Healthcare organizations have been investing in cybersecurity to improve their defenses against increasingly numerous and sophisticated cyberattacks; however, while an organization’s security posture can be improved, it can only be as good as the weakest link.
Cybercriminals are increasingly targeting the supply chain in their attacks, as these are usually the weakest links in the security chain. Healthcare organizations typically contract with many different vendors which are often provided with sensitive data or privileged access to healthcare networks. In 2022, data breaches at business associates increased to the point where reported data breaches with business associate involvement outnumbered the data breaches at healthcare providers. Many of the data breaches at business associates affected dozens of healthcare clients. Assessing and managing supply chain risk is now one of the biggest cybersecurity challenges in healthcare.
A recent study conducted by SecurityScorecard and the Cyentia Institute explored the reasons why data breaches at third parties and fourth parties are now so common. The report – Close Encounters of the Third (and Fourth) Party Kind – was based on data from more than 230,000 primary organizations and 73,000 vendors and products used by those organizations.
Third parties and fourth parties introduce risk, but managing and reducing those risks to an acceptable level can be a monumental challenge because of the complex, interconnected web of third- and fourth-party relationships. For example, SecurityScorecard looked at one small company – a website code developer whose code controls how visitors interact with a website. Approximately 12,500 organizations use that company’s code on their websites, and those organizations in turn have relationships with 232,000 fourth parties. While those 232,000 organizations have no direct relationship with the company, 98.7% of them have an indirect, once-removed relationship with the website code developer. If the company’s code were compromised, almost 229,000 companies would experience some level of exposure.
Third and Fourth Parties Much More Likely to Have Poor Security Ratings
SecurityScorecard investigated the extent to which third-party vendors are used. The analysis showed that, on average, organizations use around 10 third-party vendors. In healthcare, the average was 15.5. That calculation is based on third-party vendors that are visible from outside-in scanning of an organization’s Internet-facing infrastructure using SecurityScorecard’s Automatic Vendor Detection. While these numbers are relatively low, there are expansive fourth-party relationships. Each organization typically has indirect relationships with between 60 and 90 times the number of fourth parties as third parties.
Third- and fourth-party data breaches are incredibly common. More than 98% of primary organizations said they had a business relationship with a vendor that experienced a data breach in the past 2 years, and almost half of the organizations had indirect links to at least 200 fourth-party vendors that had experienced a data breach in the past 2 years. SecurityScorecard also assessed the relative security of first parties and third parties. Twice as many primary organizations (38.4%) had the highest security rating of A compared to third parties (17.7%), but more concerning, third parties were almost five times as likely as primary organizations to receive a security rating of F. An examination of fourth parties found that they were 10x more likely to have a failing security grade than an A. Poor security ratings do not necessarily mean an organization will experience a data breach, but SecurityScorecard’s analysts determined that firms with poor security ratings were 7.7% more likely to experience a data breach.
“Many organizations are still unaware of the dependencies and exposures inherent to third-party relationships, and simply focus on managing their own security posture. Others are aware of those issues, but don’t make vendor decisions based on security and/or require vendors to meet certain standards. Even firms that do establish third-party security requirements can struggle to continually monitor compliance and progress,” explained SecurityScorecard in the report. The good news is that organizations are now paying much greater attention to vendor risk, with Gartner reporting that 60% of companies now use cyber risk as a significant determinant when conducting third-party transactions.
As cyber actors focus their efforts on the supply chain, managing third and fourth-party risk has never been more important. While this can be a challenge, the first step is to gain visibility into your entire vendor ecosystem, as without that visibility it is not possible to accurately assess risk and make informed decisions. Once those third and fourth parties have been identified, the security posture of those organizations needs to be assessed. SecurityScorecard also recommends collaborating with those vendors and helping them to improve their security, and using automation to continuously monitor vendors’ cyber risk and generate alerts when there are notable changes to their security posture. That then allows organizations to be more proactive and help their vendors address vulnerabilities before they are exploited.
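The once-removed exposure described in the website code developer example and the visibility, assessment and monitoring steps recommended here, as an added Python example that is not part of the article or of SecurityScorecard's tooling; the organizations, vendors and letter grades are constructed sample data, and the grade scale and alert threshold are assumptions.

```python
# Added example (not from the article): model an organization's third- and
# fourth-party dependency graph, measure which vendor's compromise would expose
# the most organizations, and flag vendors whose security rating has dropped.
from collections import defaultdict

# Constructed sample: org -> vendors it uses directly. Vendors use vendors too,
# so "webcode-dev" is a fourth party to hospital-a via ehr-vendor and billing-co.
USES = {
    "hospital-a": {"ehr-vendor", "billing-co"},
    "hospital-b": {"ehr-vendor", "lab-saas"},
    "clinic-c":   {"billing-co"},
    "ehr-vendor": {"webcode-dev", "cloud-host"},
    "billing-co": {"webcode-dev"},
    "lab-saas":   {"cloud-host"},
}

def dependents(uses):
    """Reverse the graph: vendor -> set of organizations that use it directly."""
    rev = defaultdict(set)
    for org, vendors in uses.items():
        for vendor in vendors:
            rev[vendor].add(org)
    return rev

def exposure(uses, compromised):
    """Return {org: hops} for every organization reachable from a compromised
    vendor: hops == 1 is a direct (third-party) relationship, hops == 2 is the
    once-removed (fourth-party) relationship the article describes."""
    rev = dependents(uses)
    seen, frontier, hops = {}, {compromised}, 0
    while frontier:
        hops += 1
        frontier = {o for v in frontier for o in rev.get(v, ()) if o not in seen}
        for org in frontier:
            seen[org] = hops
    return seen

def blast_radius(uses):
    """(vendor, exposed organization count), largest first: the vendors whose
    posture most deserves continuous monitoring."""
    return sorted(((v, len(exposure(uses, v))) for v in dependents(uses)),
                  key=lambda item: -item[1])

def rating_alerts(previous, current, threshold=1, scale="FDCBA"):
    """Vendors whose letter grade fell by at least `threshold` steps between two
    monitoring runs (assumed A-F scale); new vendors with no history are skipped."""
    return sorted(v for v in current if v in previous
                  and scale.index(previous[v]) - scale.index(current[v]) >= threshold)

if __name__ == "__main__":
    print(exposure(USES, "webcode-dev"))   # direct and once-removed exposure
    print(blast_radius(USES)[0])           # vendor with the widest reach
```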
The post 98% of Organizations Use a Vendor That Had a Data Breach in the Past 2 Years appeared first on HIPAA Journal.