Posted: 22 Oct. 2024 | 5 min. read

A cyber TPRM program could help make hospitals more resilient

By Jimmy Joseph, Advisory principal, and Steph Meehan, Advisory partner, Deloitte & Touche LLP

Hospitals and health systems rely on an ecosystem of hundreds—if not thousands—of suppliers, vendors, and partners to maintain business operations and help ensure patients have access to medical devices, medicines, and care.[1] Many of those third-party organizations rely on their own networks of suppliers. In this macroenvironment, outside entities that don’t prioritize cybersecurity can put their hospital and health system clients at risk.[2] A system of embedded resilience can help minimize those vulnerabilities.

The health care sector has long been a target for cyberattacks. As noted in a blog last year, ransomware attacks seem like they have become almost routine for hospitals and health systems (see Ransomware attacks are surging…are hospitals ready?). Fortunately, such direct attacks are usually detected early enough that countermeasures can be implemented. But patient data—and patients themselves—could be vulnerable when third-party organizations aren’t focused on their own operational resilience. Such risks can be more difficult to spot and guard against.

Consider this: Medical device manufacturers and pharmaceutical companies typically rely on a complex network of vendors, each of which could be vulnerable to cyberattacks and other disruptions. An unexpected break in a surgical-device manufacturer’s supply chain, for example, could delay life-saving procedures at a hospital. A malware attack on a pharmaceutical company could limit access to important medications.[3]

A successful cyberattack against a critical third-party vendor could cripple a health system’s operations. In 2023, 725 data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).[4] Nearly 60% of those breaches were tied to a third-party organization—a 287% increase over the prior year.[5] While hacking is a leading cause of health care data breaches, some disruptions are completely accidental. Human error and software failures can be just as dangerous to an unprepared vendor.[6]

A TPRM strategy can help ensure operational resiliency

A strong third-party risk management (TPRM) strategy with embedded resilience should be seen as table stakes for hospitals and health systems. The training in early detection should be similar regardless of the potential threat. Most early detection capabilities and strategies are transferable across a wide range of potential incidents. Here are several steps that can be considered when developing a TPRM strategy:

  • Map the third-party risk: Given the number of organizations in the health care ecosystem, it could be impossible for an IT department to assess all of those organizations’ vulnerabilities. Instead, the health system’s cyber team should identify its critical business functions and the third parties that support each one. From there, a contingency plan can be developed so that there is a back-up plan if any third party is disrupted.
  • Evaluate vendors…and their vendors: Some third-party organizations might not have strong cyber programs in place. Moreover, many third-party vendors work with their own set of vendors—third, fourth, and fifth parties can be common across the ecosystem. It is important to make sure every group involved in supporting a core service area is managing their own risk. Check to ensure that vendors conduct periodic assessments of their vendors.
  • Consider ongoing vendor monitoring: Risk profiles can help health systems assess and prioritize the potential risks an outside organization might pose to patient data and/or operations. Consider creating profiles for each vendor that works with protected health information, or that supports a core service area. Building such a profile could involve an on-site audit, or an audit conducted by a third party. Organizations that pose a low risk might be asked to complete a self-assessment.
  • Conduct table-top simulations: Table-top simulations can be an inexpensive component in assessing third-party risks. These exercises, which typically don’t require a substantial amount of planning, can help hospitals and health systems identify vulnerabilities and potential blind spots. While a simulation might not expose complex technical vulnerabilities, it could determine where an organization’s processes could be strengthened. Table-tops can also help demonstrate how prepared an organization is to respond or react to an incident.
  • Update continuity plans: Health systems should have continuity plans in place in case processes are compromised. This might include switching to manual procedures, with staff completing various processes on paper. Staff should undergo training on those fallback procedures so that they are able to activate that muscle memory if it becomes necessary.

Cybersecurity will likely be a top issue for health systems in 2025

Given the threat that cybersecurity attacks pose to patients and their protected information, cybersecurity legislation could have an impact on health systems, health plans, and their vendors.[7] Legislation, for example, could empower the Department of Health and Human Services (HHS) to create and enforce minimum cybersecurity standards for health care organizations. It also could earmark federal dollars to help organizations upgrade technology. HHS has previously announced steps to enhance cybersecurity standards in existing programs.[8]

October is National Cyber Security Awareness Month, which should be a time to evaluate potential risks.[9] Highlighting the risks posed by outside organizations is important, but articulating the potential impact on patient care and patient data could be more meaningful to leadership. Cybersecurity and IT leaders should try to paint the full picture of the impact a third-party incident could have on business operations. A strategy of embedded resilience can help protect hospitals and health systems from direct and indirect cyberattacks and help ensure core services aren’t vulnerable if a vendor experiences a disruption.

Endnotes:

[1] Hospitals are paying for not vetting their vendors, Healthcare IT News, July 11, 2019

[2] Supply chain cyberattacks threaten health care, Healthcare Dive, September 19, 2024

[3] Ransomware hack hits prescription drug market, inconveniencing millions, The Washington Post, March 1, 2024

[4] Healthcare data breach statistics, The HIPAA Journal, September 24, 2024

[5] Healthcare data breaches hit new highs in 2023, Modern Healthcare, January 25, 2024

[6] Impacts from global IT outage, Fierce Healthcare, July 22, 2024

[7] Cybersecurity bill would set industry standards, penalties, Modern Healthcare, September 26, 2024

[8] HHS announces next steps in ongoing work to enhance cybersecurity, HHS, December 6, 2023

[9] Cybersecurity Awareness Month, US Cybersecurity & Infrastructure Security Agency
