Hospital operators are taking a hard line on how their vendors and suppliers secure their systems, amid a string of third-party cyber incidents that have caused data breaches and lawsuits at healthcare providers. The Health 3rd Party Trust Initiative, an industry group comprising major healthcare providers, on Thursday published best practices for assessing the cybersecurity of suppliers, such as enforcing clarity about service expectations, specific questions to ask vendors and blueprints for resolving security issues.
“My board is quite engaged on this, they see this as being a significant risk that needs to be addressed and so it’s something that really is, frankly, my highest priority,” said John Houston, vice president of information security and privacy, and associate counsel at the University of Pittsburgh Medical Center. The guide goes into detail in areas such as data handling practices and sample language for use in contracts with suppliers.
Other areas include recommendations on the frequency of supplier reviews, and metrics for reporting vendor risks across an organization. Third-party breaches, such as supply-chain attacks and direct compromises through vendors, are expensive for hospitals.
Research published by International Business Machines this week found the average cost of a data breach in the healthcare industry reached $10.9 million in 2023, a figure higher than for any other sector IBM analyzed. Recent breaches traced to the hack of Progress Software’s MoveIt product have also involved health systems, including Johns Hopkins All Children’s Hospital and the University of Texas Southwestern Medical Center, and government departments including the U.S. Department of Health and Human Services.
Expensive