Rise in Third-Party Data Breaches Requires Updated Risk Management Approach

February 06, 2023 - The recent rise in third-party data breaches warrants a reevaluation of third- and fourth-party vendor relationships, new data from SecurityScorecard and the Cyentia Institute suggested. As previously reported, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors.

The problem is not specific to healthcare — SecurityScorecard and the Cyentia Institute analyzed data from more than 230,000 organizations from all sectors and found that 98 percent of organizations have a relationship with at least one third party that has experienced a breach in the last two years.

“This does not mean that those organizations were involved or impacted by those breaches. It doesn’t even mean that the nature of the relationship between the victim and its third parties is such that the breach could propagate to them,” the report noted. “But, it does mean that nearly every organization is at least indirectly exposed to risk from circumstances outside their control.”

Researchers compiled their findings from a subset of data focused on 11,509 healthcare organizations. In addition to third-party risk, the report showed that half of the analyzed healthcare organizations had indirect relationships with at least 212 fourth-party entities that experienced breaches in the past two years.

“Third- and fourth-party vendors have become necessary for organizations' digital supply chains,” the report acknowledged.

However, with that shift comes a need to constantly evaluate and re-evaluate vendor relationships and ensure that vendors are holding themselves to the same high security standards that healthcare organizations are required to follow.

“Keeping up to date on patches, updates, and having a point of contact with your third party vendor can be a good way to ensure your organization is doing as much as it can to keep its cyber risk in check,” the report suggested.

Third-party risk was a popular discussion point at the HIMSS Healthcare Cybersecurity Forum held in Boston in December. Panelists discussed the challenges of managing an ever-increasing number of third-party vendors as healthcare organizations continue to outsource key functions.

“It really is about making sure you have established those interdepartmental relationships with your procurement team, your compliance team, your office of legal affairs, and your risk management team,” Kathy Hughes, vice president and CISO at Northwell Health, said during the session.

However, Hughes acknowledged that managing third-party vendor risk is a “very manual and labor-intensive process” with lots of friction.

The panelists agreed that there must be a better way to approach third-party risk, suggesting a model of constant surveillance rather than transaction-by-transaction assessments.

The SecurityScorecard report encouraged organizations to gain a complete picture of their vendor ecosystems, collaborate with vendors to improve security, and continuously monitor through automation.