Securing ePHI in the Age of Digital Health Tools is a three-part blog series that explores how healthcare providers can protect PHI and mitigate healthcare data security risks associated with patient engagement technologies by implementing the right security protocols. Read parts two and three now.
Supply chain attacks are a formidable and growing threat in the healthcare industry. Much like supply chains in other industries, a healthcare supply chain involves a complex network of interconnected organizations and providers that deliver healthcare products and services to patients. An obvious component of this supply chain would be the manufacturers of medicines or medical equipment. But as vital players in care delivery, patient engagement vendors are also part of the healthcare supply chain and the fact that they are public-facing brings its own unique risks.
In a supply chain attack, bad actors can disrupt this delicate ecosystem by attacking any element of the supply chain. In today’s complex digital landscape, there is no need to try and bypass a healthcare organization’s main cybersecurity measures to gain access to their source systems. Instead, cybercriminals can access patient data through security flaws in any one of the third-party apps and other patient-facing technologies that connect with a healthcare organization’s source systems further down the supply chain. As the digital healthcare supply chain grows in response to the increasing patient demand for digitization, healthcare cyber threats will increase as well.
The question of how to prevent such attacks is one of the major healthcare cybersecurity challenges today – and the challenge begins before a healthcare provider has even selected a third-party vendor.
What Are Healthcare Supply Chain Attacks?
Digital supply chain attacks are cyberattacks that exploit weaknesses in a third-party technology, or any point along the digital “supply-chain,” to gain access to valuable source systems or data warehouses.
In one of the most infamous examples of a supply chain attack outside of the healthcare industry, an advanced persistent threat (APT) group, supposedly directed from Russia, was able to plant malicious code in an update for a piece of network management software, called SolarWinds. Through this single entry point, the hackers managed to compromise sensitive data from a wealth of high-profile victims, including Microsoft, NASA, and the US Department of Homeland Security.
Though supply chain attacks existed long before SolarWinds, the scale of the attack – which is believed to have affected around 18,000 of the company’s customers – brought this growing cybersecurity threat into the public eye. “To say the SolarWinds attack was a wake-up call would be an understatement,” Wired tech journalist Lily Hay Newman wrote of the attack. “It laid bare how extensive the fallout can be from so-called supply chain attacks.”
Healthcare supply chain attacks function in a similar way. By finding a weak link in the “care-delivery” supply chain, commonly a third-party vendor, hackers can access source systems, such as electronic health record (EHR) systems, and potentially gain access to huge swathes of patient data that can include everything from financial information to lab results to medication history. This data, for example, can be stolen and sold on the black market or could be encrypted and held for ransom in what is known as a ransomware attack.
How Are Healthcare Organizations Exposed to Supply Chain Attacks?
Nowadays, more and more third-party apps are integrating with source systems, such as EHRs and revenue cycle management (RCM) systems. This practice creates a multitude of potential entry-points for hackers to exploit, increasing the risk of patient data being exposed.
With the growing patient demand for self-service digital tools to autonomously manage their health, providers have been rushing to accumulate third-party technologies to meet these needs. These third-party patient-facing technologies all make up part of the supply chain. In this landscape, it’s not uncommon to find a multitude of third-party apps for services such as bill pay, appointment scheduling, intake, and prescriptions all plugging into healthcare organizations’ source systems.
Unfortunately, the practice of combining multiple third-party apps can make these same organizations highly vulnerable to supply chain attacks.
The level of risk associated with patient-facing technologies was recently investigated by hacker and cybersecurity analyst Alissa Knight. Starting her investigation with application programming interfaces (API) built by the healthcare organizations themselves, Knight was unable to find any exploitable weaknesses.
Then, she moved on to the APIs built by data aggregators and other third-party apps that integrated with the healthcare providers’ source systems. Using entry-level hacking techniques, Knight was able to access more than four million patient records within minutes.
Why Is Combining Multiple Third-Party Apps One of the Largest Healthcare Cybersecurity Challenges?
The proliferation of third-party, patient-facing technologies essentially multiplies the number of potential vulnerabilities in any given system. When a single organization has multiple apps or technologies integrated into its systems, any of these technologies could be the weak link and act as a point of entry.
As the SolarWinds attack demonstrates, the fallout of a single breach can be earth-shattering. In 2021, a 12% quarterly rise in cyberattacks resulted in a 564% rise in the number of individuals affected due to a disproportionate rise in supply chain attacks. Rather than having to crack each safe individually, healthcare supply chain attacks are like giving cybercriminals a skeleton key that offers access to millions of patient files through a single breach.
To make matters worse, supply chain attacks can be hard to detect, since software supply chains tend to be vast and involve increasingly complex relationships and integrations. In healthcare, in particular, the problem can be linked to the sheer breadth of third-party apps that often connect with sources of patient data. This can mean that, as with SolarWinds, the source of the attack – and its fallout – are incredibly hard to trace.
For healthcare organizations, the challenge is twofold: How do you go about maintaining full oversight over multiple vendors at a time when IT departments are increasingly stretched and capable cybersecurity experts are hard to find?
From the perspective of cybercriminals, healthcare is a particularly attractive target – not least because of the extent of ePHI shared throughout the ecosystem and the potential for weaknesses in that same system.
Future-Proof Your Cybersecurity with the Right Patient Engagement Vendor
When discussing the mitigation of risk in healthcare supply chains, it’s important to understand where the risks lie.
While healthcare organizations have a great deal of control over their own security protocols, they may unknowingly heighten the risk of cyberattacks by sharing information with third-party vendors. That’s why the process of vetting these vendors is absolutely fundamental to mitigating risk.
To better protect your healthcare organization from healthcare cyber threats, healthcare organizations should ask themselves whether potential third-party vendors are reputable and if they implement the right cybersecurity tools and practices.
Cybersecurity Processes/Policies and Certifications
To ensure proper risk management, it’s important to partner with a company/vendor that has a vetted cybersecurity process/policy that you can rely on – today and tomorrow. Ultimately, a strict process of due diligence should take place in which organizations assess what information and access these third-party vendors will be given – and if that level of access is justified.
Bridge Patient Portal CEO John Deutsch believes this process of due diligence has been neglected recently as providers rush to implement more and more third-party applications and patient-facing tools. “What we see in the sales process is a lot of outdated vendor due diligence and onboarding processes and this is a major concern, especially as healthcare organizations are looking at vendors who have only been around a few years or are using antiquated technology,” he explains.
The objective is not simply for the vendor to tick a standard vendor onboarding box, but to have a dynamic vendor due diligence process that reflects the risk of that particular technology.
This includes ensuring, above all, that a prospective vendor has the relevant certifications (e.g., SOC 2 , HITRUST, ONC, etc.), existing business relationships with respected healthcare organizations, and that their cybersecurity policies align with that of the healthcare organization. Organizations should look deeper into whether high-quality encryption is in place, assess how the vendor handles data and disaster recovery, and identify whether backups of valuable data are regularly made.
As intermediaries between patients and healthcare organizations, vendors should be able to demonstrate high-quality development practices, compliance with HIPAA, good authentication practices, and a deep understanding of cybersecurity. This is explored more deeply in the third article in this series, which focuses on the best practices for securing patient engagement technology.
Of course, all of the above should be accompanied by regular pentests and strategic cyber threat intelligence. Vulnerabilities appear every day and keeping up to date with trusted sources is essential for every security team. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) regularly publish advisories and alerts on the latest attacks or vulnerabilities that may affect US companies.
Third-party company pentesting also plays a major role in helping to detect whether healthcare vendors’ systems are exposed to cyberattacks in advance and should not be the sole responsibility of the vendor. It’s usually better not to restrict assessments to technical capabilities alone, but also to assess the preparedness of your team against social engineering attacks or phishing campaigns. This isn’t, however, just a one-time thing. Vulnerabilities and risks can emerge at any time, so regularly revisiting security assessments is a must.
Simplifying Healthcare Supply Chains to Mitigate Risk
Another powerful way of mitigating the risk of supply chain attacks is for a healthcare organization to simplify their supply chain. This can be done by seeking out comprehensive third-party vendors, like Bridge – a complete patient engagement platform offering a wide range of patient-facing features and tools under a single unified system.
In negating the need for multiple patient-facing apps that each provide a single service, systems like Bridge can help lower the number of entry points for hackers, mitigate risk for healthcare organizations, and significantly reduce costs.
In the next article in this series, we go beyond the issues associated with using multiple third-party vendors to look at the ways that healthcare organizations can manage risk internally when integrating and using these technologies. We explore the common security mistakes that healthcare organizations make and delve into six of the most effective ways to avoid them.