August 06, 2019//Tony HowlettLast Updated: November 19, 2020
As the lessons learned from the LabCorp and Quest Dianostic’s patient data hacks fade from our collective memory, we must remember that attacks on corporate health systems and government networks are occurring with greater frequency and impact. Breaches due to third-party vendors being given too much access to systems, networks, and applications have resulted in the exposure of millions of patient data files – and the number of instances is going up.
While protection from a vendor data breach involves many of the same practices used to protect IT resources from other threats, there are some steps specific to third-party protection that can prevent or lessen a catastrophic breach.
There are four actions every healthcare organization should take to avoid third-party data breaches. They are:
Given the obvious risks in granting a third-party vendor access to your enterprise means due diligence should be a centerpiece of your defense strategy. A vendor security risk assessment must be part of the new vendor acquisition and contracting process. That assessment should involve a vetting process that occurs both before and after contract signing. Having a process to regularly review vendors should include understanding changes in their security posture, financial condition, and other risk factors. A program of continual assessment (annually is sufficient) will keep your vendors on their toes and you informed of any emerging risks.
Sharing credentials is the cardinal sin of most compliance regulations and is a definite no-no. While it may be convenient to assign a vendor to a single account, shared credentials make it impossible to attribute a root cause to any damaging action or activity. So, if you are managing vendor credentials in your internal directory services you may want to consider delegating this to your vendor rep since they have more day-to-day knowledge of their employees’ status. Plus, it keeps you from having to sync up lists frequently to prevent terminated vendor employees from having access to your systems.
Vendors tend to be given “broad spectrum” VPN access to corporate assets even when they only need access to one or two servers – or even a singular database. And yet vendors are routinely given full protocol and administrative access. Handing over full network access to vendors is usually carried out in the name of efficiency, given the difficulties of manually isolating networks and creating the proper vendor access controls. However, new tools and technologies now exist to automate these tasks. Vendor Privileged Access Management (VPAM) can limit and contain vendors permissions while giving them sufficient access to what they need to do their jobs. Specifically, vendors are given least privileged access which ensures that vendors only have access to the necessary resources to provide support.
It’s not enough to know every user who can access your corporate resources and have them fenced in to prevent collateral and deeper damage in the event of malicious activity. Good logging and audit tools are essential, both to catch trouble before it happens and track down the source after an incident. Vendor access audit data should be centralized and easy to access.
These basic, but important steps are easy to implement and help prevent third-party breaches. More sophisticated methods include enhanced real-time monitoring, anomaly detection, patch management, and endpoint protection. These 4 steps are urgent and should be the drivers behind implementing a vendor management program that will greatly mitigate your third-party vendor risk.
This article was originally published on Becker’s Health IT & CIO Report.