Third-Party Vendors As An Insider Threat
  • 30 Apr 2021

Thank you to Aisha Berry for sharing her blog.

Aisha Berry, "Data Is The Next Patient!"(TM)
Founder and Principal Consultant, CyberSec Health Consulting
data@cybersechealth.com
www.cybersechealth.com


Third-Party Vendors As An Insider Threat

By Aisha Berry

Cybersecurity threats in healthcare are continually evolving. Insider threats are malicious threats that originate from within the organization: full-time or part-time employees, independent contractors, interns, and other staff. They can be the most harmful threats a healthcare organization faces. With a growing and more varied workforce, much of it working remotely, the organization's security is more exposed, which allows threats to enter and makes attention to the inside a necessity.

Healthcare organizations sometimes unknowingly put themselves at risk by contributing to the conditions behind insider-threat behavior. Excessive work hours, credential sharing, a hostile work environment, and staff who feel unappreciated all make healthcare institutions vulnerable and predispose them to threats and attacks. Insider threats are consistently the most significant risk to healthcare data each year: approximately 47% of healthcare organizations have been affected by insider threats. Insiders are not the only cause of data breaches, however; external threats are a concern as well. According to Verizon's Data Breach Investigations Report, external threats triggered more data breaches than insider threats in 2020. External and insider threats do share one attribute: they are insidious. Breaches are not discovered promptly and lie dormant; on average, a data breach takes 350 days to identify and contain, and the rate of victimization is an alarming 45%. Attack methods vary with the industry. Insider threats are shaped by several kinds of issues, including behavioral, organizational, and technical ones.

Third-Party Vendors

Third-party vendors can compromise their clients' security through negligence, deliberate actions, harmful access, and improper use. Performing a risk management assessment of each third-party provider is therefore important. Doing so also lets healthcare organizations exercise adequate due diligence, such as sourcing a reputable and trustworthy company from across the vendor ecosystem. To ensure secure practices, healthcare organizations should also know which security practices the vendor implements within its own company: awareness training, audits, patching and updates, internal risk analysis, and the process for authorizing access to PHI.

When determining whether the risk appetite aligns with the security goal in mind, it is crucial to ensure a high degree of compatibility with the third-party vendor. For example, intrusion detection systems, network packet analyzers, and SIEM tools can monitor for unusual and suspicious network activity, while disabling former employees' accounts and performing password audits can reduce the risk of third-party attacks. Organizations can also perform due diligence by using methods that detect anomalous network activity, revealing insider-threat activities and behaviors within the organization. Although it is time-consuming, establishing a baseline of normal traffic and processing traffic data against it is ideal when an event occurs.
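As an added illustration, not the author's material, the following Python script shows the baseline-then-deviation approach the paragraph describes, applied to constructed vendor remote-access log lines: it learns each vendor account's usual destinations and working hours from a baseline window, then flags later sessions that leave that envelope and any activity from vendor accounts that should already have been disabled. The account and host names are made up.

```python
"""Baseline-and-deviation check for third-party vendor account activity."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
# Format per line: timestamp  vendor-account  destination-host  result
BASELINE_LOG = """\
2021-03-01T09:15:00 vendor-imaging-svc pacs-01 OK
2021-03-02T10:05:00 vendor-imaging-svc pacs-01 OK
2021-03-03T11:40:00 vendor-imaging-svc pacs-02 OK
2021-03-04T14:20:00 vendor-billing-svc billing-db OK
2021-03-05T09:50:00 vendor-billing-svc billing-db OK
"""
REVIEW_LOG = """\
2021-04-12T10:30:00 vendor-imaging-svc pacs-01 OK
2021-04-12T02:45:00 vendor-imaging-svc pacs-01 OK
2021-04-13T11:00:00 vendor-billing-svc ehr-app-01 OK
2021-04-14T09:00:00 vendor-old-hvac-svc bms-01 OK
"""
# Accounts of vendors whose contract has ended; these should be disabled.
OFFBOARDED = {"vendor-old-hvac-svc"}


def parse(log):
    """Yield (timestamp, account, host) for each log line."""
    for line in log.splitlines():
        ts, account, host, _result = line.split()
        yield datetime.fromisoformat(ts), account, host


def build_baseline(log):
    """Per account: (set of hosts seen, earliest hour, latest hour)."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, account, host in parse(log):
        hosts[account].add(host)
        hours[account].add(ts.hour)
    return {a: (hosts[a], min(hours[a]), max(hours[a])) for a in hosts}


def find_deviations(baseline, log, offboarded=OFFBOARDED):
    """Return (timestamp, account, reason) for each session outside baseline."""
    findings = []
    for ts, account, host in parse(log):
        if account in offboarded:
            findings.append((ts, account, "offboarded account still active"))
            continue
        if account not in baseline:
            findings.append((ts, account, "no baseline for account"))
            continue
        known_hosts, lo, hi = baseline[account]
        if host not in known_hosts:
            findings.append((ts, account, f"new destination {host}"))
        if not lo <= ts.hour <= hi:
            findings.append((ts, account, f"hour {ts.hour:02d} outside baseline {lo:02d}-{hi:02d}"))
    return findings
```

In practice the baseline window would be rebuilt on a schedule and the findings fed to the SIEM rather than returned as a list.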

Healthcare organizations can conduct a vendor risk assessment before a service agreement is finalized:

Determine Risk Criteria

Informed by the risk appetite, determine the risk tolerance levels by measuring the risk levels. The security program is then aware of the organization's requirements for protecting against compromise of confidentiality, integrity, or availability. PHI and compliance risk are the focal areas for healthcare organizations.

Vendor Classification

One healthcare organization may work with several vendors, each posing a different level of risk. Vendor classification is therefore essential; it is based on the organization's risk criteria and on what each vendor supports: application management, network, and data.

Vendor Assessment

Vendor assessments can be performed in a variety of ways: onsite, virtually, or by questionnaire. Onsite assessments are critical because of the accuracy of the results they produce, and for high-risk vendors they are ideal. If you use a questionnaire, the answers may not be accurate, which raises the threat level in your organization; a detailed questionnaire that asks for specific answers is the best way to receive adequate responses.

Addressing Vendors' Risk

Once risks have been identified, create a remediation plan with a timeline and the steps to take in managing each risk, and create a plan to monitor the vendor's progress on completing those steps.
