Inside The Technology Protecting Healthcare From Supply Chain Cybersecurity Attacks
By Scott Mace
With cybersecurity risks on the rise at hospitals and health systems, third-party access has been identified as a point of vulnerability. While preventing these types of breaches presents special challenges, there are actions organizations can take to mitigate risk.
SecZetta is a provider of technology that helps organizations execute risk-based identity access and lifecycle strategies for non-employee populations. With its technology, organizations can collect third-party, non-employee data in a collaborative and continuous manner to improve operational efficiency and accuracy in granting access, streamlining compliance audits, assessing risk, providing identity verification, and deprovisioning access as needed.
Such technology is now being utilized by hospitals and health systems seeking to safeguard supply chain processes, such as vaccine creation and distribution. It provides a way for these organizations to proactively provide cybersecurity and breach protection.
Recently, SecZetta CEO David Pignolet answered HealthLeaders’ questions about how his company’s technology does what it does, amid the security challenges that healthcare-providing organizations face.
HealthLeaders: Describe the typical third-party cybersecurity event, and how it has impacted the creation and distribution of COVID-19 vaccines.
David Pignolet: In the typical third-party cybersecurity event, identity credentials for third-party users are often compromised. These compromises make managing the identity lifecycle for third-party users extremely important for organizations that grant third-party access to their internal systems and data.
On average, companies take about 197 days to identify and 69 days to contain a breach, according to IBM, so it is probably too soon to really understand the extent as to the cybersecurity incidents related to the distribution of the COVID vaccine. In fact, the Mandiant Security Effectiveness Report 2020 found that 53% of successful cyberattacks infiltrate organizations without being detected, and 91% of all incidents didn’t generate an alert.
While it’s unlikely that companies know if they’ve been hacked, there are things that can be done to strengthen their defenses and understand any potential vulnerabilities now. Some of the most effective ways of understanding potential “weak” spots in your cyber defense program are by hiring “red teams” or “white hat” hackers to attack your organization. Weaknesses identified can be shored up immediately to prevent real attackers from succeeding.
HL: How do cybersecurity firms shut down third-party access in the event of a breach?
Pignolet: Most organizations have no automated way to remove or suspend third-party access in the event of a breach. This is because the automated identity processes, which have been at the heart of access methodology for employees, typically do not exist for third-party users. Current methods for providing third-party users with access at the majority of healthcare organizations still rely heavily on very manual processes focused on coordinating access approvals across the line of business and IT through a series of emails, phone calls, and maybe an IT ticketing system.
However, leading healthcare organizations have begun to adopt third-party identity lifecycle risk applications to automate these onboarding processes, including the collection of valuable data on the new users, such as the name of their employer, what credentials they have, who their sponsor is, what they need access to, and how long they will need access. This is invaluable information in the case of a breach.
For example, with a third-party identity lifecycle risk solution, healthcare organizations can automate the removal of access for third-party users, based on their employer or other factors in their profile—like their location, type of access, or their risk score. Access removal is fast and comprehensive, yet no user information would be lost, and access can just as quickly be restored once adequate security controls are confirmed to be back in place. The timely removal of access in a breach would be almost impossible for healthcare organizations without a third-party identity lifecycle risk solution.
HL: The SolarWinds breaches represent a new, pernicious form of cybercrime. Is the industry rethinking trust and certification issues in light of SolarWinds?
Pignolet: For too long, third-party risk management has been a compliance-driven exercise in most organizations. The breach data tied to third parties best illustrates the point—59% of all breaches are related to third parties, a pretty startling statistic. (According to an Opus Ponemon study, more than half of all data breaches (59%) can be traced to third parties and only 16% of organizations say they can effectively mitigate third-party risks.)
These breaches are generally tied to third-party users. This is because third-party risk management processes are typically defined at an organization level, but there is no consideration for the third-party users that are actually granted access.
While organizations should be on high alert, alarmingly, most don’t even know who their third parties are, or how many third parties they have (According to a 2018 Ponemon Institute supply chain study, most organizations don’t even know their exact number of third-party users and only a third of organizations had a list of all third parties they are sharing sensitive information with).
There are many ways that organizations are trying to reduce their third-party risk exposure. From an identity perspective, many organizations have adopted zero trust and “least privilege” practices to reduce over-provisioning employee access. However, because many lack an authoritative source of information for their third-party users, they don’t have the information or context needed to apply these policies to some of their most risky users. By adopting a third-party identity lifecycle risk solution, organizations are able to implement Zero Trust and “least privilege” practices across their entire workforce ensuring better outcomes from these strategies.
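The two mechanisms Pignolet describes, bulk suspension and restoration of third-party access keyed on profile attributes such as employer, and least-privilege decisions that depend on an authoritative record of who the user is, who sponsors them and how long they need access, can be sketched in a small model. The following is an added illustration written for this article, not SecZetta's product or any real organization's code; the registry class, its method names, the sample identities, employers, resource names, expiry dates and the risk threshold of 70 are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass
class ThirdPartyIdentity:
    """One non-employee user as held in an authoritative registry (constructed model)."""
    user_id: str
    employer: str
    sponsor: Optional[str]       # internal owner accountable for this user; None = nobody vouches
    location: str
    access_type: str             # e.g. "vendor-remote", "contract-clinical"
    entitlements: Set[str]       # resources this profile is allowed to reach (least privilege)
    access_expires: date         # end of the access window agreed at onboarding
    risk_score: int              # 0-100, higher is riskier (scoring method assumed)
    active: bool = True
    suspended_reason: Optional[str] = None


class ThirdPartyRegistry:
    """Authoritative source for third-party users; profile data survives suspension."""

    def __init__(self, identities: Iterable[ThirdPartyIdentity]) -> None:
        self._by_id = {i.user_id: i for i in identities}

    def suspend_where(self, predicate: Callable[[ThirdPartyIdentity], bool], reason: str) -> List[str]:
        """Suspend every active identity matching predicate (e.g. employer == X). Nothing is deleted."""
        hit = []
        for ident in self._by_id.values():
            if ident.active and predicate(ident):
                ident.active = False
                ident.suspended_reason = reason
                hit.append(ident.user_id)
        return sorted(hit)

    def restore_where(self, predicate: Callable[[ThirdPartyIdentity], bool]) -> List[str]:
        """Re-enable suspended identities once controls are confirmed; expiry is still enforced at decision time."""
        hit = []
        for ident in self._by_id.values():
            if not ident.active and predicate(ident):
                ident.active = True
                ident.suspended_reason = None
                hit.append(ident.user_id)
        return sorted(hit)

    def deprovision_expired(self, today: date) -> List[str]:
        """Routine lifecycle step: suspend anyone whose agreed access window has passed."""
        return self.suspend_where(lambda i: today > i.access_expires, "access expired")

    def authorize(self, user_id: str, resource: str, today: date, max_risk: int = 70) -> Tuple[bool, str]:
        """Zero-trust style decision: deny unless every profile-based condition holds."""
        ident = self._by_id.get(user_id)
        if ident is None:
            return False, "no authoritative record"
        if not ident.active:
            return False, f"suspended: {ident.suspended_reason}"
        if ident.sponsor is None:
            return False, "no internal sponsor"
        if today > ident.access_expires:
            return False, "access expired"
        if ident.risk_score > max_risk:
            return False, "risk score above threshold"
        if resource not in ident.entitlements:
            return False, "not entitled to resource"
        return True, "allowed"


def build_sample_registry() -> ThirdPartyRegistry:
    """Constructed sample data; employers, users and resources are placeholders."""
    return ThirdPartyRegistry([
        ThirdPartyIdentity("vendor-001", "Acme Cold Chain Logistics", "pharmacy-ops", "US",
                           "vendor-remote", {"vaccine-inventory"}, date(2021, 6, 30), 35),
        ThirdPartyIdentity("vendor-002", "Acme Cold Chain Logistics", "facilities", "US",
                           "vendor-remote", {"hvac-console"}, date(2021, 3, 31), 20),
        ThirdPartyIdentity("contractor-003", "Beta Staffing", None, "US",
                           "contract-clinical", {"ehr-read"}, date(2021, 12, 31), 10),
        ThirdPartyIdentity("contractor-004", "Beta Staffing", "nursing", "US",
                           "contract-clinical", {"ehr-read"}, date(2021, 12, 31), 85),
    ])


if __name__ == "__main__":
    today = date(2021, 4, 15)
    reg = build_sample_registry()
    print(reg.authorize("vendor-001", "vaccine-inventory", today))
    # Hypothetical breach at one supplier: cut every user from that employer in one step.
    print(reg.suspend_where(lambda i: i.employer == "Acme Cold Chain Logistics", "employer breach"))
    print(reg.authorize("vendor-001", "vaccine-inventory", today))
    # Controls confirmed back in place: restore the same population without re-onboarding.
    print(reg.restore_where(lambda i: i.employer == "Acme Cold Chain Logistics"))
    print(reg.deprovision_expired(today))
```

The point of the model is that suspension is a predicate over profile data rather than a list of accounts someone has to reconstruct from emails and tickets, and that the same profile data is what lets the decision function refuse access to a user with no sponsor, an expired window, a high risk score, or a resource outside their agreed entitlements.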
HL: Will supply chains face new forms of government regulation in the wake of SolarWinds, and how can technology meet new challenges presented by such regulation?
Pignolet: I don’t believe that regulations will fall to the supply chains, but rather to the organizations that utilize them as part of their business operating model. It will be incumbent on them to ensure the security controls are in place to protect the integrity of their business operations and their customers’ data. It is hard to say exactly what form the regulations will take, but the unfortunate consequence of most regulatory action is that it drives a compliance vs. a security mindset. This can actually further handicap organizations as they may believe by meeting the demands of the regulation they are adequately protected.
Scott Mace is a contributing writer for HealthLeaders.