55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year

Cyberattacks on businesses have been increasing year over year across all industry sectors, and attacks involving third parties have increased in particular. From the point of view of a cyber threat actor, it makes more sense to attack a vendor such as a managed service provider, since a successful attack can give the threat actor access to the networks of the vendor’s clients. Already in 2022, there have been several major cyberattacks on vendors used by healthcare organizations, one of which impacted 650 of the company’s HIPAA-covered entity clients.

SecureLink, a provider of access management solutions for businesses, has recently explored how businesses are managing the risk associated with providing vendors with privileged access to their systems and has identified areas where the risks are not being effectively managed, even though efforts are being made to improve cybersecurity.

For SecureLink’s latest report, The State of Cybersecurity and Third-Party Remote Access Risk, the company surveyed 600 U.S. companies across a range of industry sectors, including healthcare, to learn more about their cybersecurity practices and how they are managing third-party risk.

55% of healthcare organizations that responded to the survey said they had experienced a third-party data breach in the last 12 months, which was the second highest percentage of all industry sectors, beaten only by the financial sector where 58% of companies had experienced a third-party data breach. Both of these industry sectors rely heavily on third parties, and those third parties have access to sensitive data that is of high value to cybercriminals.


65% of healthcare organizations said they did not feel that their IT systems are making third-party security and access a top priority, and across all industry sectors, 50% of companies said managing third-party security is overwhelming and a drain on internal resources.

Organizations had an average IT budget of $365 million in 2021, of which $78.5 million was spent on cybersecurity, around 21.5% of the IT budget. Despite that investment in cybersecurity, 54% of organizations experienced a data breach in the past 12 months. 52% of respondents said there had been an increase in cyberattacks compared to the previous year, and the proportion of organizations reporting third-party attacks increased from 44% to 49%.

The survey confirmed that organizations are starting to understand how to keep their systems and data safe; however, the number of cyberattacks is increasing and so is the sophistication of those attacks. The result is little headway has been made, with many organizations struggling to innovate their cybersecurity as fast as other aspects of their operations.

The SecureLink survey indicates organizations are failing to manage third-party vendors in proportion to the security risk they pose. For example, in 2022, only 49% of organizations had a comprehensive inventory of all third parties that had access to their systems. This is an improvement on the 42% in 2021, but only a slight one. There has been a greater percentage increase in organizations that have identified all third parties with access to their most sensitive data, rising from 35% in 2021 to 45% in 2022, but the figure is still worryingly low.

“While there is a statistically significant increase in terms of identifying third parties, that number is hovering under 50% while the reliance on third parties and a remote workforce is trending upwards. And while there is an increase in those measures, organizations are still finding managing third-party access to be overwhelming. All those numbers add up to a major risk point,” said SecureLink.

One of the main problems that organizations face is the complexity of their third-party relationships, which 48% of respondents cited as a problem. Added to that, monitoring is often a manual process, which is not a good use of internal resources that are already stretched. The survey revealed only 36% of organizations have automated the process of monitoring third parties. With a lack of monitoring and automation, it is not surprising that 47% of respondents said they are not highly effective at detecting third-party threats.

“The biggest challenge businesses face is having the manpower to manage third-party identities and cyber risk. With more streamlined systems and automated workflows, access is more manageable and less burdensome on employees,” said SecureLink. “Automation and efficiency are key factors in a successful cybersecurity strategy. Using security technology to streamline operations creates efficiency, which in turn, will be more effective in mitigating threats and pulling in/retaining talent to manage cybersecurity.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.