There has been a surge in cyber attacks on the healthcare industry. Ransomware attacks have increased across all sectors, but the healthcare industry is particularly vulnerable to them. Getting locked out of systems that handle critical patient data or operational data can bring the whole organization to a halt. In critical care situations, the results can be devastating and life-threatening. Even in non-critical healthcare, being locked out of the system means patients cannot get the care they need, prolonging their illness and adding financial strain on top of other impacts. This is true for any kind of cyber attack, not just ransomware.
Many healthcare organizations have started taking steps to secure their IT infrastructure against malicious attacks. They now implement cyber security solutions to secure their physical endpoints and the network that connects to the internet. However, there is still one major source of cyber threat that usually escapes their scrutiny: their vendors. The vendors who connect to the organization's network usually escape the rigorous cyber scrutiny that is required. Weak cyber security in a vendor's infrastructure can put the organization's entire IT infrastructure at risk.
Why is there a risk?
Organizations share sensitive data with their vendors. These vendors, depending on the nature of their service, may share that data with their own vendors or partners. These third parties connect to the IT infrastructure of the healthcare institution. Whether the third party is a CRM solution provider, an insurer, a medical equipment or medical supplies vendor, or a government or regulatory agency, the institution connects across multiple industries, and many of these parties are private organizations. These private organizations often do not disclose a data breach at their end because they foresee a negative impact on their business. The organization never comes to know that a vendor has been compromised and that, in turn, it too may be compromised. The risk is even higher in the case of a fourth-party (vendor's vendor) breach. It is almost certain that organizations will never learn of a fourth-party breach.
What is the risk?
The risks associated with vendors are largely the same as those the organization itself faces. However, since vendors are beyond the organization's direct control, these risks need to be assessed and mitigated specifically. Some of these risks include:
- Outdated endpoints: To save on costs, vendors may be working with old, outdated laptops, tablets or computers. They may also be running an outdated, unsupported operating system (such as Windows XP). Outdated systems and unsupported operating systems are usually easy targets for an attack (as recently demonstrated by the attack on Windows XP users). Apart from cyber attacks, these endpoints are also susceptible to data theft. This makes the organization vulnerable to various kinds of cyber risk.
- Outdated medical devices: Medical devices are not top of mind when it comes to evaluating cyber security. However, many devices today are computerized and connected to the network for fast sharing of information. Since they are quite costly and not perceived as a threat, organizations rarely upgrade their devices until compelled to do so. These outdated devices can be an easy target for newer threats that exploit weaknesses in old software. A malicious piece of code can wreak havoc with a machine's readings and a patient's diagnosis.
- Ransomware: This is one of the most dangerous risks for a healthcare provider. Getting locked out of all patients' symptoms, past diagnoses and treatment records can put patients' lives at risk. Because the stakes are so high, hospitals tend to give in to ransom demands to regain access to their systems quickly. Therefore, they are a favorite with cyber criminals. Ransomware can arrive hidden in the data stream coming from the vendor.
- Loss of reputation: Patients and people in general tend to stay away from organizations that have been hacked. No one wants to share their information with an organization that cannot keep it safe. This translates into a loss of reputation, loss of business and potential legal complications.
Healthcare organizations may not be able to control the IT infrastructure of their vendors directly. However, they can and should build mitigating clauses into their contracts to ensure that every bit of data flowing to and from the vendor is clean and safe. They should implement gateway security so that all data coming in from the vendor is scanned for malicious code that may have sneaked into the data stream, and anything found is blocked immediately.