How Healthcare Security Leaders Can Mitigate Cybersecurity Risks

5 minute read

February 2023

Healthcare organizations have faced serious challenges in recent years, and while the pandemic has been a major focus, it isn’t the only thing that’s threatened their stability. According to Protenus, there was a 44% increase in the number of healthcare-related data breaches in 2022. Cybercriminals are increasingly exploiting system vulnerabilities to sell or ransom patient data. 

The Unparalleled Importance of Data Security in Healthcare 

Patient data is exceptionally valuable to cybercriminals due to its high price on the dark web. As such, healthcare institutions must be proactive about implementing internal practices, processes, and tools while motivating their vendors to follow suit. There is too much at risk to ignore the meteoric rise of cyberattacks on healthcare providers. 

How Do Cybercriminals Access Electronic Health Data? 

Phishing is a particularly serious threat to healthcare organizations. Some of the most catastrophic malware, ransomware, and data loss events are the result of phishing attacks conducted via email or using infected devices. And data retrieved via phishing can be used as a jumping-off point for more elaborate schemes, including buying and selling medical devices, filling fraudulent prescriptions, and taking out loans in patients’ names. 

Over the past few years, healthcare employees have become especially vulnerable to phishing attacks. Cybercriminals are creating more targeted emails, and healthcare employees’ labor-intensive schedules make it difficult to keep up strong security practices. This can lead to: 

  • Digital vulnerabilities, such as weak passwords or poor email safety
  • Physical vulnerabilities, such as misplaced devices and unlocked cabinets

Security mistakes made by employees, even accidental ones, can lead to massive data breaches. The importance of data security in healthcare should be taught to employees; they need to know how to recognize phishing attacks and protect the institution. However, internal breaches are not the greatest risk: The healthcare industry has struggled the most with third-party vendors. 

Third-Party Security Risks: Beyond Institutional Breaches 

One of the biggest cybersecurity challenges in healthcare is third-party risk. When a healthcare institution’s third-party vendors experience a cyberattack, it can be just as or even more catastrophic than if the institution itself were to be attacked: Protected Health Information (PHI) can get exposed, and the institution can face steep financial penalties. Effective third-party risk management in healthcare is critical. After all, vendors may not have the same level of security rigor, training, or policies. 

In June of 2022, the University of Pittsburgh Medical Center was forced to pay a $450,000 settlement after one of its vendors experienced a data breach, compromising 36,000 patients’ information. HIPAA-covered entities must evaluate their vendors thoroughly, because ignorance cannot protect an organization from penalties or fines. 

Managing Third-Party Cybersecurity Risks 

Cybercriminals aim to identify and exploit even the most minor vulnerabilities. The payouts are too lucrative for hackers to leave any encryption gap unpenetrated or any phishing method untried. That is why chief information security officers, chief privacy officers, and their organizations must work together with third-party vendors. They must establish standard policies, practices, and countermeasures to protect electronic private health information (PHI) wherever it is stored or transmitted. 

Healthcare institutions and third-party vendors need to have highly sophisticated intrusion prevention systems, firewalls, and vulnerability management systems. All parties must have common policies, practices, training and oversight to mitigate risk. Healthcare professionals work too hard to preserve and protect patients’ well-being to allow cybercriminals to jeopardize their financial and personal safety. 

Here are three ways to better protect against healthcare cybersecurity risks when it comes to third-party vendors:

1. Integrate TPRM policies into overall cybersecurity strategies. Treat vendors, partners, contractors, suppliers, and service providers as essential stakeholders in data security mandates.

If a third-party data breach can cause as much harm as an event on the internal level, then it makes sense to relate your external controls to those created by your cybersecurity team. By integrating policies across these domains, you can grant your cyber team visibility into the vendor ecosystem while providing useful benchmarks for your external control owners.  

After aligning cybersecurity risk management with third parties, you can evaluate aggregated control effectiveness, which allows you to see how vulnerable your organization is in any given area, but also to determine which vendors are performing well and which are dragging your aggregate score down. When your third-party risk management and cybersecurity functions are aligned, it’s easier than ever to identify problem areas and begin remediating risk.

2. Communicate what is at stake for employees, vendors, and other stakeholders in the case of a cyberattack. Help educate third-party employees on how to identify phishing attempts or malware. Data security and data loss prevention should be shared goals.

Cybersecurity breaches aren’t the sole province of cyber professionals: once a breach has occurred, it affects all areas of the organization. Regulatory fines involve the legal team and affect an organization’s finances, while reputational damage can reduce customer trust and impact your capacity to do business.  

By translating technical concerns into strong cybersecurity metrics, you can ensure buy-in from teams whose interests are less immediately tied to security. Then, you can use trainings and interdepartmental communications to keep other business units up-to-date on the practices that increase data security and reduce the chance that a breach will negatively impact your business.

3. Third-party security posture should be monitored, and underperforming vendors or contractors should be mentored, warned, or eliminated as providers. Hospitals are subject to fines and penalties for noncompliance, so third parties need to be held to higher standards.

HIPAA-covered entities are held responsible for violations in their third-party ecosystem, meaning it’s incumbent upon your organization to send regular due diligence questionnaires to third-parties who manage patient data.

When a third party underperforms, it’s important to weigh the costs of possible remediation plans and determine which option best fits your needs. Sometimes, an underperforming vendor can be pushed into performance by warnings and education. In other cases, it’s more expedient to replace their service with a vendor that better fits your needs. 

Healthcare organizations are highly-regulated for their treatment of patient data and highly-targeted by hackers seeking to sell it for profit. To learn more about due diligence and vendor evaluation, read this white paper from ProcessUnity. 

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit