Treffer: Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations.

Gather insights regarding the state of third-party access cybersecurity in healthcare delivery organizations (HDOs).An online multinational survey was deployed to eligible respondents to assess HDO third-party access, cybersecurity, and challenges.Of 209 respondents, only 51.1% reported having a comprehensive inventory of all third parties accessing their network. Sixty percent stated third-party access to sensitive/confidential information was not routinely monitored, despite 19% having more than 40, and 31% having 21 to 40 third parties with network access. Reasons included lack of resources (48%) and centralized control over third-party relationships (36%), complexity (28%), and frequent third-party turnover (22%). Confidence in third-party ability to secure information and their reputations was cited. More than half (56%) reported a breach involving a third party in the last 12 months, and two-thirds anticipate breaches increasing in the next 12 to 24 months. Most agreed breaches are a cybersecurity priority, a resource drain, and their weakest attack surface. Slight majorities indicated high perceived effectiveness in mitigating, detecting, preventing, and controlling third-party access risks and security/privacy regulatory compliance. Regarding existing solutions, roughly half (55%) ranked the effectiveness of vendor privileged access management (VPAM) and privileged access management (PAM; 49%) at ≤ 6 on a 10-point scale, respectively. Barriers to reducing access risks include lack of oversight/governance (53%) and insufficient resources (45%). Of those monitoring third-party access, 53% do so manually. Breach consequences include loss/theft of sensitive information (60%), regulatory fines (49%), severed relationships with third parties (47%), and loss of revenue (42%) and business partners (38%).HDOs recognize the increasing threat of third-party cyber breaches but are struggling to effectively address them. Lack of budget, expert resources, complexity, and third-party turnover are among the reasons why. Need exists for automated, cost-effective solutions to address the significant risks of third-party access with a consistent strategy that minimizes breach risk by securing remote access to privileged assets, accounts, and data.
(The Author(s). This is an open access article published by Thieme under the terms of the Creative Commons Attribution License, permitting unrestricted use, distribution, and reproduction so long as the original work is properly cited. (https://creativecommons.org/licenses/by/4.0/).)

G.A.G. and G.L.G. are medical advisors to Imprivata, and D.B., R.P., and S.P.K. are employees of Imprivata.