By Nadia ElKaissi, CHTM
Picture a state-of-the-art hospital, where robot caretakers are zipping down the hallways and doctors are evaluating patient data using AI-driven diagnostic tools. Although the cutting-edge technology may seem more appealing for patient care, what the clinical staff did not realize is that the technology was coded to send data to a third-party vendor as part of its normal operation. In this scenario we run into the issue that, even though the goal is to improve the efficiency of evaluating and diagnosing patients, the technology may end up increasing the risk of exposing sensitive patient data.
As technology advances, the amount of external vendor support grows with it, and so does the risk of breaches of patient data. It is for this reason that health care environments need to enforce a strong cybersecurity program that oversees and assesses the risk associated with external vendor access. This is a crucial step in protecting patient data and upholding the integrity of hospital services.
There are several different ways health care professionals may manage external vendor access, including:
- pre-selection evaluation
- strong contractual agreements
- continuous monitoring of vulnerabilities
Pre-Selection Evaluation/Risk Assessment
Before equipment is considered for purchase, there should be a thorough evaluation conducted on the system. The evaluation should include whether the equipment meets the needs of the health care environment, and also whether it meets the hospital’s safety and integrity standards. When reviewing the vendor support, it is important to review security protocols such as data encryption, access controls and authentication processes. You should be analyzing the vendor’s experience in a health care environment and the type of ongoing vendor support they will be providing – especially with the increase in vendor support options that are moving to cloud solutions.
It is important to review the vendor’s data protection policies and ensure they align with hospital policies. By doing the groundwork and detailed investigation up front, you will eliminate a significant number of the risks associated with selecting the wrong system.
Strong Contractual Agreements
For any external vendor support, it is imperative that a strong contractual agreement is established that thoroughly outlines the cybersecurity responsibilities of the vendor. The document should include clearly defined standards and requirements that the vendor must adhere to. There should be detailed information describing which areas require access, the function that access serves, and the data protection and security controls that apply to it.
In addition, there should be a concrete list of access controls with a topology diagram to lay out the communications. Multiple parties should be involved in the evaluation of the contract to identify any legal or security requirements that need to be included. By addressing these elements, you are mitigating potential risks associated with vendor support. Consistent reviews and updates to the contract are necessary in order to ensure all cybersecurity risks are addressed and any regulatory changes are documented.
Continuous Monitoring of Vulnerabilities
Once the external vendor support is established, the work does not stop. As cybersecurity experts, it is our job to conduct regular vulnerability assessments on the system and identify any potential weaknesses. Because the system is exposed through an external connection, it remains open to any new cybersecurity threats. The hospital or health care environment should have cybersecurity monitoring tools consistently scanning all systems and identifying any known vulnerabilities. By identifying and evaluating potential weaknesses, you will be able to proactively address any security gaps before they become a larger issue.
As the health care industry continues to embrace advances in medical technology, the need for vendor security grows with it. Hospitals and cybersecurity experts need to be proactive in their approach to assess, monitor and enforce security measures with vendors. By conducting risk assessments, developing strong partner agreements and monitoring vulnerabilities, hospitals can ensure vendor support is implemented without compromising patient data or security.