Healthcare Organizations Focus on Mitigating Third-Party Cyber Risks

Hospital operators are taking a firm stance on the cybersecurity measures implemented by their vendors and suppliers. This comes in response to a series of third-party cyber incidents that have led to data breaches and legal action in the healthcare industry. The Health 3rd Party Trust Initiative, which consists of major healthcare providers, has released a set of best practices for assessing the cybersecurity of suppliers. These practices include emphasizing service expectations, providing specific questions for vendors, and outlining steps for resolving security issues.

John Houston, Vice President of Information Security and Privacy at the University of Pittsburgh Medical Center, acknowledges the significance of this issue and prioritizes addressing it. The guide published by the Health 3rd Party Trust Initiative offers detailed information on data handling practices, sample contract language for suppliers, recommendations for supplier reviews, and metrics for reporting vendor risks throughout an organization.

Third-party breaches, including supply-chain attacks and compromises through vendors, have proven to be costly for hospitals. In fact, research conducted by International Business Machines (IBM) reveals that the average cost of a data breach in the healthcare industry reached $10.9 million in 2023, surpassing other sectors.

Notably, recent breaches involving Progress Software’s MOVEit product have affected health systems such as Johns Hopkins All Children’s Hospital and the University of Texas Southwestern Medical Center, as well as government departments like the U.S. Department of Health and Human Services. These incidents often result in expensive class-action lawsuits, even if a hospital’s own systems were not breached.

Even after a string of attacks, healthcare providers are more vulnerable to hackers than ever before, partly due to the increased adoption of cloud technology during the COVID-19 pandemic and the growing use of internet-connected devices in clinical settings. The risk has become so significant that some hospitals have enacted emergency protocols to shut down devices in the event of a hacker incursion.

Shenny Sheth, Deputy Chief Information Security Officer at Centura Health, explains that hospitals struggle to maintain oversight of their suppliers while becoming increasingly reliant on them. Sheth has dedicated three to four full-time cybersecurity staff members to assurance programs involving hundreds of suppliers. A common complaint among hospitals is the extended time it takes to obtain information from suppliers.

To address these challenges, the Health 3rd Party Trust Initiative has established best practices that benefit both hospitals and suppliers. Standardizing these practices will streamline the process and enable healthcare providers to evaluate suppliers effectively. Omar Sangurima, Principal Technical Program Manager at Memorial Sloan Kettering Cancer Center, emphasizes the importance of these best practices, stating that they set a baseline for doing business in this field.

Sangurima adds that these best practices are applicable to healthcare providers of all sizes, not just large hospital companies. He hopes that initiatives like this, combined with industry standards for data privacy, will help smaller organizations implement robust security programs without needing to start from scratch.

In conclusion, hospital operators are taking proactive measures to ensure the cybersecurity of their vendors and suppliers. By establishing best practices and emphasizing the importance of security, healthcare providers aim to minimize the risk of data breaches and associated lawsuits. These efforts are crucial in an era where hospitals are increasingly targeted by hackers due to their reliance on third-party suppliers and the adoption of new technologies.
