November 12, 2024

Securing Healthcare and Managing Third-Party Risks

Two healthcare IT leaders at the 2024 CHIME Fall Forum discuss lessons learned in strengthening cybersecurity.

Across industries, IT leaders have growing confidence in their organizations’ cybersecurity visibility, according to the 2024 CDW Cybersecurity Research Report.

However, there is still room to grow; in healthcare specifically, some 34% of IT decision-makers believe their organization is still missing sufficient or effective employee training for cybersecurity, and 31% believe they still have an incomplete understanding of how artificial intelligence impacts security.

Of particular interest this year is the impact of external vendors on security and operations. During the 2024 CHIME Fall Forum in San Diego, healthcare IT leaders discussed the need to get back to basics and strengthen their third-party risk management.

Dr. Zafar Chaudry, senior vice president and chief digital officer and chief AI and information officer at Seattle Children’s, shared how his team discovered that, in preparing for a downtime scenario, business continuity machines for Epic were connected to printers that were not totally usable. Paper supplies and photocopying capabilities were also limited, overlooked in an increasingly digital world.

“You really have to focus on getting the basics right. Many health systems excel in the innovation space but don’t necessarily dig into the basics,” Chaudry said.

Theresa Meadows, senior vice president and chief digital information officer at Cook Children’s Health Care System, echoed that thought. Organizations often focus on the electronic health records system, making sure it remains accessible during downtime, but Meadows stressed the importance of also having access to phone numbers and scheduling. “If I can’t even find the nurse who needs to come into work to look at the EHR that’s in our disaster recovery instance, we need to do a better job at figuring those pieces out,” she said.

Healthcare workers are familiar with regular certification processes for CPR, for instance, so practicing downtime procedures should be just as habitual because it’s also part of the care process. “We fail sometimes because we focus so much on how we get the technical pieces back up and running,” Meadows said.

The Importance of Third-Party Risk Management

Healthcare organizations need to be particularly thoughtful when it comes to managing their third-party vendors, whether they are inviting that partner into their own network or gaining access to the vendor’s services.

“Each assessment is different,” Chaudry said. “You have to contract correctly. You have to look at their security posture. You have to have frequent audits ... You also have to test yourself. Penetration testing is really important.”

Fostering a solid relationship and including that third-party partner in security exercises will be worthwhile for healthcare organizations.

In the future, Chaudry hopes that vendors can create an automated identity access management solution for privileged access adjustments to improve end user experiences and free teams from manually fulfilling those cumbersome requests.

When discussing a national event that affected many healthcare organizations, Meadows said that’s when her team realized how much visibility they lacked into all the ways that particular vendor’s product was used in their organization. That is why business continuity plans are important, she stressed.

When companies go through acquisitions, it should also be standard practice for them to notify their customers consistently and openly.

“Software asset management and contract asset management are critically important,” Meadows said. “Ensure that you’re getting the right transfer of licenses.”

Diversification is not a bad thing, she added, and it keeps organizations from putting all of their eggs in one basket.

Teta Alim

Editor
Teta Alim is an editor for HealthTech.