Third-Party Breaches on the Rise in Healthcare

Third-party breaches pose one of the biggest challenges in cybersecurity. They occur when attackers compromise a vendor, supplier or other organization associated with the target and use that foothold to reach the target's sensitive information or systems, usually for financial gain.

The last few years have seen increasing breaches targeted at healthcare institutions. Such attacks have far-reaching repercussions as they affect the hospitals and their patients. As the healthcare industry adopts more interconnected systems and technologies, stakeholders must revamp their cybersecurity measures to protect against severe financial and reputational losses.

The Rise of Third-Party Breaches in Healthcare

A recent report shows that nearly 35% of cybersecurity incidents in 2022 involved third-party attacks aimed at the healthcare sector. This represents a 1% increase in the frequency of attacks from 2021.

Similarly, 55% of healthcare organizations reported experiencing a third-party data breach between 2021 and 2022. Only the financial sector recorded a higher percentage, at 58%. The two industries have one thing in common: both rely heavily on an extensive network of third parties, any one of which represents a potential entry point into the organization's environment.

These statistics tell a worrying story with two even more troubling conclusions. One is that hospitals and related institutions are targeted more than most sectors. The second is that the industry must step up its efforts to prevent data breaches.

What Are the Most Common Third Parties in Healthcare?

Third-party partnerships are crucial in healthcare. They provide essential services that support these organizations' daily operations. Some of the most common third parties include software-as-a-service (SaaS) providers, outsourced data centers, insurance companies, marketing services and computer hardware suppliers.

Each vendor has access to large volumes of private information that malicious actors may find enticing. For example, a 2023 study found that over 98% of hospital websites send visitors' data to third parties, including advertising firms and data brokers.

As necessary as these partnerships are, every third-party agreement adds to a healthcare provider's cyber-risk. Because these relationships are interconnected, a successful breach at one partner can cascade through the rest of the ecosystem.

Such was the case with the Red Cross breach in 2022, which compromised the private data of 515,000 people across 60 locations worldwide. The attackers did not breach the Red Cross directly; they compromised a third-party data storage provider in Switzerland and stole a large volume of sensitive information in a single intrusion.

Why Third-Party Attacks Target Hospitals

It's easy to see why the healthcare industry is a prime target for malicious actors. Hospitals are a treasure trove of valuable, sensitive information: medical records, insurance details, Social Security numbers, names, addresses and more.

In the wrong hands, this information could be worth a lot of money. According to a 2022 Senate cybersecurity whitepaper, medical records can sell for up to $1,000 on the black market, 10 times more than the cost of credit card details.

Attackers can also use stolen diagnostic information to blackmail patients. No one wants their medical condition publicized, especially where it could be used against them. This is one reason the financial impact of a successful attack tends to be higher in healthcare than elsewhere: between 2010 and 2019, a healthcare data breach cost $429 per record, compared to $150 per record in other sectors.

Lastly, some cybercriminals aim to disrupt critical infrastructure outright, as ransomware attacks do. Hospitals make ideal targets because they cannot afford interruptions to their everyday activities. If an attacker could disrupt a healthcare facility's power or clinical systems, patients on ventilators would be at risk, emergency services could shut down and vital records could be lost.

Threat actors know that hospitals are more likely to pay a ransom to restore operations than to tolerate a prolonged outage of their digital systems.

Defending Against Third-Party Breaches

The healthcare industry can employ several measures to ensure a more robust cybersecurity framework and prevent third-party attacks. These include:

1. Assessing Vendors Before Onboarding

Hospitals must perform adequate due diligence before onboarding vendors and suppliers. A practical starting point is to evaluate the third party's security history and the controls it currently has in place. Research shows that 98% of analyzed organizations have a relationship with at least one partner that has experienced a breach in the last two years.

Assessments allow healthcare providers to better understand a potential vendor’s security posture and what risks they may be vulnerable to.

2. Incorporating Risk Management Into Service Level Agreements

This practice will not by itself prevent a third-party attack, but it makes vendors accountable if breaches occur. By contractually requiring partners to maintain defined security controls, hospitals reduce their own exposure and gain leverage when a vendor falls short.

3. Adhering to the Principle of Least Privilege (POLP)

Many third-party data breaches occur because vendors have more access to systems and private information than they need. POLP is a cybersecurity principle that limits each user's or service's access to strictly what is required to do its job. For example, a marketing or newsletter SaaS vendor has no business being able to read patient records, even if provisioning a broad account was the easy option at onboarding.
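One way to make POLP operational for vendor accounts is to record, for each vendor, the permissions its contracted job actually needs alongside the permissions the hospital actually provisioned, then flag any excess and tighten the grant. The script below is an added example, not code from the original article; it assumes a simple (resource, action) permission model and uses constructed vendor data based on the vendor types the article lists.

```python
"""Least-privilege audit for third-party (vendor) access grants.

Added example (not from the original article). Assumes each vendor's
access is a set of (resource, action) pairs and that the contracted job
has been written down as the minimum set of such pairs. All vendor data
below is constructed for illustration.
"""
from dataclasses import dataclass

Permission = tuple[str, str]  # (resource, action), e.g. ("patient_records", "read")

# Resources whose exposure to a non-clinical vendor is a serious finding.
SENSITIVE_RESOURCES = {"patient_records", "billing"}


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    role: str
    needs: frozenset[Permission]    # what the contracted job requires
    granted: frozenset[Permission]  # what the hospital actually provisioned


# Constructed sample data: three vendor types mentioned in the article.
VENDORS = [
    VendorAccess(
        "mailer-inc", "marketing SaaS",
        needs=frozenset({("newsletter_list", "read")}),
        granted=frozenset({("newsletter_list", "read"), ("patient_records", "read")}),
    ),
    VendorAccess(
        "colo-dc", "outsourced data center",
        needs=frozenset({("backup_volumes", "read"), ("backup_volumes", "write")}),
        granted=frozenset({("backup_volumes", "read"), ("backup_volumes", "write")}),
    ),
    VendorAccess(
        "hw-supply", "hardware supplier",
        needs=frozenset({("asset_inventory", "read")}),
        granted=frozenset({("asset_inventory", "read"), ("asset_inventory", "write"),
                           ("billing", "read")}),
    ),
]


def excess_grants(v: VendorAccess) -> frozenset[Permission]:
    """Permissions the vendor holds beyond what its job requires."""
    return v.granted - v.needs


def audit(vendors) -> dict[str, list[Permission]]:
    """Map vendor name -> sorted excess permissions, for over-privileged vendors only."""
    return {v.vendor: sorted(excess_grants(v)) for v in vendors if excess_grants(v)}


def high_severity(vendors) -> list[str]:
    """Vendors whose excess grants touch a sensitive resource."""
    return sorted(v.vendor for v in vendors
                  if any(res in SENSITIVE_RESOURCES for res, _ in excess_grants(v)))


def is_allowed(v: VendorAccess, resource: str, action: str) -> bool:
    """Enforcement check against what is actually provisioned."""
    return (resource, action) in v.granted


def tighten(v: VendorAccess) -> VendorAccess:
    """Return the corrected grant: exactly the documented needs, nothing more."""
    return VendorAccess(v.vendor, v.role, v.needs, v.needs)


if __name__ == "__main__":
    for name, extra in audit(VENDORS).items():
        print(f"{name}: over-privileged by {extra}")
    print("high severity:", high_severity(VENDORS))
    fixed = [tighten(v) for v in VENDORS]
    print("after tightening:", audit(fixed))  # expected: {}
```

Run as-is it reports the marketing vendor's read access to patient records and the hardware supplier's write access to inventory and read access to billing, marks the first two as high severity because they touch sensitive resources, and shows the audit is clean once each grant is reduced to its documented needs. The point of keeping `needs` and `granted` as separate fields is that the onboarding contract (what the vendor must do) becomes the source of truth, and drift in the provisioned access is detectable on every review cycle rather than only after a breach.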

4. Measuring Fourth-Party Risk

Just as it is crucial to understand third-party risk, hospitals must also have a basic overview of their vendors' own suppliers and service providers (fourth parties) and the cyberthreat exposure those relationships introduce. This ensures a more resilient end-to-end security posture.

5. Continuously Monitoring Third-Party Risks

A third party's security measures may lag over time, increasing the hospital's exposure to evolving cyberthreats. That's why it's crucial to continuously monitor vendors' security controls and ensure they remain up to par with current systems and best practices, rather than relying on a one-time assessment at onboarding. Healthcare providers must also continuously monitor their own defenses and upgrade them as needed to prevent internal data breaches.

Rising Third-Party Breaches in Healthcare

Cyberattacks against the healthcare sector have increased in recent years, and the industry's dependence on a wide vendor ecosystem makes it a prime target for third-party data breaches. These risks aren't going away soon, and hospitals must implement the necessary measures to build more secure vendor relationships and a more robust cybersecurity posture.