{"id":593960,"date":"2023-01-04T09:51:49","date_gmt":"2023-01-04T15:51:49","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/04\/healthcare-vendors-are-the-new-front-of-the-cybersecurity-war\/"},"modified":"2023-01-04T09:51:49","modified_gmt":"2023-01-04T15:51:49","slug":"healthcare-vendors-are-the-new-front-of-the-cybersecurity-war","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/04\/healthcare-vendors-are-the-new-front-of-the-cybersecurity-war\/","title":{"rendered":"Healthcare vendors are the new front of the cybersecurity war"},"content":{"rendered":"
\n


\nSkip to main content
\n<\/a><\/p>\n

\n


\n<\/span><\/p>\n
\n
\n
\n

January 03, 2023 06:00 AM<\/span>
\n<\/span>\n<\/p>\n<\/div>\n

\n


\n\n\"Data\n<\/picture>\n<\/a>
\n<\/span>\n<\/p>\n<\/div>\n

\n
\n<\/p>\n

Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.<\/p>\n

As healthcare organizations <\/strong>more commonly\u00a0tap third-party vendors to handle business functions, cybersecurity experts warn they\u2019re creating opportunities for hackers. Data breaches of\u00a0vendors, which fall under the business associate category on the Health and Human Services Department\u2019s Office for Civil Rights breach portal, have grown in number and scale<\/a> over the past five years.<\/p>\n

Through November, there have been 116 reported breaches<\/a> on business associates that affected 17.7 million patients. These\u00a0accounted for 17.5% of healthcare breaches\u00a0but\u00a0<\/strong>36.1% of patients whose data were exposed\u00a0so far this year. Only 40 breaches hit business associates, involving 5.9 million patient\u2019s data, during the same period in 2018.<\/p>\n

Hackers view the data vendors possess as a \u201ctreasure trove,\u201d said Jeff Krull, a partner who leads the cybersecurity practice at\u00a0the consulting firm\u00a0Baker Tilly.<\/p>\n

Instead of breaching one organization\u2019s data, criminals can\u00a0obtain data<\/a> from multiple providers and health plans that\u00a0includes patient names, addresses, Social Security numbers, and treatment and prescription information. The cyberattack on printing and mailing service OneTouchPoint, detected in April, involved more than three dozen providers and insurers<\/a>, including Humana, Kaiser Permanente and several Blue Cross and Blue Shield companies, and affected more than 4 million patients\u2014making it the biggest healthcare <\/strong>attack reported this\u00a0year.<\/p>\n

\u201cIf a threat actor can identify that a vendor\u2019s working with 10 or 12 hospital systems and healthcare plans, that\u2019s going to make them a very high-value target,\u201d said Alexander Urbelis, a senior counsel at the law firm Crowell & Moring\u00a0who specializes in identifying cybersecurity threats.<\/p>\n

Why now?<\/strong><\/p>\n

Health systems are increasingly using vendors to achieve financial, operational and clinical efficiencies, especially amid the\u00a0workforce shortage, said John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association.<\/p>\n

\u201cThey just may not have the human resources or the human capital\u00a0internally to affect certain business processes,\u201d Riggi said. Large health systems may rely on thousands of vendors for administrative services, including payroll and electronic health records, and for software that runs\u00a0medical devices<\/a>\u00a0such as X-ray machines and radiology equipment.<\/p>\n

Stressed supply chains and financial issues at hospitals, exacerbated by the COVID-19 pandemic, are driving\u00a0them to sign contracts with vendors. \u201cYou might be looking to outsource something you did in-house before to save some money,\u201d Krull said.<\/p>\n

These broader circumstances make it more difficult for healthcare organizations to invest in stronger security measures, Krull added. \u201cIt really creates this perfect storm,\u201d he said.<\/p>\n

While healthcare companies are strategically looking to contractors to improve business operations and clinical services, other vendor relationships are falling into their laps as health systems\u00a0expand. \u201cIf there is a merger or acquisition, you’re taking on not only that entity, but also all their relationships,\u201d Riggi said.<\/p>\n

Yet health systems may opt to hire vendors to carry out tasks such as patient testing even when they are aware the contractor lacks strong cybersecurity measures if they conclude\u00a0patient outcomes outweigh the risks, Krull said.<\/p>\n

Attacks involving insurers happen less frequently than those on providers. Because they don\u2019t have patients walking in and out doors, insurers can operate more as self-contained businesses <\/strong>and\u00a0tightly control who has access to\u00a0information, Krull said.<\/p>\n

<\/body>
\n<\/html><\/div>\n

\n<\/p>\n

Bolstering cybersecurity<\/strong><\/p>\n

Cyber risks are now top of mind for many health systems’ executives, Riggi said. Experts stress there’s more to be done as threat actors become more sophisticated.<\/p>\n

\u201cVendor oversight has become a really big thing in the past five years, in that before, health systems and health plans weren’t conducting appropriate due diligence on these [vendors], or maybe no due diligence at all,\u201d said Doriann Cain, a partner at law firm Faegre Drinker who works with healthcare clients on\u00a0cybersecurity practices.<\/p>\n

In addition to avoiding the hefty financial cost of data breaches, improving cybersecurity is important for patient care and brand reputation.<\/p>\n

Last December, payroll provider Ultimate Kronos Group revealed it fell victim to a ransomware attack, which caused a stir among the\u00a0many health systems that relied on it for employee scheduling. The disruption caused a cascading effect that delayed care\u00a0at numerous hospitals\u00a0during the COVID-19 omicron surge, Riggi said.<\/p>\n

Tightening cybersecurity and properly vetting vendors helps providers improve patient health outcomes, Riggi said. “This is about protecting patients. If you divert an ambulance or you delay cancer treatment, those effects potentially cause physical harm,\u201d he said.<\/p>\n

Reputational damage following a cyberattack typically tends to hurt the healthcare organization, not the vendor. But it\u2019s not always easy to change contractors.<\/p>\n

\u201cSome of those vendors almost have a monopoly in terms of the services they’re providing, so you see healthcare providers not stuck with them, but maybe not always able to utilize another vendor who may be performing these services that they expect and want to see,\u201d Cain said.<\/p>\n

Health system and health insurance company\u00a0leaders must assess a vendor\u2019s cybersecurity controls before trusting it with patient data. Cataloging third-party relationships across a health system\u00a0is the first step they\u00a0should take, Riggi said.<\/p>\n

Healthcare companies considering vendors should investigate several key factors to determine if their would-be partners can protect patient data, such as requesting information about their cybersecurity measures, ensuring the vendors’ security controls are certified by third parties, and insisting contractors undergo security audits such as\u00a0Systems and Organization Controls 2 (SOC 2), the experts Modern Healthcare interviewed said.\u00a0<\/p>\n

Tim Broderick contributed to this story.<\/em><\/p>\n

<\/body>
\n<\/html><\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/main><\/p>\n<\/div>\n<\/div>\n

Read More<\/a>
\n Lauren Berryman<\/p>\n","protected":false},"excerpt":{"rendered":"

Skip to main content January 03, 2023 06:00 AM Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data. As healthcare organizations more commonly\u00a0tap third-party vendors to handle business functions, cybersecurity experts warn they\u2019re creating opportunities<\/p>\n","protected":false},"author":1,"featured_media":593961,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[82,44880],"tags":[],"class_list":{"0":"post-593960","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-healthcare","8":"category-vendors"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/593960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=593960"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/593960\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/593961"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=593960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=593960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=593960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}