60% of Healthcare Orgs Say Third-Party Risk Management Needs Improvement

Most surveyed healthcare organizations admitted that third-party risk management and compliance efforts could use some improvement, Kiteworks found.

By Jill McKeon

An overwhelming majority of surveyed healthcare organizations said that their third-party risk management and compliance strategies were due for some improvements, a survey conducted by Kiteworks found.

Researchers surveyed executives from multiple industries responsible for secure third-party content communications for their organizations. About 20 percent of the respondents came from healthcare organizations.

The survey results told a story of widespread unpreparedness for third-party security and compliance risks despite the growing frequency of cyberattacks against third-party vendors. The SolarWinds attack in 2020 impacted fewer than 100 organizations but highlighted the need for increased software supply chain security.

“Nearly two-thirds of respondents share content with more than 1,000 external organizations, and all do so with at least five communications channels,” the report stated.

“Two-thirds use more than four separate systems to track, control, and secure content communications. And dealing with encryption issues consumes dozens or hundreds of hours of staff time per month.”

In addition to inefficiencies, security gaps in content communications systems posed significant risks for most surveyed organizations. The majority of organizations reported using email, file sharing, web forms, and APIs to communicate content. Most of those communication methods are managed by third parties.

About 47 percent of healthcare respondents said that 100 percent of their sensitive content email communications with third parties were encrypted. An additional 36 percent of respondents said that most of their sensitive email content was encrypted.

Many recent healthcare data breaches were attributed to email security incidents. Threat actors may use phishing to hack into networks or steal the sensitive data contained in email accounts, including protected health information (PHI) in some cases.

In addition, more than a quarter of the total respondents pointed to insider threats (including well-meaning employees falling victim to a phishing attack) as their number one security concern surrounding content communication systems.

External threats, such as ransomware, DDoS attacks, and malware, were also top concerns. As organizations increasingly rely on third-party vendors for critical functions, security is becoming even more crucial.

“Organizations share content with hundreds or thousands of third parties using multiple transmission methods. Security checks are inconsistent for both inbound and outbound content, and encryption is inconsistently applied,” the report noted.

“Too often, the communication of content is siloed according to the method of sharing, the type of content, or the department that sends or receives the content. Security and compliance solutions are frequently siloed in similar ways. And monitoring of when and by whom sensitive content is accessed is spotty or nonexistent at most organizations—again, partly due to the silos that exist.”

As the threat landscape evolves, organizations should prioritize third-party risk management and implement holistic security controls to protect all endpoints.