Sep 16, 2024
How to Reduce Cyber Risk in Healthcare Organizations
By David Sampson, VP of Cyber Risk & Strategy, Thrive.
In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.
Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still a risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.
Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.
The Importance of Evaluating Third-party Vendor Risk
Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.
Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is that this outsourcing expands the attack surface available to cyber criminals. Every third-party vendor relationship comes with a new IT integration and a potential entry point for hackers. In other words, more third-party vendors mean increased organizational risk.
Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.