The Rising Cost Of Poor Cyber Hygiene In Healthcare Vendor Networks

Healthcare providers work with many vendors, such as billing organizations and communication platforms, to keep serving patients. As these networks grow, so does the risk. In a recent example, a large vendor that was providing billing services to VITAS Hospice Services had its account hacked; the hacker was able to access sensitive patient information without ever touching the core systems of VITAS Hospice Services.

The number of breaches originating from a vendor has been increasing since 2008. Hospitals have security budgets; however, vendors often do not hold their networks and data to the same security standards. Common examples of poor cybersecurity hygiene at many of these vendors include weak passwords, outdated software, unencrypted email, and improper monitoring of employee Network Access Control (NAC). These make easy targets for cybercrime. A breach at a vendor has serious negative repercussions for the healthcare provider, including regulatory scrutiny, loss of reputation, loss of patient trust, and potential liability.

Cyber-attacks are causing a rapid increase in the financial impact of data breaches on hospitals. Currently, hospitals have the highest cost of a data breach of any industry, and the involvement of third-party vendors in a data breach only exacerbates the financial impact on the provider. Providers have to pay for forensic investigations, notification letters, monitoring services, and potential compensation for the affected consumers. Even when the data breach occurred through vendor systems outside of its network, the provider still has to bear the financial and operational burden of an attack.

Disruption to patient care is another hidden cost associated with data breaches. While hospital teams focus on responding to the breach, they cannot carry out the essential functions of the hospital as fully or efficiently as before. The response may require taking the necessary systems down for examination, adding to the workload of staff members and delaying treatment or communication to the patient. Delayed treatment or communication will have a devastating impact on patients receiving hospice care, where timely coordination of service is critical.

Today’s healthcare providers must take full advantage of every avenue available to them to proactively strengthen their vendor networks. Continuous monitoring of vendor access to any healthcare institution, a greater emphasis on contractual security requirements with vendors, detailed risk assessments of vendors’ operations and risk profiles, and regular audits of vendors’ security practices will become the new standard operating procedure for all healthcare organizations.

In a system where networks rely on multiple vendors to provide services, the security of each network will only be as strong as the weakest link in that network. As a result, maintaining very strong cyber hygiene practices across all vendor networks is essential not only to avoid potential financial penalties but also to maintain the trust and well-being of the patients served by the system.