Three Reasons Healthcare CISOs Can’t Ignore Vendor Compliance
CISOs must prioritize vendor compliance to protect their company and patients from risk and avoid reputational damage, expensive penalties, and other financial impacts.
The risk of a cyberattack against healthcare organizations is growing rapidly, with some 83 percent of health CISOs reporting an increased number of attacks in the past year.
While most consumers think attackers are after their personal healthcare data—diagnoses, treatments, and other private information—the truth is, most attackers couldn’t care less. Their ultimate goal is to inflict financial harm to the business by destroying or locking up critical data, or exploit financial data using ransomware. A cyberattack on a hospital, doctor’s office, or health plan can bring patient care and revenue inflow to a screeching halt.
Beyond their own IT landscape, healthcare CISOs must contend with the security posture of their vendors—everything from email service providers to customer service widgets to coding services. In fact, vendor compliance is now the biggest concern among healthcare CISOs, surpassing the loss of patient data and growing sophistication of cyberattacks.
This concern is well-founded. Most healthcare organizations rely on a multitude of vendors, and security risk is additive. The more vendors in the mix, the greater the risk of a cyberattack crippling the entire value chain.
For better or worse, plans and providers are ultimately responsible for not only their internal security compliance but that of all their vendors as well. A cybersecurity breach at any point in the ecosystem can directly impact the organization in three potentially devastating ways:
Reputation damage. Healthcare organizations are required to report any breach, which is published by the Health and Human Services’ Office for Civil Rights (OCR)—also known as the “Wall of Shame.” In fact, the number of reported breaches recently reached an all-time high, which gained considerable press coverage. Not only is this information available to the public (including potential patients), but healthcare providers and other entities monitor these reports as well. A breach involving a company’s vendors can severely impact its reputation.
Penalties. Under HIPAA, companies found in breach of the law can face substantial federal fines that range from $100 to $50,000 per violation or record. In some extreme cases, the OCR has even pursued criminal charges against offending organizations. These are serious risks to both a company’s bottom line and, potentially, the offender’s job security if the organization’s security measures (or those of its vendors) are found to be negligent.
Financial impact. In addition to penalties, cybersecurity breaches cost companies $45 billion in 2018 alone. The average cost to recover from a breach is $3.86 million for companies that have been attacked, with the biggest impact in the form of downtime and lost business.
To avoid putting their healthcare organization at risk, healthcare CISOs must:
Establish vendor compliance requirements. While HIPAA is the most common compliance framework in the industry, it only covers patient privacy, not payment security or other protocols. In addition to HIPAA, consider requiring HITRUST certification, PCI-DSS to govern payment integrity, and SOC2 compliance for additional management and process controls, backups, and physical security.
Ensure that technology AND process constraints are included. All the technology in the world won’t help if an organization’s coding vendor allows its employees to work at the local Starbucks on an unsecured public network. Require prudent work practices and processes, including robust permissions and access controls.
Conduct routine audits. Demanding that vendors are compliant is futile if you don’t validate through frequent audits. Yes, conducting this process efficiently takes time and the right expertise. However, given the substantial risk to a company’s bottom line in the event of a breach, it may be worthwhile to invest in third-party assistance from an auditing firm. This not only ensures that audits are completed in a thorough, timely, and regular manner, but also provides third-party validation and liability in the event a breach does take place.
Relying on industry vendors to have security measures in place without verifying regularly against your own standards puts healthcare organizations at grave risk of a breach. While it may seem like a big investment of resources to audit and monitor vendors for compliance, the alternative expense of disaster recovery and breach impacts is a far bigger price to pay.
By working with vendors who can demonstrate compliance with third-party audit verification, healthcare organization CISOs can rest a little easier, knowing they’ve done all they can to protect their organization.