Healthcare providers and vendors struggle with some of the same IT security challenges.
When working with vendors around security issues, healthcare organizations need to go beyond the business associate agreement (BAA) required by HIPAA. They should conduct annual security assessments of their vendors and include date-specific security remediation requirements in their vendor contracts.
Above all, they need to work with the vendors who are willing to improve their security so that both groups are more secure.
Choosing vendors with the resources and drive to focus on security should be a top priority.
David Finkelstein, Chief Information Security Officer at St. Luke’s University Health Network, noted that small vendors can struggle due to a lack of financial resources to invest in security.
“About 80 percent of healthcare vendors are only focused on a niche area of healthcare, such as scheduling or lab results,” Finkelstein told HealthITSecurity.com.
These vendors may only be able to invest $100,000 in capital to create a niche product that can generate substantial revenue for the healthcare organization without costing too much to produce, explained Finkelstein.
Unfortunately, that means that the vendors don’t often have extra cash to spend on security improvements.
It can cost between $30,000 and $40,000 for a vendor to deploy data encryption or antivirus in their system, he noted.
Steve Crocker, Director of Information Security for Methodist Le Bonheur Healthcare, agreed that the small size of many healthcare vendors poses a security problem.
Historically, many healthcare organizations have not focused on cybersecurity issues. As a result, many of these smaller vendors have gained access into systems and data without sufficient security controls. That can leave security teams with a difficult job to manage.
“Some of our projects have been slowed down because now we’re having to go through the additional steps of doing a vendor risk assessment on each and every vendor. But the culture is getting used to [doing a risk assessment] now. It really pays off,” commented Crocker.
At the same time, some of the large healthcare vendors are also reluctant to spend more on security at the request of the provider, Finkelstein observed.
“The larger healthcare vendors understand that they are often the only thing out there,” he said. “Nobody pushes back on them. And I know this because I am one of only five or six people that have ever pushed back at these vendors to get them to be more secure. And it takes months to get it done,” he added.
With all of the challenges vendors face improving their security, what can healthcare providers do to help vendors and ensure their systems are secure?
Healthcare providers’ role in vendor security
While vendors should focus more on security, some can’t and some won’t. Yet, it’s the healthcare provider that could pay the price for poor vendor security practices.
“If I’m sitting down talking to another CISO, my recommendation is always to ask the vendor questions. What do you do for antivirus? What do you do for encryption? What do you do for firewalls, auditing, access to your system, etc.? How does all that work together?” advised Finkelstein.
“If they give you a lot of, ‘Well, we don’t do that,’ or ‘We have very minimal standards,’ or whatever the case may be, my recommendation would be to back off that vendor really quickly. The ones that will jump at the chance to brag about what they do security-wise are the people you want to work with,” he added.
“If I’m sitting down talking to another CISO, my recommendation is always to ask the vendor questions.”
Crocker also stressed that the healthcare organization must go beyond the HIPAA-mandated BAA.
A BAA focuses on protecting PHI, not preventing data breaches. So healthcare providers need to ensure vendors implement additional measures to keep their systems secure.
“We go beyond the BAA. That's been a source of pushback from some of the vendors, who sometimes say, ‘Well, we have a business associate agreement with you so, why do we need to do this assessment?’ It’s an educational process.”
Crocker said that his organization tries to cooperate with vendors to improve their security. Methodist Le Bonheur does security assessments to see if the vendor has any identifiable cybersecurity vulnerabilities and then works with them to fix those vulnerabilities.
“Many times, we'll put a contract addendum that is date-specific. It states that the vendor will remediate these particular vulnerabilities by this date,” Crocker noted.
“In the beginning, they all tell you that you're being unreasonable; you're the only person that's ever asked them for this. In reality, they’re getting asked this by many covered entities. Eventually, it gets better,” he said.
Methodist Le Bonheur Healthcare does annual security assessments of its vendors based on risk.
“When it comes time for the assessment, we contact the vendors, and they have a package premade. It includes their security certifications, their financials, their insurance certifications, policies and procedures,” said Crocker.
“I would advise healthcare providers to define some baseline requirements that you want your vendors to abide by.”
CORL Technologies CEO Cliff Baker agreed with Crocker that BAAs are insufficient by themselves to ensure vendors security. Atlanta, Georgia-based CORL provides healthcare vendor security risk management solutions.
Organizations need two key answers from vendors regarding data security, Baker explained.
One is an assurance from the vendor that it can protect PHI.
“Assurance means that either they get some sort of third-party security certification, or they can provide documentation evidence that they have an adequate security program in place. I think that’s one expectation that healthcare organizations need to start setting for their vendors,” Baker said.
“The second key concept is to enforce accountability to remediate security issues. Threats change all the time. As soon as vendors are notified that they have a security issue or risk, they need to make sure that they remediate it. And they need to remediate within an acceptable timeframe for the healthcare organization,” he added.
Baker recommended that healthcare organization put remediation timelines or remediation expectations into their vendor contracts. Vendors are becoming increasingly willing to agree to these contract provisions.
“This is an issue on the mind of every board today. The exposure is too high. I think the tide is turning, and it’s going to become a requirement at some point for vendors that work in healthcare to be able to honor those expectations,” Baker said.
Leke Adesida, Chief Compliance Officer at Ciox Health, also recommended that healthcare organizations be proactive with their vendors.
“I would advise defining some baseline requirements that you want your vendors to abide by,” he said. “If a vendor is not going to agree to meet a security baseline, the likelihood of you being able to rely on them is probably suspect.”
“The second thing is that healthcare organizations really need to build their relationship with the vendor. Oftentimes, it’s a once a year check-in. But things change quickly in this environment. You have to keep in close, tight contact with your vendor because the issues you’re dealing with as the covered entity are probably the same things your vendors are dealing with,” Adesida said.
What can vendors do to improve security?
Good security hygiene should be a foundational element of a vendor’s business plan.
In 2017, a number of vendors were hit by WannaCry ransomware because they didn’t patch their systems in a timely way. WannaCry targeted a Windows 7 vulnerability for which a patch was available.
“If you don’t have good hygiene and processes, the environment will fall down all the time. When your covered entities come in and do an assessment of the environment,, they are going to find out that you don’t have those good, sound processes in place,” Adesida cautioned.
“Healthcare records are not like financial records where somebody can be made whole if there is a breach or loss. You can’t just give them a new credit card and refund their money,” he noted.
Adesida recommended that small vendors participate in industry groups to learn what others in the healthcare industry are doing to improve security and to benefit from the shared knowledge from those groups. That way, they don’t have to go it alone when it comes to security.
Helping vendors improve their security is essential for healthcare provider security.
“Every aspect of healthcare organization operations today relies on vendors for critical parts and services,” Baker said. “Healthcare organizations can no longer ensure the security of the data if the vendor is not doing their part to keep that information protected.”
Sometimes, vendors put software or devices on the healthcare provider’s network. If that software or device has security flaws, it could expose the rest of the organization to a security breach, Baker warned.
Healthcare organizations are sending millions of records daily to vendors, whether it is for research, clinical analytics, patient engagement, or billing and payment purposes. Once the data leaves the organization, vendors are accountable for that data, and there’s little the organization can do to prevent a breach, Baker noted.
Cybersecurity Framework, Certification Needed
Crocker recommended that vendors get a security certification so they don’t have to answer security questionnaires from each customer.
“In most cases, a security certification eliminates the need for us to ask the vendor additional questions, because most of that information is going to be in the security certification,” he said.
Crocker also recommended that vendors build a strong cybersecurity program that includes risk management and employee training.
“It's always helpful if vendors follow a particular framework, whether that be the NIST Cybersecurity Framework or HITRUST framework,” he said.
Finkelstein agreed. “Vendors have to follow a standard,” he said. “There are many security standards out there that can help them in ensuring that they do what healthcare needs them to do. Some of the options are NIST, HITRUST, and the ISO 27000 series. Or they can get SOX [Sarbanes-Oxley] compliance certification.”
“I will tell you the ones that are the most successful here at St. Luke’s to get through my process are the ones that already have a SOX certification or an ISO 27000 series - some type of certification that shows me immediately not only do they care about security, but they are diligent about constantly upgrading their systems to maintain that certification.”
A recognized certification can start the vendor-customer relationship off on the right foot, Finkelstein added.
“It’s part of what vendors can do to become better business partners for healthcare organizations, especially for organizations that have people like me that are going to beat them up if they don’t have the right security.”
Healthcare organizations rely on a plethora of vendors of all sizes for support, including processing and maintaining data, providing analytics, and performing operational tasks.
Vendor security is one of the biggest risk for healthcare organizations and one of the biggest sources of frustration for CISOs.
Once healthcare organizations put their own security house in order, they need to make sure their vendors are looking after their security house as well. Failure to do so could cost organizations money and downtime.