We all know by now that cyber risk is not just an "IT issue" but an enterprise risk issue. Cyberattacks are a potential risk to every function in a health care organization, which makes them a serious threat to patient care and safety. High-impact ransomware attacks disrupt or delay patient care, and the risk extends beyond the patients already in the hospital to the entire community, which depends on the availability of its local hospital and emergency department for urgent care in heart attack, stroke and trauma cases. The bottom line is that when hospitals are attacked, lives are threatened.

Ransomware attacks also have disruptive cascading and wide-ranging effects throughout a region. The resulting "ransomware blast radius" may be felt by every hospital, clinic and emergency department in the entire region as ambulances and patients are diverted to other surrounding hospitals, sometimes for weeks on end. Emergency departments, clinics and cancer treatment centers may reach or exceed capacity — further disrupting or delaying care delivery on a regional basis and increasing the risk of patient harm.

Attacks on Third-Party Providers Can Be the Most Disruptive

The disruption to care delivery occurs not only when hospitals are attacked directly, but also when mission-critical and life-critical third-party providers to health care are hit by ransomware. The loss of a critical third-party technology or service can be even more wide-ranging and disruptive to patient care than a direct attack on a hospital. When UnitedHealth Group’s Change Healthcare was attacked by the Russian-speaking ransomware group ALPHV/BlackCat this year, every hospital in the country was affected in one way or another. It was the most significant and consequential cyberattack in the history of U.S. health care.

Hospitals depend on third-party providers such as business associates, medical device manufacturers and supply chain vendors to deliver critical, life-saving functions and the business functions that support clinical care. So when a third party gets hit, so do hospitals and their patients, even though the hospital was not the direct target. Fifty-eight percent of the 77.3 million individuals affected by health care data breaches in 2023 were affected through an attack on a business associate, a 287% increase compared to 2022.1

In 2023, third-party data breaches hit health care harder than any other sector.2 Why? Simply put, the "bad guys," foreign ransomware groups that are primarily Russian speaking, have mapped the health care sector and identified the strategic nodes whose compromise gives them the most disruptive impact and the broadest access across the sector. These strategic nodes are the ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom demand and the higher the likelihood that the victim will give in and pay. Of course, the AHA strongly discourages the payment of ransom, but hospitals and health systems must make their own decisions based on their individual circumstances.

Another factor behind the shift to third-party ransomware attacks is that hospitals and health systems have become harder targets. As ransomware attacks against them spiked over the last several years, hospitals and health systems invested heavily in strengthening their defenses and in their ability to respond to and recover from these devastating attacks.

Bad Actors on a Roll With Hub and Spoke Strategy

Hospitals becoming collateral damage from an attack on a third party is the result of cybercriminals' highly effective "hub and spoke" strategy. By compromising the hub (a third party’s technology), attackers reach all of the spokes, the health care organizations that are the third party's customers. This gives them a single digital pathway to infect multiple covered entities with malware or ransomware, or to exfiltrate data from all of them at once.

In other words, the bad guys have it figured out: Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?

Sound familiar? If we’ve learned anything from the widespread, long-lasting, debilitating impact of this spring’s cyberattack on Change Healthcare, UnitedHealth Group’s subsidiary, it’s that to withstand the inevitable next health care cyberattack, hospitals need to prepare their business and clinical continuity procedures now for an extended loss of services.

And that begins with hospital executives and boards better understanding how to strengthen their third-party risk management program.

Four Strategies to Bolster Your Third-Party Risk Management (TPRM) Program

1. Take a hard and objective look at your existing TPRM program framework.

Review your program’s governance structure and determine whether it needs revamping. Confirm that you have a complete, multidisciplinary approach to building and maintaining a dynamic inventory of all third-party vendors that have access to your systems or data. Then make sure your TPRM program identifies, classifies and prioritizes the risks posed by these vendors and by their subcontractors, drilling down to the level of fourth-party risk.

2. Implement third-party, risk-based controls and cyber insurance requirements based on identified risk levels.

Assess and formalize your policies and processes for incorporating cybersecurity into third-party risk management. These should include periodic, in-depth technical, legal, policy and procedural reviews of the TPRM program and of the business associate agreement (BAA). The BAA should set cybersecurity and cyber insurance requirements for the vendor and its subcontractors that scale with the level of risk each business associate presents. In addition, require annual cyber risk assessments of vendors' policies and procedures, as well as annual vulnerability and penetration testing, and ask for evidence that the findings were remediated.

3. Consistently and clearly communicate third-party risk management policies, procedures and requirements internally.

Every individual, department and business unit in your organization that purchases technology, services or supplies should be educated about your organization's cybersecurity requirements for third parties and about the cybersecurity risks that engaging third-party vendors introduces to the organization.

4. Prepare intensively for incident response and recovery.

  • First and foremost, put in place an ongoing process to identify all internal and external third-party and supply chain providers of life- and mission-critical functions, services and technology. It is equally important to identify which organizations and other providers depend on your organization for essential services. Which health care providers depend on the availability of your technology, services, networks and data? What is the contingency plan for those dependent organizations if you are disconnected from the internet and go "digitally dark"? What impact would a ransomware attack on you have on your services?
  • Second, in case a cyberattack disables your functions, services and technology, or those of a third party, ensure they are sufficiently backed up (with at least one copy kept offline or immutable, and restoration tested regularly) and prioritized for restoration at the enterprise level. Develop operational, business and, most importantly, clinical continuity plans and downtime procedures for each internal and external critical technology and service dependency. Ideally, these procedures should be able to sustain the loss of that life- and mission-critical function, without significant impact on or degradation of the quality of care, for four weeks or longer.
  • Third, train staff to execute these plans proficiently. Conduct regular downtime drills and cyberattack exercises for a variety of scenarios at the individual, departmental and enterprise levels, and invite your third-party vendors to participate.
  • Last, but not least, incorporate your cyber incident response plan into the overall incident response plan, and integrate the business continuity plans and downtime procedures into the overall incident command and emergency preparedness functions.
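Step 1 (an inventory that drills down to fourth parties) and step 4 (knowing who you depend on and who depends on you) both come down to the same dependency map: which vendors and subcontractors each facility relies on, and which facilities go dark when any one of them does. The following Python sketch is an added illustration, not code from the AHA or from any vendor named on this page. It models that map as a directed graph and computes each node's "ransomware blast radius" in the hub-and-spoke sense. Every organization and vendor name in it is hypothetical, constructed for the example; a real inventory would be populated from the BAA register and vendor questionnaires.

```python
"""Third- and fourth-party dependency mapping for the hub-and-spoke risk model.

Added example, not the AHA's or any vendor's code. Edges point from a
dependant to what it depends on: a care provider depends on a third party,
and a third party depends on its own subcontractors (fourth parties).
All names below are hypothetical, constructed for the example.
"""
from collections import defaultdict

# Constructed inventory: node -> set of nodes it depends on for a
# life- or mission-critical function. Hypothetical names throughout.
DEPENDS_ON = {
    "Hospital A": {"ClaimsClearinghouse", "EHRVendor", "LabSystem"},
    "Hospital B": {"ClaimsClearinghouse", "EHRVendor"},
    "Hospital C": {"ClaimsClearinghouse", "ImagingVendor"},
    "Clinic D": {"EHRVendor", "Hospital A"},   # the clinic sends its lab work to Hospital A
    "EHRVendor": {"CloudHost"},                 # fourth party behind the EHR
    "ImagingVendor": {"CloudHost"},
    "LabSystem": set(),
    "ClaimsClearinghouse": set(),
    "CloudHost": set(),
}

# Care providers: the nodes whose loss means delayed or diverted patient care.
PROVIDERS = {"Hospital A", "Hospital B", "Hospital C", "Clinic D"}


def reverse_edges(depends_on):
    """Map each node to the nodes that depend on it directly (hub -> spokes)."""
    dependants = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            dependants[dep].add(node)
    return dependants


def _reachable(edges, start):
    """All nodes reachable from `start` by following `edges` (iterative DFS)."""
    seen, stack = set(), [start]
    while stack:
        current = stack.pop()
        for nxt in edges.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def blast_radius(depends_on, node, providers):
    """Care providers that lose a critical function if `node` goes dark.

    Works for a vendor (hub-and-spoke) and for a provider: calling it on a
    hospital answers the step 4 question "which organizations depend on us?"
    """
    return _reachable(reverse_edges(depends_on), node) & providers


def rank_nodes(depends_on, providers):
    """Vendors and subcontractors ordered by how many providers their loss takes down.

    Highest first, ties broken by name. This doubles as the restoration
    priority list and the list of BAAs that need the strictest terms.
    """
    ranked = [
        (node, len(blast_radius(depends_on, node, providers)))
        for node in depends_on
        if node not in providers
    ]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def hidden_fourth_parties(depends_on, provider):
    """Nodes `provider` relies on only indirectly, through someone it contracts with.

    These are the dependencies a review of the provider's own BAAs will not
    surface, which is why step 1 drills down to fourth-party risk.
    """
    direct = depends_on.get(provider, set())
    indirect = set()
    for dep in direct:
        indirect |= _reachable(depends_on, dep)
    return indirect - direct


if __name__ == "__main__":
    for node, hit in rank_nodes(DEPENDS_ON, PROVIDERS):
        spokes = sorted(blast_radius(DEPENDS_ON, node, PROVIDERS))
        print(f"{node:20s} takes down {hit} provider(s): {spokes}")
    for provider in sorted(PROVIDERS):
        print(f"{provider} hidden fourth parties: {sorted(hidden_fourth_parties(DEPENDS_ON, provider))}")
    print("Depends on Hospital A:", sorted(blast_radius(DEPENDS_ON, "Hospital A", PROVIDERS)))
```

Two things the printed ranking makes visible that a flat vendor list does not: the cloud host that none of the four facilities contracts with directly has the same blast radius as the claims clearinghouse every facility does contract with, and the clinic that routes lab work through Hospital A inherits the hospital's clearinghouse and lab dependencies without ever appearing in those vendors' customer lists.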

For more details on TPRM best practices, see my earlier blog, "Third Party Cyber Risk is Your Cyber Risk. How to Understand, Mitigate and Prepare for Third Party Cyber Risk Exposure."

The FBI issued an advisory in November 2023 recommending steps organizations can take to prevent ransomware actors from exploiting vulnerabilities in third-party and system management tools. Although health care is not specifically mentioned in the advisory, it is a good reminder that third-party tools, technology and services continue to be a major contributing factor in some of the largest data breaches and ransomware attacks affecting hospitals and health systems.

But Should Health Care Organizations Shoulder All the Cybersecurity Responsibility?

Today, third-party suppliers’ technologies can ship with numerous technical vulnerabilities, and health care organizations must continually apply patches to close them.

A large part of the solution to reducing cyber risk in health care, therefore, is to ensure that third-party providers produce more secure technology and software. The Cybersecurity & Infrastructure Security Agency’s Secure by Design initiative supports this principle, calling for “shifting the balance of cybersecurity risk” from end-users to the technology providers and software developers.

The AHA Is Here to Support Your Health Care Cybersecurity Efforts

There’s sure to be another sector-wide cyberattack, and as a hospital or health system leader or board trustee, you need to know how to prepare for the next one. Count on the AHA for help.

  • As the AHA’s national advisor for cybersecurity and risk and a former FBI cyber executive, I provide a variety of cybersecurity offerings to advise and assist health care organizations like yours in mitigating the many cyber and physical risks you face.
  • Plus, learn how the exclusive, highly vetted panel of service providers in our AHA Preferred Cybersecurity Provider (APCP) Program can help your organization prepare for, prevent and respond to today’s pressing cyberthreats.
  • Visit the AHA's new Cybersecurity Support webpage to learn more about how the AHA’s cybersecurity provider partners, including Microsoft, Google, AON, Censinet, Critical Insight and Cylera, are providing dedicated resources and special offerings to help your organization meet the voluntary HHS Cybersecurity Performance Goals.

1 King, Suzanne. “How ransomware attacks at Kansas City hospitals threaten your privacy and health,” Kansas City Beacon, January 25, 2024. https://kcbeacon.org/stories/2024/01/25/how-ransomware-attacks-at-kansas-city-hospitals-threaten-your-privacy

2 Alder, Steve. “Healthcare Experiences More Third-Party Data Breaches Than Any Other Sector,” HIPAA Journal, March 4, 2024. https://www.hipaajournal.com/healthcare-highest-third-party-breaches
