Third-Party Cyber-Risk Skyrockets for Health Systems


Third-party cyberattacks pose one of the biggest challenges on the health care cyber-risk landscape. Hospitals and health systems are at increasing risk of cyberattacks on third parties — such as business associates, medical device providers and supply chain vendors. Third-party breaches occur when sensitive data are stolen from a third-party vendor or when their systems are used to access and steal sensitive information stored on your systems.

Fifty-five percent of health care organizations surveyed experienced a third-party data breach in the last year, and seven of the top 10 health care data breaches reported so far this year involved third-party vendors. The biggest breach – which affected more than 30 health care providers and health insurance carriers and 2.6 million patients – involved OneTouchPoint, a third-party mailing and printing vendor.

These threats underscore the urgent need for a robust third-party risk-management (TPRM) program that enables you to identify, assess and mitigate cyber-risk exposures from strategic as well as tactical perspectives. At the same time, a comprehensive approach to managing risk must also encompass detailed preparations for responding to any incidents that do occur, so that you can assess impact, minimize downtime, support business continuity and ensure patient safety.

John Riggi, AHA’s national adviser for cybersecurity and risk, posted a blog this month presenting the following key strategies to bolster your defenses and strengthen your response capabilities:

  1. Take a critical and objective look at your existing TPRM program framework.
  2. Implement third-party risk-based controls and cyber-insurance requirements based on identified risk levels.
  3. Consistently and clearly communicate third-party risk-management policies, procedures and requirements internally.
  4. Prepare intensively for incident response and recovery.

To learn more about how the AHA can help you strategically manage your third- and fourth-party cyber-risk, and protect your patients by minimizing the downtime impact if cyberattacks should occur, read Riggi’s blog on reducing third-party cyber-risks, visit aha.org/cybersecurity or email him at jriggi@aha.org.
