Nearly Half of Healthcare Organizations Suffered a Third-Party Security Incident in Past Year

What You Should Know: 

– Imprivata, a digital identity company, today released a new global research report conducted in collaboration with the Ponemon Institute. The report, titled “The State of Third-Party Access in Cybersecurity,” reveals that third-party data breaches continue to pose a significant threat to organizations worldwide.

– The study, which surveyed nearly 2,000 IT security practitioners across various industries, found that 47% of organizations experienced a data breach or cyberattack involving a third-party accessing their network in the past 12 months. This figure is consistent with findings from a similar study conducted two years ago, indicating that the problem is persistent and pervasive.

Key findings of the report include: 

• Ongoing Threat: 64% of respondents believe that third-party data breaches will either increase or remain at current levels over the next 12-24 months.
• Expanding Attack Surface: Nearly half (48%) of organizations agree that third-party remote access is becoming the most common attack surface for cyberattacks.
• Significant Consequences: Data breaches caused by third-party access have led to the loss of sensitive information, regulatory fines, and damaged relationships with vendors.
• Visibility Challenges: 35% of respondents are unsure how cyberattacks perpetrated through third-party access occurred, highlighting a lack of visibility into vendor activity.
• Resource Constraints: 41% of respondents cite insufficient resources or budget as a major barrier to mitigating third-party risk.

The Need for Improved Third-Party Risk Management

The report underscores the urgent need for organizations to strengthen their third-party risk management strategies. While awareness of the risks associated with third-party access has increased, many organizations struggle with inconsistent and immature security practices.

The report outline the following key recommendations:

• Enhanced Visibility: Implement solutions to gain greater visibility into third-party access and activity on the network.
• Access Control: Enforce strict access controls and least privilege principles for third-party vendors.
• Continuous Monitoring: Continuously monitor third-party activity for suspicious behavior.
• Regular Security Assessments: Conduct regular security assessments of third-party vendors to ensure they meet security standards.
• Incident Response Planning: Develop and test incident response plans to address potential breaches caused by third-party access.

“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”