Identifying and Evaluating Vendor Risks with the Help of HIC-SCRiM
Traditionally, when healthcare professionals discussed supply chains, it generally referred to outside vendors who provided equipment and products to facilitate the delivery of care.
While that remains true today, third-party suppliers now extend beyond those traditional vendor types into digital service delivery for a variety of organizational systems, processes, and applications.
This growing dependency on outside vendors brings inherent and often-overlooked cyber risks, especially those organizations within the healthcare industry that are tasked with protecting personally identifiable information (PII) and protected health information (PHI).
Kwampirs and Vendors Risks
Third-party cybersecurity standards have always been important, but as risks increase, so does awareness about the need for stronger vendor security measures.
Earlier this year, the Federal Bureau of Investigation (FBI) issued a security alert about increased hacking attempts targeting technology suppliers, especially those in healthcare.
Attackers are targeting these vendors with a form of malware known as Kwampirs, a remote access trojan.
Kwampirs first made headlines back in 2018 when Symantec discovered an attack group used it to target healthcare and related industries.
Symantec indicated two years ago these attackers weren’t randomly selecting targets, but instead were carefully choosing them and then investing time in planning before launching an attack.
At that time, almost 40% of the targets were in healthcare, including machines used for X-Rays and MRIs.
Kwampirs is considered an advanced persistent threat (APT) and continues to infect networks.
According to a report in the HIPAA Journal, the Kwampirs attack is two-phased.
First, the remote access trojan gives attackers “broad and persistent” access to hospital and healthcare networks, which allows them to deliver additional malware within those networks.
In phase two, attackers add additional modules through remote access to go deeper into those networks. These modules can change based on the intended target, but the goals remain the same—cyber espionage.
The FBI says that once infected, attackers can use the remote access trojan to perform daily commands and control communications with malicious IP addresses and domains that are hard-coded in Kwampirs malware.
Once an attack is successful, hackers use lateral movements to move between the infected network and related entities that share resources and software development processes.
For example, if a third-party vendor has a device that’s infected and then installs that device on an enterprise LAN or within a cloud infrastructure, the malware can easily pass into the healthcare organization’s network.
Attacks range from localized device infections to widespread infections throughout an enterprise, with many targets accessed through vendor software and hardware products.
Unfortunately, many of these exploitations remain undetected for long periods of time. Some of the attacks can go undetected for three months, with some of the most persistent ones lasting up to three years.
Third-Party Risk Mitigation
Kwampirs is just one example of cyber risks healthcare organizations face through vendor relationships.
As movement to cloud-based operations continues to gain traction in the industry, the more likely these risks will expand and increase the chances for successful breaches.
While the Health Insurance Portability and Accountability Act (HIPAA) provides data protection standards, enforceable by penalties, many organizations still overlook risks introduced by third-party vendors.
Or, in some cases, those vendors aren’t treated with the same due diligence and processes enacted internally.
So how do you protect your organization from vendor risks?
To assist healthcare organizations in better understanding how to address third-party risks, the Healthcare and Public Health Sector Coordinating Council (HSCC) developed a toolkit, “Health Industry Cybersecurity Supplier Risk Management (HIC-SCRiM)” to guide security protocols for vendors.
As part of a robust cybersecurity program for your healthcare organization, these practices can help build trust between your organization and your suppliers, and ensure that second- and third-tier vendors treat your data with the same sensitivity and data security protocols as your organization.
End-to-End Risk Management
HIC-SCRiM aligns with supply chain components of the NIST Cybersecurity Framework. Through HIC-SCRiM, your organization can create a Vendor Risk Management program with:
- Core components including procedures, policies, roles, responsibilities, and governance procedures
- Creation and maintenance plans, including an inventory of your vendors, risk assessments for each, and how you’ll deal with those risks
- Resources to support your program throughout the lifecycle of each vendor’s contract
Your Vendor Risk Management program should begin with well-defined policies, roles, and responsibilities. This should also include the purpose of your program, its scope, policy requirements and effective dates, along with details about how you’ll manage program exceptions and how processes and policies are approved.
Like other cybersecurity initiatives, you may find your program is more effective and successful if you have an executive sponsor who owns and maintains the program and guides it toward maturity over time.
Once you’ve outlined your program, it’s time to identify all of your vendors and create a comprehensive vendor inventory.
Remember, you may have long-term, existing vendors that are core to your operations, but who do not fall under your current contract processes. Those are easy to miss in your inventory.
Make your inventory as comprehensive as possible, including existing vendors that may have been grandfathered into your operations over time.
After identifying who your vendors are, determine how critical each vendor is for your operations. Begin with the most critical vendors first, and then work your way through others.
Here are a few key areas for consideration that can help you prioritize how critical a vendor may be to your operations:
- Conduct a spend analysis to determine which suppliers are strategic and which ones are transactional, including the types of provided services and contract duration.
- Determine if you have related business associate agreements (BAAs) and accounts for the types of protected/sensitive information each vendor has access to, taking into consideration not just the volume of data each vendor can access but how sensitive each record may be.
- Assess whether the vendor relationship could put any of your patients at risk, including what would happen if your products or services aren’t available.
- Analyze the vendor’s impact on your revenue. For example, if you have an enterprise resource planning system or accounts payable application, what would happen if it went down? How would it affect your opportunities to generate revenue?
- Review operational impact and business criticality for each vendor. What impact does each vendor have on your day-to-day operations?
- Evaluate regulatory impacts for all of your compliance requirements.
- Consider reputational impact of each vendor. For example, what would the impact be if your website didn’t function or your scheduling program was inaccessible?
Rank Vendors Based on Risk
Next, identify risks associated with each vendor and prioritize those risks as they relate to your organization’s goals, objectives, and overall business impact. You can create your own ranking or tiering system. Some organizations tier their vendors by high, medium, and low risk, while others prefer a numbered model.
HIC-SCRiM suggests reviewing these risk types:
- Operational risks
- Safety risks for employees, patients, contractors, etc.
- Competitive risks, for example, trade secrets, go-to-market strategies, and intellectual property
- Quality risks for products and product service integrity (also including re-use, resale or sabotage)
- Reputational risk
- Compliance risk
- Secondary risks including your broader supply chain
- Geopolitical risks
Assess and Respond to Risks
After prioritizing risks, it’s time to complete a risk assessment for every vendor. You should do a vendor risk assessment before completing a new contract and for renewals, but also periodically throughout your contract terms, at a minimum once each year.
Vendor risk assessments are not a trivial endeavor. They require you to capture and evaluate a lot of data. Here are some questions you may want to ask:
- Does the vendor have a cybersecurity program?
- Can the vendor answer related questions about its cybersecurity program?
- Can the vendor demonstrate its program exists and works effectively?
- Is the vendor compliant with HIPAA (and other) security regulations, including applicable privacy and breach notification requirements?
You can use a risk assessment to determine how well your vendor meets cybersecurity protocols outlined in your contract agreement, BAA, or service-level agreement (SLA).
Once you know vendor risk, what are you going to do about it?
- Accept and Mitigate: If you choose to accept the risk, are there additional controls you can implement that will limit the impact of that risk? If you choose to accept the risk and mitigate it, work with your vendor to facilitate rapid remediation and adopt appropriate security controls. Make sure to document the risks you’ve uncovered, outline your expected response and decisions made, and specify what steps the vendor must take to mitigate those risks and a timeline for resolution. Your assessments may also reveal your contract terms need adjustments.
- Transfer: If you choose to transfer some of that risk, what are the costs associated with that risk, for example, the cost of liability insurance and anticipated coverage?
- Avoid: Instead of accepting the risk, you can eliminate it altogether by choosing to work with a different vendor who doesn’t have the same level of risks. Your executive sponsor should take the lead role in determining if an identified risk is acceptable to your organization. If the risk is greater than what your organization deems tolerable, you may have to end the contract to protect your data and avoid being penalized for a breach or other security issues. In some cases, you may need additional legal counsel before making a decision.
If your executive sponsor decides to terminate your existing vendor relationship because of risk aversion, begin the process right away to select an alternative supplier. Be sure the new procurement process includes your vendor risk assessment protocols.
Effective cybersecurity processes aren’t just “set-and-forget.” To be effective, you should conduct ongoing monitoring and routine assessments of all your vendors with tracking and reporting.
You may find a healthcare-focused cyber risk management platform helpful in this process. The software can help you find weaknesses with your vendors’ cybersecurity processes and manage remediation, while constantly evaluating your current compliance and identifying gaps.
Looking for more insight on vendor risk management? Contact a Clearwater advisor at firstname.lastname@example.org or you can find a more detailed look at HIC-SCRiM at healthsectorcouncil.org/hic-scrim.