May 14, 2020 // Tony Howlett // Last Updated: May 13, 2020
As the move to focus corporate resources on core business functions has increased and intensified, the outsourcing trend has impacted all sizes and types of companies. With the software as a service (SaaS) model becoming the norm within most enterprises, very few technology platforms are developed and maintained exclusively in-house. Even infrastructure is now routinely outsourced to cloud providers like AWS, Google, and Microsoft Azure.
Healthcare is no different from other industries in this regard, with even some core functions such as patient care being handled by third-party vendors. The difference is that healthcare providers handle some of the most sensitive data there is, in the form of personal health information (PHI). Strict regulations, such as HIPAA and HITECH, place limits on how this data must be handled, and using third-party providers does not change that basic requirement. Most current laws on this subject require primary data holders to bind their vendors to the same standards they themselves must meet, and hold the healthcare entity (the primary data holder) responsible for its loss or disclosure.
This rush to outsource every possible function has led to a “tsunami” of vendor access into healthcare systems. And while healthcare entities use many outside vendors to fulfill various functions from back office to core, they must exercise the same level of care and supervision of them as they do over their own employees. A recent study by Ponemon Institute found that the average healthcare vendor breach costs $2.75 million and exposes nearly 10,000 records.
This “Wild West” attitude has led to a number of high-profile data breaches and damaging ransomware attacks on healthcare institutions and their technology vendors. The Quest Diagnostics and LabCorp breaches were among the largest recent incidents: over 20,000,000 of their customers’ payment records, including services rendered, were stolen from AMCA, a collection agency both companies used.
A few years ago, Britain’s National Health Service, the single-payer entity responsible for most of the country’s healthcare, was severely impacted when it was hit with ransomware, with over 80 sites experiencing some downtime and only limited services available to patients. Also in the ransomware department, PercSoft, a major cloud management provider for hundreds of dental practices, lost key patient records when its systems were hit with ransomware.
The risk to a healthcare entity from a breach caused by a third party is far larger than in other industries. Besides the financial and reputational impacts, institutions or providers may be hit with fines or operational limitations due to regulatory violations. And because many of these outsourced services and technologies are used directly for patient care, an outage at the vendor can translate directly into a patient care impact.
Third-party risk is an issue that most healthcare IT professionals are becoming acutely aware of due to these incidents and the resulting fines and regulatory actions. However, there are many barriers to getting your third-party vendor access under control. First is the sheer number of vendors. As previously mentioned, dozens or even hundreds of vendors accessing internal systems need to be inventoried and risk assessed. This can be a Herculean task, with different departments using different systems and tracking methods. SaaS providers are making shadow IT a bigger problem than ever. Uncooperative application owners who do not want to give up control of, or information about, their IT silos can slow the process down further.
Along the same lines, tracking all of this information and getting external users into your systems can create serious operational workloads. If you consider that each of the aforementioned vendors might have 10 or more reps to be onboarded, you are quickly looking at hundreds or more credentials to manage. And the compliance part of this activity can be significant. According to a recent Hobson & Company study, the average enterprise spends 17,000 hours, the equivalent of 9 full-time employees, per year tracking compliance related to third-party activity. Due to all of these factors, there is often internal pushback on organizing and securing vendors, coming either from application owners or from executives eager to benefit quickly from the cost savings that outsourcing promises. And that is in addition to vendor pushback on adding procedures or restrictions to their access. Vendors will generally want the maximum access and flexibility they can get, as the SLAs they have to meet are usually based on performance and time to resolution of issues, not security.
So what can we do about this? Is there a path through these potential compliance nightmares? Though the standards and regulations on healthcare are varied and often vague, with HIPAA, HITECH, HITRUST, and now a patchwork quilt of international, state, and local laws including GDPR, CCPA, and others, there is a commonality among all of them. When it comes to properly securing your vendors to limit third-party risk and to stay compliant, there are three main control areas to look at: identification, control, and audit.
For this article, we’re speaking strictly in terms of technical controls. Policies, procedures, and other non-technical methods are a topic for a different day and article. These areas are pretty much the same things you want to be doing with your internal employees, but with extra factors for vendors.
For the remainder of this article, we will dive into each area and provide some best practices for what you should be doing to keep your vendors from causing compliance headaches, or worse, a major security incident.
Identification, also known as the Identity and Access Management (IAM) practice, covers the processes and technology through which your vendors get access to the systems they need to work on. Any IAM process designed for vendors should function with all the controls of an internal IAM process, but with some additional features. The challenge to overcome is that with employees, you can easily verify their identity during enrollment through your HR processes and, likewise, remove their accounts when they leave through your standard offboarding processes. With vendors, you do not have visibility into the real-time employment status of each technician they employ, and you do not have an easy way to verify it. The best practice here is to have an onboarding and offboarding process that is regularly synced with the vendor’s employer records, either through a regular check-in or, ideally, an automated process. Technologies that can help with this include Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM). VPAM, a cousin of PAM, is software that automates the process and makes it more efficient when you are dealing with external vendors or other third parties. Whatever platform you use to manage your vendors, make sure a vendor account sync is done on a regular basis and documented.
Once you have gotten your vendors into your systems or networks, the next level in third-party remote access best practices is applying the concept of least privilege. This is the practice of providing exactly the access the vendor needs to do its job: no more, no less. It is a hard point to hit exactly, but most healthcare enterprises err on the side of too much access. If you are still providing your vendors with a simple VPN login similar to your employees’, you are leaving far too much to chance. Employee accounts usually need access to general file storage, HR, and internal administrative servers that most vendors should never get near. A single co-opted vendor account on an unsegmented VPN can give an attacker almost unlimited access to areas of your network where vendors are never supposed to roam. This can include payment networks, patient care networks, dev systems, and other highly sensitive and valuable assets. And the danger is not just from hackers with malicious intent. Without proper least privilege controls, well-meaning contractors can do work on the wrong system, patch or update systems that were supposed to be left alone, and make other mistakes that more specific access permissions and network segmentation would prevent. At the very least, vendors should be siloed off onto their own VLAN containing only those servers they need access to. Ideally, there should be a group or user type per job, so that very specific permissions can be authored. Limiting access by network port is even better: a website developer does not usually need access to a database or other protocols. And finally, being able to control access by time and day and other temporal conditions is the cherry on top of least privilege best practices.
Review and audit make up the third component of the vendor access management trifecta of best practices. The ability to monitor and review vendor activity on your systems is crucial, for three reasons. First, being able to view vendor actions, ideally in real time, gives you the ability to catch issues before they become incidents. If a vendor is doing something suspicious or errant, you want to be able to see it live or in the logs. Of course, this assumes a robust log review program or an active SOC/SIEM. But if you do not collect the data to begin with, you cannot review it. Second, in the event of an actual incident, having very granular logs can make putting the pieces back together and determining root causes much easier. Third, regulators are increasingly adding third-party risk management and controls on vendors to their audit and exam checklists, so having details about vendor activity is important for compliance too. Some applications even allow you to record whole interactive sessions and log every keystroke a vendor types. This will both please examiners and improve your incident response process.
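The three control areas above can be exercised together in a single review pass over vendor access logs. The following is an added example, not code from the article or from any PAM/VPAM product: it assumes a constructed log format (timestamp, vendor group, user, destination host, destination port), a constructed roster of technicians each vendor currently lists as active (the output of the account sync), and a constructed least-privilege policy per vendor group (allowed hosts, ports, weekdays and maintenance window). Each line is checked for an orphaned account, out-of-scope host or port, and access outside the permitted time window.

```python
from datetime import datetime, time

# Constructed vendor roster: technicians each vendor's employer records list as active.
ACTIVE_VENDOR_USERS = {"imaging-vendor": {"jdoe", "asmith"}, "billing-vendor": {"rlee"}}

# Constructed least-privilege policy per vendor group: reachable hosts, allowed
# TCP ports, permitted weekdays (Mon=0) and the daily maintenance window.
POLICY = {
    "imaging-vendor": {"hosts": {"pacs01"}, "ports": {443}, "days": {0, 1, 2, 3, 4},
                       "window": (time(8, 0), time(18, 0))},
    "billing-vendor": {"hosts": {"billing-db"}, "ports": {1433}, "days": {5, 6},
                       "window": (time(0, 0), time(6, 0))},
}

def parse_line(line):
    """Parse a constructed log line: '<ISO time> <group> <user> <host> <port>'."""
    ts, group, user, host, port = line.split()
    return datetime.fromisoformat(ts), group, user, host, int(port)

def check(line):
    """Return the list of policy violations for one log line ([] if compliant)."""
    ts, group, user, host, port = parse_line(line)
    findings = []
    # Identification: a login by someone the vendor no longer lists as active
    # means the vendor's offboarding never reached our side.
    if user not in ACTIVE_VENDOR_USERS.get(group, set()):
        findings.append("orphaned-account")
    policy = POLICY.get(group)
    if policy is None:
        return findings + ["unknown-vendor-group"]
    # Least privilege: host, port, and time-and-day conditions.
    if host not in policy["hosts"]:
        findings.append("host-out-of-scope")
    if port not in policy["ports"]:
        findings.append("port-out-of-scope")
    start, end = policy["window"]
    if ts.weekday() not in policy["days"] or not (start <= ts.time() < end):
        findings.append("outside-maintenance-window")
    return findings

# Constructed sample log; 2020-05-12 is a Tuesday and 2020-05-16 a Saturday.
SAMPLE_LOG = """\
2020-05-12T10:15:00 imaging-vendor jdoe pacs01 443
2020-05-12T23:40:00 imaging-vendor jdoe pacs01 22
2020-05-13T09:00:00 imaging-vendor bwong pacs01 443
2020-05-16T02:00:00 billing-vendor rlee billing-db 1433
2020-05-16T02:00:00 billing-vendor rlee hr-share 445
"""

def audit(log=SAMPLE_LOG):
    """Review pass: one (user, host, findings) tuple per log line, in order."""
    return [(parse_line(l)[2], parse_line(l)[3], check(l)) for l in log.splitlines()]
```

In a real deployment the roster would be refreshed from the vendor on each sync and the findings fed to the SIEM rather than returned as a list.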
We have talked about the issue of third-party vendor access and how it affects healthcare compliance. Significant compliance risk exists in providing access to third parties. However, these risks can be ameliorated or controlled by following best practices in the areas of identification, control, and audit. While not silver bullets for eliminating all third-party risk, doing so will certainly limit and contain any damage vendors can do to your compliance posture.