How The Gartner Group has identified digital supply chain risk as a new security threat and one of 2022's top seven security and risk management trends. According to Peter Firstbrook, research vice president at Gartner, "unsung core components" holding up companies' digital operations are becoming more common in the digital supply chain. Read along to learn how healthcare can avoid devastating supply chain cyber attacks.
While these organizations take protective measures, their cybersecurity is not just their concern. Therefore, an organization that uses a vendor's services must also be concerned about the vendor's cyber defenses to avoid supply chain cyber attacks.
Threat actors want access to critical data such as protected health information (PHI), a prime target for cybercriminals. Notably, they've learned how to use vendors as a door into your organization. As ransomware and cyber attacks increase, make sure that you include vendor risk assessments in your IT playbook.
Read more in today's blog. SEE ALSO: HIPAA compliant email
Why do cyber-attackers strike supply chains and how can you ensure your vendors follow cybersecurity best practices?
A supply chain attack, also called a third-party attack, is a strike on one organization that performs tasks for others. And given the fact that vendors perform many services, supply chain attacks can occur through a variety of breach methods.
As with all cyber incidences, a breach can involve hardware or software. Hackers know how to use employees (i.e., human error) to gain entrance accidentally or intentionally through those means. They can even find their way into an organization through unpatched or legacy systems. The difference is that a supply chain attack targets a single vendor to gain access to several organizations at once.
There have been several recent instances of supply chain attacks, but a prime example is 2020’s SolarWinds attack. This cyberattack was just one of several breaches by a Russian threat actor against the U.S. government. The hackers accessed the system and then dropped and executed malware, compromising SolarWinds’ system through unpatched software. More than likely, it was its Microsoft Office 365 account.
The aftermath of the cyberattacks saw dozens of government-based networks compromised. Consequently, the government and other organizations raised immediate concerns about safe vendor cybersecurity practices.
Unfortunately, supply chain attacks continue today. In the first quarter of 2021 alone, 137 organizations reported supply chain attacks through 27 different vendors. Moreover, supply chain attacks rose 42% from the previous quarter.
By 2025, Gartner predicts that 45% of organizations will have experienced a vendor cyberattack, three times more than in 2021.
The SolarWinds attack exposed the data of 18,000 customers and as many as 250 organizations suffered further targeted attacks. On average, the breach cost organizations $12 million; other costs are still being tallied. And as we know, cyberattacks are costly and risky.
The first, most immediate cost is what happens to the data involved in the breach. Cyberattackers typically steal, sabotage, misuse, hold data for ransom, or use it for espionage. It is also possible for threat actors to encrypt data to keep it unusable. And of course, inaccessible data will lead to operational failures and costs. As a result, such downtime could even lead to a life-or-death situations for critical infrastructure (e.g., healthcare),
Then there are other associated issues/expenses: ransom payments, compliance violation fines, mitigation costs, and even possible future breaches. Moreover, a breach could also mean a deteriorating reputation. All of which an organization could avoid if it vets its vendors first.
An organization must partner with vendors who utilize comparable cybersecurity measures. Therefore, before an organization works with a new vendor, it must evaluate that business and its cybersecurity processes. This evaluation process is called a vendor risk assessment. Organizations use it to identify potential risks and complications.
Furthermore, a risk assessment evaluates the potential impact of a breach on your organization. A recent Mastercard RiskRecon and Cyentia Institute survey of risk management professionals examines the state of third-party risk management. The study found that 79% of organizations have a formal evaluation program in place. Most common evaluation methods are questionnaires and documentation reviews. Other utilized methods include remote assessments, cybersecurity ratings, and onsite security evaluations.
A vendor risk assessment is a preventative rather than defensive approach because understanding risks early is critical to blocking them. It assesses who you should work with and what information they should be able to access. It provides accountability and visibility; any vendor who doesn’t like the idea should not be someone you work with.
To understand what to focus on in a vendor risk assessment, it is necessary to see what concerns your organization. And what other vendors you work with utilize as well.
Additionally, it is important to evaluate your vendors consistently to avoid errors and bias. A NIST (National Institute of Standards and Technology) guide, “Best Practices in Cyber Supply Chain Risk Management,” includes questions that organizations should ask their vendors.
Topics to focus on include:
Hardware |
Software |
Mitigation practices |
Staying current on vulnerabilities |
Employee training |
Monitoring controls |
Access controls (employees) |
Testing |
Malware protection |
Malware detection |
Physical security |
Technological security |
Data disposal |
Access controls (customers) |
Background checks |
Expectations for suppliers |
Distribution processes |
Storage facilities |
Patching and legacy systems |
Product lifecycle processes |
Backdoor access |
A vendor risk assessment can be in-person or remote. Some type of evaluation still needs to occur if a thorough assessment is impossible. The exact method and inquiries just depend on the organization, its capabilities, and its needs. But doing some type of vendor risk assessment ensures proper due diligence, monitoring, and vendor cybersecurity best practices.
Once evaluated, organizations should catalog and rank possible vendors depending on their risk levels. Is it worth it to get into business with the supplier? And if yes, what type of information should you share?
In fact, the next steps should be about following an already created, third-party risk management plan. Therefore, such a plan focuses on identifying and reducing vendor risks.
Organizations must:
Your risk management pan need to offer additional protections and mitigative techniques in case a breach does happen. And of course, such a plan would need a follow up as well as a repeat. Vendors must meet your security standards at all times.
Should healthcare vendors be vetted? The answer is a resounding yes.
Under HIPAA (the Health Insurance Portability and Accountability Act of 1996), vendors are called business associates. Healthcare vendors that store, transmit, or have access to PHI have an obligation under HIPAA to establish reasonable safeguards.
The HIPAA Privacy Rule allows covered entities to share PHI with business associates as long as certain provisions are in place. This includes a signed business associate agreement (BAA) that safeguards a covered entity and demonstrates the vendor’s HIPAA compliance. And this also includes a HIPAA risk assessment, which will identify, assess, evaluate, monitor, and reduce risk.
Moreover, it will help a healthcare organization know how to mitigate after an unsecured PHI breach. As a vendor, Paubox, Inc. provides HIPAA compliant email to healthcare organizations, keeping communication encrypted, safe, and secure at all times.
Paubox offers to sign a BAA to ensure HIPAA compliance and peace of mind. We also understand how important it is to assess who you share information with. Paubox will always work with you to ensure you and your patients remain safeguarded at all times.