2023-07-27

Hospital operators are taking a hard line on how their vendors and suppliers secure their systems, amid a string of third-party cyber incidents that have caused data breaches and lawsuits at healthcare providers.

The Health 3rd Party Trust Initiative, an industry group comprising major healthcare providers, on Thursday published best practices for assessing the cybersecurity of suppliers, such as enforcing clarity about service expectations, specific questions to ask vendors and blueprints for resolving security issues.

“My board is quite engaged on this; they see this as being a significant risk that needs to be addressed, and so it’s something that really is, frankly, my highest priority,” said John Houston, vice president of information security and privacy, and associate counsel at the University of Pittsburgh Medical Center.

The guide goes into detail in areas such as data handling practices and sample language for use in contracts with suppliers. Other areas include recommendations on the frequency of supplier reviews, and metrics for reporting vendor risks across an organization.

Third-party breaches, such as supply-chain attacks and direct compromises through vendors, are expensive for hospitals. Research published by International Business Machines this week found the average cost of a data breach in the healthcare industry reached $10.9 million in 2023, a figure higher than for any other sector IBM analyzed.

Recent breaches traced to the hack of Progress Software’s MOVEit product have also involved health systems, including Johns Hopkins All Children’s Hospital and the University of Texas Southwestern Medical Center, and government departments including the U.S. Department of Health and Human Services. Expensive class-action lawsuits, which can cost millions of dollars, often follow, even if a hospital’s own systems were never breached.

Despite the string of attacks, healthcare providers are more vulnerable than ever to hackers, thanks in part to shifts to the cloud that rapidly accelerated during the coronavirus pandemic, and the expanding use of internet-connected devices in clinical settings. The risk has grown so great that some hospitals have even developed specific emergency codes ordering the shutdown of devices in the event of an incursion by hackers.

Hospitals are having a hard time coping with the oversight that their suppliers require even as they become ever-more reliant on them, said Shenny Sheth, deputy chief information security officer at Centura Health, who said he has three or four cybersecurity staff working full-time on assurance programs with hundreds of suppliers.

Complaints about the length of time it takes to get information from suppliers aren’t uncommon, said UPMC’s Houston.

“I now have to rely upon a lot of other third parties to secure my data. It’s just not one, it’s not 10, it’s not 20, it’s hundreds,” Houston said. “They often want to act like and function like a black box, meaning it’s very difficult to get really good, concrete, detailed information about those third parties’ security programs.”

At the same time, security executives say, suppliers are swamped with questionnaires and assurance requests from their clients. Producing a comprehensive and standardized set of best practices will help both parties, said Omar Sangurima, principal technical program manager at Memorial Sloan Kettering Cancer Center.

“At the very least we can all say, ‘OK, this is table stakes, this is what you need to do business in this area,’” he said.

Sangurima said the best practices developed by the group are designed to work for healthcare providers of all sizes, not just companies that operate dozens of hospitals across states. He said he hopes projects such as this, along with industry standards that govern data privacy, can enable smaller healthcare organizations to implement mature security programs.

“You don’t have to sit there and reinvent the wheel yourself as a smaller organization. You can grab it, it’s ready-made, and it’s cogent,” he said.