s making them give the security and reliability involved in such arrangements a second and third look.
Threat actors are well aware of this, according to Ryan Witt, Managing Director of Healthcare with Proofpoint. “They’ve done a significant amount of social engineering to try to understand the relationship between the third party and the health system. They’re very adept at crafting compelling communications that make users want to interact,” he said during a recent webinar.
The stakes have been raised significantly, which means IT and security leaders need to step up their game when it comes to vetting vendors and assessing risks. And that means trusting no one (until it has been earned) and questioning everything, noted CISOs Shefali Mookencherry and Teresa Tonthat, who also participated in the discussion.
“You need to question why a new vendor or new system is needed,” said Mookencherry, who has been with Edward-Elmhurst Health since late 2020. Leaders also need to know what security controls a prospective vendor has in place, and “how that syncs up with your own controls and workflows.”
A “jigsaw puzzle”
The first step is understanding the risks posed by third-party engagement. Unfortunately, it’s not as cut-and-dried as one might think, she noted. “There’s definitely a gray area. You might think you’re only contracted with a vendor, but what if there’s offshoring or outsourcing? You have to really look at all that as part of your risk.” An assessment should delve beyond cybersecurity to include “any type of risk that can disrupt the organization’s ability to provide operations for healthcare or to provide care for patients.”
The challenge is that threat actors keep finding new ways to penetrate systems, according to Tonthat, who holds the CISO role at Texas Children’s. “They’re getting more sophisticated. Instead of spoofing a CFO’s email or accounts payable, they’re hacking into these smaller third-party vendor accounts.”
And they’re doing it in ways that are almost undetectable, added Witt. “They latch onto a previous conversation or spin up a new one in a way that’s a natural extension of the dialogue you’ve previously had with that individual.” Whereas in the past, emails containing malicious links often came from outside, now threat actors are “essentially befriending” targets and establishing a rapport, he noted. “They’re very patient. They’ll ask for pieces of information that seem innocuous, but over time, they’re piecing together a jigsaw puzzle.” By consistently handing over little bits of information, victims unwittingly provide a blueprint to penetrate the network or intercept payments.
“We’re trained to look for external emails and make sure email domains aren’t being spoofed,” said Tonthat. “But when the actual correct email is being compromised because the bad guys are in the third-party environment, it is very difficult to ascertain when that happens.”
And often, by the time a breach has been discovered, the damage has already been done. When the third-party vendor Texas Children’s had contracted for timekeeping services was hacked, that app was down for 74 days. And although the organization did have a business continuity plan in place, it wasn’t intended to cover such a long period of time.
“It’s so important to not only invest in your cybersecurity program and do the right thing with contracts and risk management, but to also realize our reliance on digital technologies — and what it means when they’re not available,” she said. “There’s no 100-percent available technology. We have to prepare because it’s our job to keep our organization resilient and make sure we can provide care and run operations for our workforce.”
Best practices for risk mitigation
Not an easy task, of course. But there are critical steps organizations can take to better protect data — and patients.
- Always verify. One of the policies at Texas Children’s is to verify any request that deviates even slightly from the norm, said Tonthat, who noted that the best course is to pick up the phone and call the person. “We used to say, ‘all it takes is one click,’” she said. In reality, however, “all it takes is one person going outside of the normal approved business process to make a change to banking or routing information. It’s so important that you stick to your processes and just continue to educate around email compromise.”
- Slow down the funnel. For Tonthat’s team, the risk mitigation process starts with a business engagement meeting in which operational leaders present problems that can be addressed by digital technology. Before anything is implemented, however, discussions must take place focusing on architecture controls and security standards, she noted. “It helps slow down the funnel.”
- Ask the right questions. Another important aspect of third-party risk assessments is evaluating each vendor’s business continuity plan and determining whether it aligns with the organization’s plan, according to Mookencherry. It means asking questions like, “are there synergies? Are you able to sync up? If your vendor is in the cloud and there is a DDoS attack, what do you do? How do you get notified? Who’s responsible for securing it in the cloud?” Tonthat concurred, noting that Texas Children’s is digging deeper when it comes to assessing cloud providers, and will continue to do so.
- Know the chain of command. Inevitably, something will go wrong; therefore, it’s vital that team members know who to call when the system is down, Mookencherry said. “There’s a change control procedure that should be in place at all organizations to know the chain of command.” This includes how to set up the command center, who can enter the room, and the role that the helpdesk plays. On the flip side, “if the vendor knows that they’re down, how are you as an organization going to receive that communication from the vendor? It has to work both ways.”
- Accountability matters. Simply investing in security programs isn’t enough, no matter how much is spent, said Tonthat. “It doesn’t mean you won’t fall victim to an attack. As customers of third parties, we recognize that we need to have tight terms and conditions in our contracts,” she added. “Just because we find a partner to enable a business or clinical function, it doesn’t mean that we are washing our hands clean of accountability.”
- Look at vendors with new eyes. Even vendors with whom an organization has already worked must go through the same level of rigor when pitching a new solution, said Mookencherry. “Trust isn’t something we do easily. Even if we have multiple products from a vendor, we start an entirely new security assessment,” she noted. The reason? Another product may not follow the same data workflows or security controls. “It’s important that vendors understand this.”
Similarly, CISOs must feel empowered to turn down new vendors, especially if an assessment comes back with high or critical risks that can’t be mitigated. “We will say no to vendors now,” Mookencherry noted.
It’s a critical step in the right direction, according to the panelists, who also cited an increased willingness among leaders from other areas to collaborate on security strategies. Whereas traditionally, operational leaders were more likely to “stay in their lanes,” the conversation has become more transparent, said Tonthat. “We’re able to communicate how complex it is and make them digital experts so that they truly understand how impactful it will be when any of their technologies go down.”
Conveying that point is no simple feat, according to Witt, especially for organizations that haven’t experienced a breach, and therefore may not realize how damaging they can be. His recommendation? For leaders to read and pass around the NY Times article detailing the 2020 cyberattack at University of Vermont Medical Center that resulted in five weeks of downtime. The tremendous hit to the organization’s bottom line and reputation took a distant second to interruptions in patient care, particularly for those seeking cancer treatment.
“If this were to happen to your environment, it cuts to the core of the mission and the important role you play in the community,” he noted. “If you can’t provide those services because you can’t access the system, that’s a huge impact.”
Tonthat agreed, adding it’s important for leaders to leverage any opportunity — even a breach at a local health system — to increase awareness. “Don’t waste a good crisis,” she advised. “Take advantage of it to move your program forward.”
An archive of this webinar — Strategies for Mitigating Third-Party Securing Risk (Sponsored by Proofpoint) — is available.