A Shifting Cyber Risk Landscape?
The following is a guest article by Lorren Pettit, M.S., M.B.A., CEO and Principal at GeroTrend Research
“Patient data is a goldmine for cybercriminals. So, it’s not surprising that bad actors are aggressively targeting healthcare organizations,” according to David Finn, Principal of Cyber Health Integrity and 2023 recipient of the Baldridge Foundation Award for Leadership Excellence in Cybersecurity.
The recent Oracle Health data breach, where cybercriminals leveraged Oracle’s system to steal patient data from multiple U.S. healthcare providers, represents the latest notable example of a healthcare organization successfully compromised by cybercriminals.
As the exact cause and impact of the Oracle Health breach become more widely known, one thing is crystal clear to Finn: the cyber risk landscape is shifting. “Bad actors increasingly favor exploiting the software vulnerabilities found in external solutions used by healthcare organizations to access their coveted patient data.”
Consider the following.
PIH Health (December 2024). A ransomware group infiltrated PIH Health Hospitals’ third-party IT systems, locking access to 17 million patients’ records and leaving patients unable to access medical care or prescriptions.
UnitedHealth Group (April 2024). A cyberattack caused by a vulnerability in a third-party billing system allowed hackers to breach UnitedHealth’s system and access millions of patients’ medical records, affecting the delivery of medical services and the processing of insurance claims.
Change Healthcare (February 2024). Exploiting weak access controls in a third-party vendor system used by Change Healthcare, hackers gained entry to 145 million patient records, causing widespread disruptions and payment delays across healthcare systems.
These anecdotal cases are supported by findings from the most current Verizon Data Breach Investigations Report. In their 2024 report, researchers found that software supply chain interconnections (third-party software) accounted for 15% of breaches in 2024, up from 9% in 2022 and 2023 and 4% in 2021. Clearly, cybercriminals are increasingly finding these third-party software vulnerabilities a successful pathway to exploit.
Why Now?
A third-party software breach, often referred to as a supply chain attack, occurs when a security vulnerability or cyberattack on a third-party vendor, supplier, contractor, or partner leads to the compromise or theft of sensitive data belonging to an organization using the external vendor’s software solution. Though cybersecurity experts like Finn have long identified third-party vulnerabilities as a threat to monitor and manage, he points to a few potential reasons why cybercriminals are targeting third-party software vulnerabilities now.
The Cyber Fortification of Large Organizations
Larger organizations with “deep pockets,” the ones cybercriminals want to penetrate, are increasingly funding robust cybersecurity programs that include a fully staffed security operations center and several layers of security controls. To bypass these barriers, cybercriminals have shifted their focus to third-party software providers, exploiting them as unwitting “Trojan Horses” to infiltrate and compromise the larger, fortified companies.
Limited Contractual Security Requirements of Third-Party Solution Providers
Historically, larger organizations have tended to place blind trust in the security strength of third-party providers and have failed to fully assess the risks associated with these vendors. There are suggestions that larger companies are moving towards tightening contractual security requirements to include actual technical security specifications and requirements for annual independent audits. However, these practices are not universal and continue to present fertile ground for bad actors.
Increased Complexity of Third-Party Solutions
As software vendor solutions become increasingly complex, organizations often face challenges in tracking where their data is sent. Proprietary or sensitive information can easily be shared with suppliers and subcontractors that the contracting organization may know little or nothing about until it is too late.
Increased Integration of External Partners with AI Solutions
The Artificial Intelligence (AI) revolution in healthcare has spawned a cottage industry of software companies rushing to bring their products to market. As developers in startup companies understandably prioritize the creation and launch of their products, it’s not uncommon for them to neglect to properly check for or fix known code vulnerabilities. With leading organizations maintaining a code flaw prevalence of around 40%, it’s not unthinkable to find many of these smaller firms struggling with known code vulnerabilities at twice that rate (or more).
What Leaders Can Do to Prevent Third-Party Security Breaches
Effectively managing risk from third-party software vendors can be difficult. This is especially true for large organizations with an extensive supply chain. That said, Finn notes there are steps health IT leaders can take to better understand their risk environment and mitigate the risk from third-party vendors.
Include Information Security as Part of the Sourcing and Selection Process
As IT infrastructure becomes increasingly integrated with external parties, it is critical that information security be considered during the vendor sourcing and selection process. Preference should be given to vendors with demonstrable information security capabilities, including how they work with clients with complex information security needs and how they comply with HIPAA, GDPR, etc.
Require Vendors to Independently Verify Their Information Security Practices
Third-party risk assessment tools and/or certifications can be enormously helpful in determining whether vendors are taking appropriate information security measures. Consider requiring compliance against an outside standard such as SOC 2 or the NIST Cybersecurity Framework (CSF). With code flaw prevalence so high in organizations, vendors should be pressed on what processes they have in place to ensure the ‘vitality’ of their coding practices.
Continuously Monitor Third Parties
As the threat landscape evolves, new vulnerabilities and attack vectors can arise unexpectedly. Periodic reviews can leave significant gaps in risk assessments, but nonstop monitoring brings full visibility into a vendor’s security practices and potential vulnerabilities.
Cybersecurity is a Shared Responsibility
As cybercriminals increasingly target the software vulnerabilities of third-party vendors, it is essential that healthcare provider organizations acknowledge that their cybersecurity posture extends beyond their own infrastructure and into their vendor relationships. By working together with vendors to proactively evaluate their security protocols, implementing comprehensive risk management strategies, and continuously monitoring vendor access, potential vulnerabilities can be effectively mitigated.
Neglecting this important aspect is no longer viable, Finn warns. To mitigate these risks, healthcare organizations need to implement robust third-party risk management (TPRM) programs. This includes assessing vendors’ security postures, enforcing security requirements in contracts, and maintaining visibility and control over vendor access to networks. These are difficult things to accomplish from the provider side; everyone wants what they want, so you will need to involve everyone who takes part in the purchase, acquisition, or deployment of any hardware or software.
“Something far too many healthcare organizations can attest to this past year,” says Finn.
About Lorren Pettit
Lorren Pettit, M.S., M.B.A., CEO and Principal at GeroTrend Research, is a digital health market researcher/product management executive and author of three digital health textbooks. With extended tenures in some of healthcare’s most renowned organizations (Press Ganey, HIMSS, and CHIME), Pettit’s “fingerprints” have shaped some of the most significant programs and products influencing the delivery of healthcare in the U.S.