6 Ways Vendors Can Build Confidence Their Products Meet Security Standards
Digital health innovation continues to change care delivery. With it, there’s an explosion of new data, more data-sharing with third parties, and an expanding and constantly-evolving attack surface.
So, it’s not surprising that healthcare is grappling with larger breaches and more targeted cyberattacks. Threat actors understand that healthcare’s sensitive data is valuable, and that infiltrating systems and networks can cause widespread, impactful disruptions, leaving healthcare leaders vulnerable to their demands.
In 2017, for example, healthcare had more than 5 million patient record exposures. By 2022, that number exceeded 52 million.
The average cost of a healthcare breach has also been on a rapid uptick, with a 42% increase between 2020 and 2022. Healthcare is also notorious for having the most expensive breaches of any industry, averaging $10 million. And it’s not just money that cyberattacks cost healthcare organizations; there are indications that mortality rates are increasing as a result of cyberattacks, too.
For digital health leaders, this means that earning the trust of healthcare organizations and providers is harder than ever. A gap in their cybersecurity strategy could equal a weakness in the cybersecurity strategies of their customers. Without the ability to demonstrate a commitment to cybersecurity and HIPAA compliance, earning trust and developing new partnerships can be incredibly difficult, effectively throttling an organization’s ability to scale and return value to investors.
Are Your Digital Health Technologies Secure?
Healthcare CISOs constantly think about risk, especially when new technologies, services, or applications become part of their organization’s attack surface. If you’re a digital health vendor and you want to work with a healthcare organization, those CISOs will want to know you’re doing everything possible to ensure their data is protected.
Here are some of their common concerns:
1. Maturity of your security program
One of the most pressing issues for healthcare CISOs is the practices and controls of a vendor’s security program. They want to know if a vendor has a reasonable and appropriate level of security program maturity and what it looks like.
Some vendors incorrectly think that using a cloud services provider like Amazon Web Services (AWS), which is a HIPAA-compliant environment, means they can check security concerns off their lists of must-dos. The reality is that CISOs want to know that vendors have additional controls on their end to protect that environment, that they’re constantly monitoring it for changes, and that they will adjust controls and processes as necessary.
Other things CISOs may ask about your security program:
- Are you using an established framework, for example, the NIST Cybersecurity Framework?
- Do you have a baseline set of controls that represents an appropriate security level?
- How is security incorporated into your software development lifecycle (SDLC)?
- What do your vulnerability management and patching processes look like?
- Are you penetration testing your controls to see if an attacker can exploit vulnerabilities? Do they work as intended?
When it comes to security programs, however, there are some common vendor pitfalls you should be conscious of overcoming. For example:
- Vendors may exaggerate which controls or security programs they have in place; CISOs know how to spot this.
- Some vendors will refer to SOC2 or HITRUST reports that only cover certain areas or parts of a business or technology and aren’t in scope for the relationship with the healthcare organization.
- Some organizations have immature HIPAA compliance programs, yet they receive ePHI. Some are willing to sign business associate agreements even if their program doesn’t support required ePHI security and privacy protections.
2. Risks technology introduces to the organization
CISOs also want to know how much risk their organization will incur relative to the value the digital technology brings. They understand there’s always some level of risk introduced, but with a third party, they will want to know how they’ll benefit from the partnership and what the potential impact on the business is, so they can weigh the tradeoff.
They may ask:
- What is the impact of your technology on our business or clinical processes?
- If data flows through your systems, where is the data coming from? How is it accessed? Where is it going? Where is it stored? What’s created?
- Do you perform ongoing risk analysis? Do you have your own risk management program? Do you understand your organization’s unique vulnerabilities and threats? Are you monitoring continuously? What methodology do you use?
- What risk will a device introduce when connected to infrastructure? Can it break something?
- There will also likely be questions about your cybersecurity insurance and/or assumption of liability.
In terms of risks, here are some common vendor pitfalls that cause concern for healthcare CISOs:
- Offshoring data storage or resources
- Slow response to a security questionnaire or lack of transparency during a risk assessment
- Lack of flexibility when it comes to risk remediation
3. Incident response and resiliency
Even with the best risk analysis, risk management, and mature cybersecurity programs, the reality for most organizations is it’s not an issue of if a breach will occur, but when. That’s why many CISOs are concerned about vendor or technology resiliency in the wake of an incident.
They’ll want to know:
- Your organization’s (or technology’s) resiliency if an attack or breach occurs
- How well you monitor your environment for threats
- Your ability to detect and respond to a threat actor
- Your ability to recover from an attack. Will your platform remain available during a security incident, and if not, what would the impact on availability be? Can you recover from that?
- Your ability to notify your partner and collaborate during an incident
Here are some areas where vendors sometimes fall short:
- Making commitments to business associate agreement terms that can’t be met
- No incident response plan
- No business continuity or disaster recovery process
Meeting Security Challenges Head-on
With a little understanding of what healthcare organizations will expect from your digital technologies, your organization can proactively demonstrate to new and existing customers that you take cybersecurity seriously and that your programs reflect industry best practices.
Here are a few suggestions that may help:
1. Use a standards-based approach for your security and compliance program
This is commonly cited by CISOs as one of the top things they want to see in a vendor security program, and they really like it when you’re using frameworks they’re familiar with, such as:
- NIST Cybersecurity Framework: By implementing this framework, you can demonstrate your focus on specific outcomes you want to achieve and where you want to take your security program. This particular framework isn’t prescriptive by design. It’s intended to be flexible based on each organization’s unique needs.
- CIS Top 18 Security Controls: Once you’ve settled on a framework(s), you’ll need to implement controls to meet your objectives. CIS Top 18 Security Controls are a great place to start. These controls check a lot of important boxes healthcare security professionals should think about first.
- 405(d) Health Industry Cybersecurity Practices: The government worked with the healthcare industry to create this set of 10 security practices to address the most common threats in healthcare. It consists of three volumes based on your organization’s size and provides security practice guidance you can implement that is appropriate for an organization of your size.
- HIPAA Security Rule: If your digital health technology processes ePHI, you must be HIPAA compliant. There is no HIPAA certification, but it would be beneficial to get an annual third-party assessment that demonstrates you’re meeting HIPAA standards.
2. Certifications and attestations
Your customers may have specific certification requirements based on your industry. Here are a few examples that may be beneficial for working in healthcare:
- SOC 2 Type 2
- Cybersecurity Maturity Model Certification 2.0 (required for Department of Defense contractors and subcontractors)
3. Perform risk analysis across all systems with ePHI that are essential for operations
CISOs will also want to know if your organization conducts ongoing assessments to reasonably anticipate ePHI vulnerabilities and threats and how you will address them.
In this context, the terms risk assessment and risk analysis are often used interchangeably, but it’s important to note that with respect to ePHI and the HIPAA Security Rule, there are specific requirements your organization must meet for an Office for Civil Rights (OCR) approved risk analysis, including:
- Ensure comprehensive scope of the analysis
- Document information asset inventory
- Document potential threats and vulnerabilities (risks)
- Assess current security measures (controls)
- Determine the likelihood of threat occurrence
- Determine potential impact of threat occurrence
- Determine level of risk (likelihood × impact)
- Finalize documentation
- Update as required
4. Implement a reasonable and appropriate technical testing program
Healthcare CISOs will likely ask you about your systems and people to make sure you’ve got a reasonable and appropriate technical testing program. They’ll want to know:
- Your systems and people: Are you doing internal and external vulnerability scanning to identify weaknesses? Do you understand how attackers can exploit them? Are you conducting internal and external pen testing to test safeguards? Have you conducted phishing/social engineering testing to assess awareness of social engineering tactics?
- Your products and apps: Have you built security in the SDLC? Is it included in your apps from the ground up? Are you conducting static application security testing to find and fix vulnerabilities in your source code? Are you doing web app and mobile app penetration testing to identify misconfigurations and security weaknesses?
5. Monitor your environments for threats
Healthcare CISOs are also concerned about what you’re doing to monitor your environment for threats across people, processes, and technologies. They’ll ask how you:
- Identify and manage vulnerabilities?
- Manage firewalls and cloud security configurations?
- Utilize endpoint detection and response software?
- Manage and analyze log files?
- Investigate and respond to incidents?
6. Be resilient enough to withstand and recover from an incident
Another area CISOs may talk about with you is the plans you have in place to address incidents before they happen, and whether you test those plans periodically through tabletop exercises. They’ll be looking for:
- Incident response plan: Do you have instructions or procedures to detect, respond to, and limit the consequences of malicious cyberattacks against your organization’s information system?
- Business continuity plan: Have you developed a predetermined set of instructions or procedures that describe how you will sustain your organization’s mission/business during and after a significant disruption?
- Disaster recovery plan: Have you created a written plan for recovering one or more information systems in response to a major hardware or software failure or destruction of facilities?
- And finally, have you tested your organization’s effectiveness at responding to an incident?
As a digital health technology provider, you can use your security program as a competitive advantage to win customers and to build confidence with them that you’re doing the right things to ensure their patients and patient data are safe.
Because your attack surface and the threat landscape are rapidly changing, consider partnering with an MSSP specializing in healthcare cybersecurity and compliance. They can help monitor your environment and keep pace with changing healthcare regulatory requirements without overtaxing your staff.