Chief Healthcare Executive presents another installment from our conversation on cybersecurity, with experts from the American Hospital Association, HIMSS and Providence. They talk about breaches tied to business partners.
Even as hospitals work to protect their systems from cyberattacks, they also have to worry about threats beyond the vulnerabilities in their own organizations.
Cybersecurity experts say hospitals can be exposed to breaches from their partners and vendors.
Chief Healthcare Executive® recently assembled a panel discussion on cybersecurity, and as part of the conversation, the panelists weighed in on the risks of attacks aimed at hospitals’ business partners. This is the second installment from our panel’s wide-ranging conversation on cybersecurity in the hospital and healthcare industry. (If you missed it, check out our first episode on the scope of cyberattacks in healthcare.)
Our panel featured three top experts: John Riggi, national advisor for cybersecurity and risk for the American Hospital Association; Lee Kim, senior principal of cybersecurity and privacy at HIMSS; and Adam Zoller, the global chief information security officer for the Providence health system.
They pointed to the wide-ranging damage from the Change Healthcare cyberattack. The company works with most healthcare providers, and 100 million people were affected by the attack. Nearly all hospitals suffered financial damage and disruptions from the attack, the hospital association said.
Riggi noted that many attacks affecting hospitals and health systems come from breaches of their vendors.
“I would say, in my opinion, that the vast majority of attacks are related to third parties,” Riggi said.
“Generally, what the bad guys are doing are exploiting vulnerabilities in third party technology,” he explained. “As I remind folks, hospitals and health systems, we don't write our own operating system code. We don't build our own medical devices, per se. So ultimately, it's a vulnerability which is being exploited in third party software or some service provider.”
Kim says that she’s seeing greater focus from health systems in guarding against risks from third-party vendors.
She also says vendors and business partners aren’t always doing everything they can to protect against cyberattacks, raising the risks for hospitals.
“We see vendors conducting risk assessments far less often than they should, security awareness training far less than they should,” Kim said.
Hospitals need to be in regular communication with their vendors and business partners, Kim suggested.
“So communication is key with your third-party vendor,” Kim said. “Have you talked with them about the extent to which they will notify you of a security incident? What kinds of incidents?”
Providence, which operates 51 hospitals and 1,000 clinics, deals with plenty of third-party vendors. Zoller notes that attacks aimed at vendors pose a serious threat to Providence.
“I'm a firm believer that third-party risk is really the biggest risk domain pertaining to cybersecurity that we face as a healthcare system, and frankly, probably as a healthcare sector,” Zoller said.
Like Kim, Zoller said some third-party partners are more responsive and transparent about breaches than others. He didn’t name names but said some vendors can do better about communicating cybersecurity risks.
“Not all of these third parties handle issues or incidents in a way that's really forward leaning or in the best interest of their customer,” Zoller said. “In fact, oftentimes, what I find is that when these third parties have issues, they close up. They don't share information about the cybersecurity portion of the issue that they're dealing with, nor do they share details about the business disruption side of the house that they're dealing with.”
Check out the full discussion on the risks to hospitals from third parties in the video above.
We’ll present the third episode in our discussion on cybersecurity in hospitals next Monday, Nov. 11. Don’t miss it.