Last year’s Blackbaud ransomware attack is estimated to have affected more than two dozen healthcare providers, with well over 10 million patients included in the current breach tally. More recently, a ransomware breach at CaptureRx – a vendor that assists hospitals with managing their 340B drug program – affected at least 17 other healthcare organizations.
The latest Ponemon Institute survey of 554 provider organizations found the majority have had one or more data breaches caused by one of their vendors. The average cost of these vendor-related data breaches was $2.9 million.
It’s clear that more advanced solutions are needed to assess and manage vendor risk in today’s world. In a two-part blog series, I will discuss technologies that Clearwater is leveraging as part of its Vendor Risk Management solutions and how the technologies can help you better understand the risk that vendors pose to your organization.
The inability to adequately predict, quantify and understand the economic impact that vendors pose to healthcare providers has become a major issue as third-party data breaches grow in frequency and severity.
The breaches mentioned earlier and others have different levels of financial impact for different entities, based their unique relationships with those vendors. Were the affected organizations considering the financial impact of a breach when they evaluated vendor risk?
Many healthcare providers rely solely on vendor security assessments as their only means of gauging risk. While vendor assessments might provide a good view into a vendor’s security program, we must remember that they are only control assessments, not true risk measures as they don’t consider the probability of a breach, nor the harm it would have on the covered entity. By relying on these assessments alone, an organization’s actual exposure is overlooked. Even if two vendors have the same security risk score, it does not mean that they are equally likely to be breached. Nor does it mean that the impact of a breach on one of its customers would be similar to another, as exposure from a vendor is unique to each entity.
The real risk indicator combines breach probability with estimates of harm to the organization based on its specific reliance on the vendor, the amount of sensitive data it maintains and other factors.
Clearwater has recently partnered with software innovator Cyberwrite to help healthcare providers better understand their vendor risk in financially quantifiable terms. Cyberwrite’s Vendor Risk Assessment platform goes beyond traditional security scoring solutions by estimating the probability of a breach and considering an organization’s unique financial exposure to a given vendor’s breach. The platform bases its calculations using statistical modeling leveraging a proprietary data set of actual breach occurrences.
The Cyberwrite platform combines internal and external data and is able to evaluate both inherent and residual risk to reflect an accurate risk score. Utilizing machine learning technology and big data, risk levels are quantified and presented in real time and on demand. Cyberwrite also helps prevent blind spots by ensuring that all vendors – regardless of their size or function – are monitored and analyzed.
Initially, Cyberwrite obtains external cybersecurity-related data about each vendor and other third parties using automated technology which enables intelligence gathering from the Internet and the Dark Web in a non-invasive manner. Based on this data, Cyberwrite generates an inherent risk score and benchmarks the vendor to industry peers in real time. A summary of vulnerabilities, attack surface, digital exposure, exposed credentials, technologies used and other information used to create the score is provided with drill down capabilities. This information, along with the vendor’s importance to your organization, estimates financial exposure (discussed below). The inherent score is useful, as it guides one in prioritizing the vendors to perform additional, more detailed assessments.
In the second stage of assessment, vendors can complete a NIST-based security questionnaire directly through the platform to provide data on their internal security programs. Cyberwrite’s proprietary algorithm combines data from both of these assessments to calculate a residual cybersecurity score and compares it to other companies similar to the organization, providing a relative frame of reference.
In addition to determining inherent and residual risk scores from external and internal security assessments, Cyberwrite estimates the financial exposure to your organization based on its unique relationship with each vendor. Your organization can enter in key data about your relationship with the vendor, such as number of ePHI records, number of financial records, and the amount of your organization’s revenue that is dependent on the vendor. The Cyberwrite platform calculates your organization’s financial risk and breaks it down by type of exposure.
Cyberwrite prioritizes your vendors based on financial exposure on a probability-adjusted basis. This analysis helps you focus your efforts on the vendors that are not only more likely to have a breach, but also on the ones whose breach can cause the most financial harm to your organization.
Cyberwrite leveraged its unique experience serving the cyber insurance industry to develop its Vendor Risk Assessment platform. Its machine learning technology taps into a proprietary database of breach occurrences and insurance claims from thousands of organizations.
Cyberwrite utilizes multiple data points in multi-dimensional tables and predictive analytics to estimate an organization’s exposure to financial fines, historical damages, business interruption costs, ransom events, financial theft, and more – all tailored to each vendor relationship. As new information is available, or as your relationship with the vendor changes, your exposure impact is updated, giving you real-time and meaningful risk indicators.
Clearwater’s Vendor Risk Management solutions, powered by Cyberwrite, provide you with the ability to more accurately assess and manage risk on your entire vendor portfolio at an affordable cost. Healthcare organizations can purchase a subscription to Cyberwrite through Clearwater, or Clearwater’s consultants working on their behalf can monitor a portfolio of vendors. Either approach enables the organization to discover risk blind spots, and drill down to focus on the ones that may cause the greatest harm to the organization. Risk ratings are monitored and updated to ensure vendor risk assessments are current, and measured in financial terms. This approach can be highly effective at ensuring action is taken to address risks where exposures are highest.