[BreachExchange] Cyber attack vector du jour – Third party digital ecosystem

[Inga Goddijn]

http://www.beckershospitalreview.com/healthcare-information-technology/cyber-attack-vector-du-jour-third-party-digital-ecosystem.html

The data breach at CHI Franciscan Hospital
<http://www.beckershospitalreview.com/healthcare-information-technology/vendor-error-leaves-18k-chi-franciscan-hospital-patients-information-available-online.html>
in September is a recent example of what has been a troubling increase in
cyber-attacks on the healthcare industry – entry through a trusted third
party.

The common attack vector between this breach and many others,
including the Mass.
General Hospital breach in June
<https://www.bostonglobe.com/business/2016/06/29/data-breach-mass-general-involves-dental-patients/bnzo96XScLKQC8Wt2Wk7eO/story.html>,
is a healthcare provider's third party, or "business associate," as defined
by the Department of Health and Human Services. Breaches via a third party
are a rapidly growing technique of bad actors looking to circumvent
security controls put in place by sophisticated security teams. It's less
taxing on bad actors to simply breach a third party with weak controls and
enter secure networks via a trusted connection.

Third party breaches continue to occur despite changes made over three
years ago to extend HIPAA Privacy and Security Rules for protection and
control of personal health information to business associates of covered
entities that receive protected health information, such as contractors and
subcontractors. In a recent Deloitte survey of 170 organizations
<http://www2.deloitte.com/ye/en/pages/risk/articles/third-party-governance-and-risk-management.html>,
87 percent of the respondents said they have faced a disruptive third-party
incident in the last two to three years. To complicate the issue even more,
E&Y cited that almost half of firms in their study still use spreadsheets
to track third party issues.

While the growing number of third-party related breaches points to the
critical need for healthcare providers to establish third-party cyber risk
management programs, it also reveals the magnitude of the challenge for
business associates.

Answering questionnaires from a multitude of upstream business partners is
time consuming and costly. Wouldn't it be easier on everyone if an exchange
existed to prevent the repetitive security questionnaires and on-site
visits? How about performing one security assessment, updating it
frequently and sharing with all upstream business partners?

This article examines those challenges and prescribes strategies both
customers and third parties should take to streamline the assessment
process their customers require.

*Third-party cyber risk management: Four key strategies*

It's imperative that you move from a compliance-focused to risk-based
strategy. Emailing a questionnaire to your third parties and storing them
in your GRC tool is not enough. Without a risk-based process, you will
continue to struggle answering the most important question, "Which of my
third parties pose the most risk to my enterprise today based on the
current threat landscape?"

Here are four key components of a sound strategy and the questions you
should ask yourself to help reduce complexity, costs and risk from your
digital ecosystem of third parties:

1. Identify – Maintain an updated and dynamic inventory of your third
parties: Ensure you have a complete view of your third parties and the
changing nature of 1) your business relationship with each and expansion or
contraction in your relationship, and 2) their business changes –
acquisitions, divestitures and potential breaches.
1.1. How can you work with lines of business to ensure you're being
included in the RFP stage – rather than after the third party contract has
been signed?
1.2. Is the proper contract language being included that provides
assessment rights?
1.3. How are you alerted when your relationship with one of your third
parties changes?

2. Assess – Understand your inherent risk from each third party. As part of
your overall strategy, ensure that you dynamically document inherent risk
from your digital ecosystem.
2.1. What risk do you have from each of your third parties?
2.2. What impact would you incur if they were breached?
2.3. How do you interact with each?
2.4. Do they have access to your customers' data?
2.5. Do you access their systems?
2.6. Do you access a payment portal or any other systems? Do you provide a
critical component in your customer's manufacturing process?

3. Mitigate — Tier your third parties and do proper – and continuous –
security due diligence on each. Different levels of relationships and
access require different levels of due diligence. Trust (i.e.,
self-questionnaire) is not as accurate as verify (a validated assessment).
Understand that point-in-time assessments likely meet regulations, but do
not provide true risk management oversight. Work with your third parties to
remediate critical issues in a timely fashion.
3.1. Which of your third parties require a fully validated evidence of
controls assessment?
3.2. Which only require self-questionnaires?
3.3. How are you prioritizing which of your third parties need the most
attention based on the latest attack vectors?
3.4. Which need no assessment at all?
3.5. How often are you updating your assessments?
3.6. Are you seeing an inside/out and outside/in view of their security
posture?
3.7. Do you have outstanding remediation issues from your third parties?

4. Monitor and Collaborate – Your third-party portfolio must be
continuously monitored for state changes. Collaborate with your third
parties to improve their security posture and lower your risk. Use
analytics to monitor new threats that exploit weaknesses in your third
parties' controls. Communicate effectively with your third-party portfolio
to understand your exposure to recent threats.
4.1. What type of analytics are you running against your third party
assessments?
4.2. How do you know which of your third parties pose the most risk to your
organization?
4.3. Are you correlating threat intelligence with weak controls in your
third party portfolio?

*Third Parties – Streamlining the Response Process*

Fueled by rapidly changing regulatory and threat landscapes, the swift
evolution of third-party cyber risk management has caused third parties to
feel under siege. For instance, most vendor pain points emanate from three
attributes that have come to define today's risk management strategies:
complexity, cost and compliance vs. risk management.

1. Remove Complexity —

Problem: Organizations use different data gathering questionnaires and
assessment methodologies - often customized to meet their unique needs.
Third parties are being asked to complete many different flavors of
assessments – some self-attestation, others on-site assessments.

Solution: Reduce complexity by proactively building into contracts with
your up-stream partners the ability to proactively provide them a
standardized assessment on a quarterly basis. Be assessed once, share with
many.

2. Reduce Costs —

Problem: It's expensive and time consuming to complete a multitude of
questionnaires – all asking basically the same questions – many times in a
calendar year.

Solution: Reduce costs by providing up-stream partners a comprehensive and
up-to-date assessment at defined intervals. Proactively ensure them that
you're not susceptible to newly released cyberattacks. Use your excellent
security posture as a business enabler to win business and increase revenue.

3. Mitigate Risk –

Problem: The majority of third-party cyber risk assessment requests are
geared toward compliance, as opposed to taking risk-based approaches to
identify and mitigate real issues based on actual threats and
countermeasures.

Solution: Follow security best practices by asking "what threats am I
exposed to? How do I need to mitigate against that? And what's the next
thing I need to be worried about?" That context is key to adopting a
risk-based vs. compliance-based approach to addressing cyber risk exposure.

Having safeguards and a strategy in place specific to third-party cyber
risk management have never been more crucial to mitigating risk from your
digital ecosystem. As reported by the Ponemon Institute, nearly 75 percent
of IT executives surveyed agree that third-party risk is serious, while 21
percent of respondents said the risk is significantly increasing.

To understand and implement a successful third-party cyber risk management
strategy, companies must fully understand the risks a third party poses to
them based on the nature of their relationship; understand the controls
that a third party has in place to mitigate risk; collaborate with the
third party to achieve an acceptable risk posture; and continuously monitor
the security posture of the third party over time. Only then does an
organization have visibility into their entire risk portfolio that business
associates present.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161109/3238bee1/attachment.html>