The Rise of Fourth-Party Risk in Healthcare––And How to Combat It

by Brian Selfridge, Healthcare Cybersecurity & Risk Leader at CORL Technologies, 02/28/2023 Leave a Comment


In recent years, a wave of high-profile cyber attacks has shaken the healthcare industry to its core. Sensitive data has been breached; essential services have been forced offline; and healthcare providers have found themselves faced with unhappy customers and unsympathetic regulators.

As a result, many in the healthcare industry are now familiar with third-party vendors and the risks they pose. This is a positive development, but it is insufficient: any comprehensive understanding of healthcare security needs to factor in fourth-party vendors as well.

Consider this blog post a guide to everything you need to know about fourth-party vendors and the risks they pose. Below, in addition to setting definitions, we’ll outline current risk mitigation models and challenges, and suggest innovative solutions.

Fourth-party risk management: a quick definition

To understand what fourth-party vendors are, let’s start by getting a handle on third-party vendors.

Around fifteen or twenty years ago, healthcare organizations began the long, arduous process of moving from paper to electronic health records. To accommodate these oceans of paperwork, healthcare organizations began enlisting the services of third-party cloud and SaaS companies. And over the last decade or so, as it became commonplace to share large volumes of electronic patient data outside of healthcare entities for research, optimization, debt collection, and more, an unprecedented amount of sensitive patient data began to be hosted on third-party servers.

The serious risks that this presents are well-known. Less discussed are the fourth-party vendors that these third-party vendors in turn depend on, and how a breach of one of those can have equally dire effects. The fourth-party vendors used by third-party vendors (Adobe, Microsoft, Auth0, Okta, and so on) are just as vulnerable to being breached, and cyber-criminal gangs and nation-states such as Russia have taken serious notice of this. The fact is that a single compromised fourth-party vendor can lead to the compromise of thousands of organizations, because every third party that builds on it inherits the compromise.

Cyber-criminal syndicates are continually on the lookout for thus-far-unexploited vulnerabilities; if there is an unmonitored opening, you can be sure they will pour right in. This is particularly troubling in the case of fourth-party vendors, as once an organization has been compromised in this way, malicious actors are then free to launch a variety of attacks including ransomware, data theft, extortion and more. Recent examples of how widely a single upstream weakness propagates include the Log4Shell vulnerability in the Log4j library, the SolarWinds Orion supply-chain compromise, and the mass exploitation of Microsoft Exchange Server.

A troubling lack of transparency

Hearteningly, in recent years healthcare organizations have taken a serious interest in data protection, devising vendor risk management (VRM) programs to help guard against third-party breaches. At the same time, though, very little effort has been made to manage fourth-party risks; it can sometimes feel like they are not even on the radar.

Making matters worse is the fact that healthcare entities have little to no transparency when it comes to fourth-party vendors. It is often impossible for them to know, when a fourth-party breach occurs, which specific third-party vendors have been affected; accordingly, it’s nearly impossible for them to take proper action. Alarmingly, the third-party vendors themselves often have a limited idea of the extent of their vulnerability, as many fail to maintain accurate inventories of their own supply-chain vendors or products. During a breach event, this can lead to utter chaos, with no party––not the third-party vendor, not the healthcare organization––able to accurately assess and fix the problem.

Innovative solutions to the fourth-party problem

Obviously, this problem isn’t limited to healthcare organizations: any entity that enlists the help of third-party vendors is at risk during a fourth-party breach. Accordingly, the US government has begun to proactively address the problem, with President Biden issuing Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021 in the wake of the SolarWinds attack. This executive order and other recent initiatives have gone some way towards remedying the extreme unpreparedness of most industries when it comes to fourth-party breaches.

Key to Biden’s order is something called a Software Bill of Materials, or SBOM. An SBOM is, essentially, an ingredients list for a piece of software: it enumerates every component, including the third- and fourth-party components used to deliver a given product or solution, each with its supplier and version. When a vulnerability in one of those components is disclosed, an organization holding the SBOM can quickly determine whether it is exposed and through which product, instead of waiting for the vendor to work it out.

So a simplified SBOM might look like:

  • Operating system: Microsoft Windows XP
  • Java (version x.x)
  • Apache (version x.x)
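To make the concept concrete, here is an added example that is not part of the original post and not CORL’s tooling: a constructed CycloneDX-format SBOM (JSON) for a hypothetical “patient-portal” application, and a small Python routine that walks its dependency graph looking for components that fall in a known-affected version range. The vendor library “billing-sdk” and the whole dependency graph are invented; the only affected range in the table is the commonly cited Log4Shell (CVE-2021-44228) range for log4j-core. The point of the walk is that the vulnerable component is not a direct dependency of the application at all: it arrives two hops down, through the vendor’s own supplier, which is exactly the fourth-party exposure described above.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample CycloneDX 1.4 SBOM. The application, the "billing-sdk"
# vendor library and the dependency graph are invented for this example;
# they do not describe any real product.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"bom-ref": "app", "type": "application",
                      "name": "patient-portal", "version": "3.2.0"}
    },
    "components": [
        {"bom-ref": "billing-sdk", "type": "library", "group": "com.example",
         "name": "billing-sdk", "version": "1.4.0"},
        {"bom-ref": "log4j-core", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "log4j-api", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": "jackson-databind", "type": "library",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ],
    # Edges: who pulls in whom. The application (third-party product from the
    # healthcare org's point of view) depends on billing-sdk, which depends on
    # log4j-core (a fourth party), which depends on log4j-api.
    "dependencies": [
        {"ref": "app", "dependsOn": ["billing-sdk", "jackson-databind"]},
        {"ref": "billing-sdk", "dependsOn": ["log4j-core"]},
        {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
    ],
})

# Affected version ranges keyed by "group:name". Only one entry here: the
# Log4Shell range for log4j-core (CVE-2021-44228 affects 2.0-beta9 through
# 2.14.1). Pre-release suffixes are ignored by the simplified comparison.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[int, ...], Tuple[int, ...]]] = {
    "org.apache.logging.log4j:log4j-core": ((2, 0, 0), (2, 14, 1)),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple such as (2, 14, 1)."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(coordinate: str, version: str) -> bool:
    """True if group:name is in the table and the version lies in its range."""
    rng = AFFECTED_RANGES.get(coordinate)
    if rng is None:
        return False
    low, high = rng
    return low <= parse_version(version) <= high


def find_affected_components(sbom_json: str) -> List[dict]:
    """Walk the dependency graph from the root component and report every
    affected component together with the path by which it is pulled in."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    findings: List[dict] = []
    seen = set()  # dependency graphs may contain cycles; visit each node once

    def walk(ref: str, path: List[str]) -> None:
        if ref in seen:
            return
        seen.add(ref)
        comp = comps.get(ref, {})
        coordinate = f"{comp.get('group', '')}:{comp.get('name', '')}"
        if is_affected(coordinate, comp.get("version", "")):
            depth = len(path)  # 1 = direct dependency, 2 or more = transitive
            findings.append({
                "component": coordinate,
                "version": comp.get("version", ""),
                "depth": depth,
                "tier": "third-party" if depth == 1 else "fourth-party or deeper",
                "path": path + [ref],
            })
        for child in edges.get(ref, []):
            walk(child, path + [ref])

    walk(root["bom-ref"], [])
    return findings


if __name__ == "__main__":
    for f in find_affected_components(SAMPLE_SBOM_JSON):
        print(f"{f['component']}@{f['version']} ({f['tier']}) via {' -> '.join(f['path'])}")
```

In practice the affected ranges would come from a vulnerability feed or scanner rather than a hard-coded table, and the SBOM from the vendor; the dependency walk is what turns “log4j is vulnerable” into “we are exposed through this product, via that supplier”, which is the answer a healthcare organization needs on the day of a disclosure.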

Beyond SBOMs, a number of practices have arisen in recent years to help mitigate the risk of fourth-party breaches. These include leveraging existing assessment data on fourth-party suppliers to identify known exposures; conducting targeted outreach campaigns to third-party vendors to get a better sense of which fourth-party products they use and where; and tracking and reporting risk exposure and remediation status to customers.

For healthcare workers just wrapping their heads around third-party breaches, the introduction of an entire new category of risk might seem overwhelming. But it’s important to stress that this isn’t some peripheral risk, secondary to third-party risk. A fourth-party breach can be just as destructive and cause equally lasting damage. Staying on top of those risks, through SBOMs and the mitigation practices now coming into wide use, is not simply an option: when it comes to staving off catastrophe and keeping patient data safe, it’s a necessity.


About Brian Selfridge

Brian Selfridge is the Healthcare Cybersecurity & Risk Leader at CORL Technologies, the leading provider of risk management solutions for healthcare.


Tagged With: cloud, Cybersecurity, Microsoft, risk
