Mitigating Third-Party Risks in Healthcare: Protecting Patient Care and Data
In the modern healthcare landscape, a large portion of critical services, from scheduling and billing to electronic health records (EHRs), radiology systems, and other essential clinical tools, is powered by third-party vendors. These vendors play an indispensable role in delivering the technology that supports healthcare operations. However, this reliance also introduces significant risks, particularly cybersecurity threats that can disrupt operations and jeopardize patient care. The impact of a cyberattack or system failure at a third-party vendor can be far-reaching, and healthcare organizations must prioritize securing their third-party relationships to mitigate the potential for harm.
The healthcare sector has become a prime target for cybercriminals due to its repositories of sensitive data and the critical need to restore patient care operations quickly. With a reliance on interconnected systems, cyber risks can affect all aspects of healthcare delivery, making cybersecurity a critical issue that transcends compliance regulations like HIPAA. To ensure continuity of care, healthcare organizations must approach cybersecurity in a more comprehensive and proactive way, particularly when dealing with third-party vendors.
The Risks of Third-Party Vendor Dependency
The connection between healthcare providers and third-party vendors is critical but also fraught with risk. Several high-profile incidents have highlighted the vulnerabilities associated with third-party relationships in healthcare. For example:
- Change Healthcare Attack (2024): One of the most significant cybersecurity breaches in recent history occurred when Change Healthcare, a widely used pharmacy system provider, was attacked. This breach compromised the data of 100 million individuals and disrupted systems related to electronic prescribing, claims submission, and payments, which had a profound effect on care providers. The Office of Civil Rights (OCR) described this incident as having an “unprecedented impact on patient care and privacy,” emphasizing the far-reaching consequences of such attacks.
- CrowdStrike Software Update Failure (2024): A fault in a software update issued by CrowdStrike, a security vendor, caused widespread outages across multiple industries, including healthcare. While this was not a healthcare-specific attack, it demonstrated how failures in third-party services can impact healthcare organizations, resulting in delays and potential disruptions to patient care.
- Target Breach (2013): In a much older but still relevant example, the Target breach occurred when attackers exploited a vulnerability in an HVAC service provider’s systems to gain access to Target’s internal financial database repositories. This breach illustrates how attackers can use third-party access points to infiltrate other organizations, including healthcare providers.
These incidents highlight the critical need for healthcare organizations to carefully evaluate and manage third-party risks. In 2023, the Verizon Cybersecurity Report found that 74% of cybersecurity issues or instances of unauthorized access in healthcare were linked to third-party vendors. This data underscores the scale of the threat and the urgent need for healthcare organizations to adopt a more robust approach to vendor risk management.
Cybersecurity as a Mission-Critical Concern
Cybersecurity needs to be viewed as more than a compliance exercise—that is, it’s not “just a HIPAA issue,” as the thinking sometimes goes. Instead, it needs to be treated as a mission-critical concern.
In many cases, a cyberattack or system failure—even one that only directly targets a third-party vendor—can disrupt core healthcare functions, such as accessing patient data, scheduling appointments, and conducting medical procedures. When a critical system goes down or is compromised, healthcare providers may be unable to deliver timely care, communicate with other providers, or even access essential patient records. This disruption can result in delays, errors, and, in some cases, harm to patients. It’s essential for healthcare organizations to view these risks holistically, considering the wide-reaching implications for patient care, privacy, and safety.
ECRI Recommendations for Healthcare Organizations
To address the cybersecurity risks associated with third-party vendors, ECRI offers a series of recommendations for healthcare organizations to strengthen their cybersecurity posture and mitigate the potential impacts of third-party vulnerabilities.
- Conduct Thorough Vendor Risk Reviews: Before entering into a contractual relationship with a third-party vendor, healthcare organizations should conduct comprehensive risk assessments. This includes evaluating the vendor’s cybersecurity measures, data protection practices, and history of breaches or vulnerabilities. Support from senior leadership is crucial to ensure that cybersecurity reviews are robust and integrated into the vendor selection process.
- Build Redundancy into Critical Systems: Healthcare organizations should assess their critical systems for potential points of failure and identify any single points of failure that could disrupt care. Once these gaps are identified, organizations should develop and implement redundancy plans to ensure continuity of care in the event of an outage or cyberattack. This could include backup systems, data recovery plans, and alternative communication channels to ensure that patient care can continue smoothly.
- Test Incident Response Plans: It is essential for healthcare providers to regularly test their incident response plans, especially for critical systems that rely on third-party vendors. These tests should simulate real-world scenarios where systems go down or data is compromised, allowing healthcare organizations to assess their preparedness. Incident response testing should include input from both IT and security teams, as well as clinical care units, to ensure that all departments are prepared to respond effectively.
- Develop and Test Recovery Procedures: In addition to incident response, healthcare organizations must have clear recovery procedures in place to restore normal operations as quickly as possible after an attack or system failure. Recovery plans should be tested regularly as part of incident response exercises to ensure that they are effective and that any gaps in the process are identified and addressed.
A Call to Action for Policymakers
While healthcare organizations must take proactive steps to address third-party cybersecurity risks, policymakers also have an important role to play in ensuring the sector is prepared to mitigate these challenges.
- Adjust from a “Sanctions-Based” to a “Solutions-Based” Culture: Currently, healthcare organizations may hesitate to report cybersecurity incidents for fear of facing penalties or fines or being subjected to lawsuits. This “punish but not protect” mentality can prevent organizations from fully addressing vulnerabilities and learning from breaches. Policymakers should encourage a more protective approach, where healthcare organizations are supported in improving their cybersecurity practices rather than being penalized for past mistakes.
- Foster a Collective Approach to Cybercrime and Vendor Risk: Cybercrime is a collective issue that impacts the entire healthcare sector. While individual healthcare organizations may have limited resources for strengthening their defenses, a collective approach—where resources are shared and best practices are established—can help raise the overall level of protection across the industry. Policymakers should facilitate collaboration among healthcare providers, vendors, and cybersecurity experts to better prepare for and mitigate risks.
Conclusion
As healthcare becomes increasingly dependent on third-party vendors, the risks associated with cybersecurity breaches and system failures cannot be ignored. Healthcare organizations must take proactive steps to assess and manage third-party risks, build redundancy into their systems, and develop robust incident response and recovery plans. Additionally, policymakers should support a culture of protection and collaboration to address the evolving cyber threats facing the healthcare sector. By taking these steps, we can ensure that patient care is not compromised by cyber threats and that healthcare providers are better equipped to navigate the complex landscape of third-party dependencies.