What Happens When You’re Not the Target?

Third-Party Risk Management

The cyberattacks on Change Healthcare in February 2024 and Ascension Health in May 2024 emphasize the critical importance of robust third-party risk management in the healthcare industry. These incidents disrupted essential services and compromised sensitive patient data, highlighting vulnerabilities that can arise through external partnerships.

With so many healthcare organizations and facilities in Birmingham, Auburn, Montgomery, Dothan and throughout Alabama, we felt this was great information to share. In order to better prepare for an attack on one of your key business partners, consider implementing the following strategies as part of your ongoing risk management activities:

1. Conduct Thorough Vendor Risk Assessments: Regularly evaluate your vendors' security measures to ensure they align with industry standards and best practices. This includes reviewing their data protection protocols, compliance with regulations like HIPAA, and their incident response plans. Understanding your vendors' security postures helps identify potential weaknesses that could impact your organization.

2. Strengthen Contractual Agreements: Incorporate specific cybersecurity requirements into your contracts with vendors. Mandate practices such as data encryption, multi-factor authentication, and regular security audits. Clearly define each party's responsibilities in the event of a cyber incident, including notification timelines and remediation efforts. This ensures that all parties are prepared to respond effectively to potential threats.

3. Implement Continuous Monitoring and Foster Collaboration: Establish ongoing monitoring of your vendors to detect any changes in their security posture. Utilize real-time insights and threat intelligence to stay informed about emerging risks. Maintain open communication channels with your vendors to collaboratively address vulnerabilities and ensure swift action when issues arise.

If a vendor cannot demonstrate adequate risk management capabilities, consider the following steps:

• Reevaluate the Partnership: Assess the criticality of the vendor's services and explore alternative providers with stronger security practices if necessary.
• Implement Compensating Controls: If replacing the vendor isn't feasible, introduce additional security measures within your organization to mitigate the identified risks.
• Engage in Vendor Improvement Plans: Work with the vendor to develop and enforce a remediation plan aimed at enhancing their security posture within a specified timeframe.

To enhance preparedness for potential disruptions caused by third-party cyber incidents:

• Develop Comprehensive Incident Response Plans with Organizational Buy-In: Create and regularly update response strategies that include protocols for third-party breaches. Ensure that these plans are developed with input from all departments and have the full support of organizational leadership. This collective involvement fosters a culture of security awareness and readiness.
• Define Clear Roles and Responsibilities: Establish and document specific roles and responsibilities for team members during a cyber incident. This clarity ensures a coordinated and efficient response, minimizing confusion and delays during critical moments.
• Establish Backup Processes: Maintain manual or alternative procedures for critical operations, such as patient care activities, to ensure continuity during system downtimes.
• Conduct Regular Training and Simulations: Train your staff on emergency protocols and conduct simulations of third-party cyberattack scenarios to ensure readiness and effective response during actual incidents.

By adopting these strategies, you can strengthen your defenses against third-party cybersecurity risks, ensuring the protection of sensitive patient data and the continuity of essential healthcare services.