Prepare for Third-Party Cybersecurity Incidents

Digital Debut

What to do if your technology vendor partner gets hacked

Last week, a cyberattack on UnitedHealth Group paralyzed subsidiary Change Healthcare, part of Optum. This caused billing disruptions at different healthcare entities including at ASCs. As of February 29, Change Healthcare’s website remains nonfunctional.

What can an ASC do when its vendor is hacked?

Better Preparation, Better Response

Due to the risks associated with a breach of a technology vendor partner, surgery centers must be prepared to respond effectively. "Taking a proactive approach is the key to success when it comes to any disaster, including a third-party cybersecurity incident," says Rick Passero, chief information security officer for Anatomy IT in White Plains, New York. "If you are waiting until the event happens to start thinking about what you need to do, you will already be in bad shape."

Be in the Know

Visit the Cybersecurity and Infrastructure Security Agency's #StopRansomware page for cybersecurity advisories.

Preparation should entail developing a detailed incident response plan, says Richard Lang, information security officer for HST Pathways in Nashville, Tennessee. "This plan should clearly spell out exactly what the ASC will do if they learn a vendor is hacked."

Vendors have different access to an ASC's data and could be storing sensitive information. Understanding what data vendors can access—whether it be clinical, financial, operational or a combination—is key to developing an effective response plan, Lang says. "You need to identify all of your vendors. I recommend reviewing your accounting records. That will show who you are paying for technology and help you put together a comprehensive list of vendors. Then you can better determine how your ASC may be affected by a successful hack of any of them."

Identifying and evaluating all your surgery center’s vendors can help you secure appropriate cyber insurance. "Cyber insurance has grown in importance over the years," says Douglas Stickler, director of information technology for Monterey Peninsula Surgery Center in Monterey, California. "Insurance vendors are becoming smarter and wiser in their evaluations of us. We have a regular process of going over our existing systems and safeguards with our insurance provider, which helps keep our preparations current."

An effective response also will be predicated on how well you have established communication channels, both internal and external. For internal communications, determine who on your team should be involved if a vendor is hacked, Stickler says. "In our organization, we have a senior management team that is brought into any emergency situation. They would then execute our incident response."

Different team members might have to be involved in your response depending on the technology system affected, Lang says. "Make sure that there is clear understanding amongst all parties about their responsibilities. Time may be of the essence, especially if a breach occurs when you are providing patient care. You need an efficient response that will allow you to avoid disruptions that could put patient safety at risk."

For external communications, Passero says it is important for your vendors to know who on your team they should contact and vice versa. "You want prompt reporting and collaboration if there is a cybersecurity incident. If your vendor is made aware of the incident early, you do not want them to be scrambling to figure out how to get a hold of the right people at your ASC to take prompt action. You also will want to know who at the vendor to contact if you detect something unusual in their technology."

Execute Your Plan

When you learn a vendor is hacked, execute your incident response plan, which should include early outreach to your cyber insurance carrier, Passero advises. Following the carrier's requirements for responding to an incident will help ensure your efforts are covered by your insurance policy.

In addition to cybersecurity expertise, you might need specialized legal and public relations help, Passero says. "Since you will not have visibility into the point of origination for the hack or the ability to perform a root-cause analysis, early efforts to contain the breach can be hampered. Be prepared to rely more heavily on your legal team and the protections that should be included in your contract with the affected vendor."

Working with your team of experts and the affected vendor, you will need to determine the fallout from the breach. "How bad it is and what it has likely affected will dictate much of the work that follows," Stickler says. "For example, if protected health information was compromised, you will likely need to report to federal and state regulatory agencies and inform those affected patients."

Undergo an assessment of your technology systems and infrastructure. "This assessment is a highly technical endeavor that needs to be performed by qualified experts," Stickler says. "The affected vendor should be performing an assessment of their own and informing you frequently and clearly about what their forensics are finding so you can follow through on any reporting obligations."

Early response efforts also should focus on containing the hack, Lang advises. "You do not want the breach propagating to other technology systems and having a much larger impact than necessary. Preventing this spread requires you to understand how your systems are segmented and to isolate compromised systems."
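The advice above comes down to three lists an ASC should be able to produce within minutes of a vendor's breach notice: which internal systems the vendor can reach (the first isolation targets), which further systems depend on those and are therefore in the blast radius, and which data classes and people are involved. The following is an added example, not code from the article or from any of the vendors or centers it names; the vendor names, system names, dependency graph and contact addresses are all constructed placeholders, and the dependency map stands in for the segmentation knowledge Lang describes.

```python
"""Vendor-incident triage from a maintained vendor inventory.

Added example with constructed data. Given the name of a vendor that reports a
breach, it returns what to isolate first, every dependent system in the blast
radius, the data classes involved, whether clinical data (PHI) is in scope so
reporting obligations must be reviewed, and who to call on both sides.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    systems: Tuple[str, ...]        # internal systems the vendor hosts or holds credentials for
    data_classes: FrozenSet[str]    # subset of {"clinical", "financial", "operational"}
    contact: str                    # the vendor's incident contact, taken from the contract


# Constructed vendor inventory (the list Lang suggests building from accounting records).
VENDORS: Dict[str, Vendor] = {
    "ClearinghouseCo": Vendor(
        "ClearinghouseCo", ("claims_clearinghouse",),
        frozenset({"clinical", "financial"}), "security@clearinghouseco.example"),
    "FacilitiesCo": Vendor(
        "FacilitiesCo", ("hvac_controller",),
        frozenset({"operational"}), "noc@facilitiesco.example"),
}

# Constructed segmentation map: system -> upstream systems it depends on.
DEPENDS_ON: Dict[str, Set[str]] = {
    "claims_clearinghouse": set(),
    "billing": {"claims_clearinghouse"},
    "revenue_reporting": {"billing"},
    "ehr": set(),
    "scheduling": {"ehr"},
    "hvac_controller": set(),
}

# Constructed internal owners, the people pulled in for each system.
SYSTEM_OWNERS: Dict[str, str] = {
    "claims_clearinghouse": "revenue-cycle@asc.example",
    "billing": "revenue-cycle@asc.example",
    "revenue_reporting": "finance@asc.example",
    "hvac_controller": "facilities@asc.example",
}


def dependents_of(start: Iterable[str], depends_on: Dict[str, Set[str]]) -> Set[str]:
    """Return `start` plus every system that transitively depends on it.

    Walks the reversed dependency graph breadth-first, which is the set a
    compromise could propagate to if the starting systems are not isolated.
    """
    reverse: Dict[str, Set[str]] = {}
    for system, upstreams in depends_on.items():
        for up in upstreams:
            reverse.setdefault(up, set()).add(system)
    seen: Set[str] = set(start)
    frontier = list(seen)
    while frontier:
        current = frontier.pop()
        for dependent in reverse.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                frontier.append(dependent)
    return seen


def triage(vendor_name: str) -> dict:
    """Build the response worksheet for a breached vendor (KeyError if unknown)."""
    vendor = VENDORS[vendor_name]
    blast_radius = dependents_of(vendor.systems, DEPENDS_ON)
    return {
        "vendor": vendor.name,
        "isolate_first": sorted(vendor.systems),
        "affected_systems": sorted(blast_radius),
        "data_classes": sorted(vendor.data_classes),
        # Clinical data in scope means PHI reporting obligations must be reviewed.
        "phi_reporting_review": "clinical" in vendor.data_classes,
        "vendor_contact": vendor.contact,
        "internal_contacts": sorted({SYSTEM_OWNERS[s] for s in blast_radius if s in SYSTEM_OWNERS}),
    }


if __name__ == "__main__":
    for key, value in triage("ClearinghouseCo").items():
        print(f"{key}: {value}")
```

The point of keeping `DEPENDS_ON` as data rather than tribal knowledge is that the blast radius of a clearinghouse outage (here billing and revenue reporting, but not scheduling or the EHR) is computed the same way at 2 a.m. as during a tabletop exercise, and the inventory can be reviewed with the cyber insurance carrier as Stickler describes.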

Engage in ongoing discussions with the affected vendor about how the hack is affecting its operations. "The vendor may need some time to recover, and they should be transparent about exactly how long that will take," Lang says. "An ASC will need to determine how it can safely operate during the timeframe." Conversations with the vendor should also cover what the company is doing to contain the breach and how it plans to prevent future incidents, Passero says.

If you experience a third-party cybersecurity incident, use it as an education and improvement opportunity, Stickler advises. Perform a post-incident analysis to highlight what you were required to do, anything you missed or learned from the experience, and what you can do to better protect yourself from the continuously evolving threats in the future. "Healthcare data has proven to be highly valuable to bad actors, so that can make us and our vendors very appealing targets," Stickler says. "When a breach happens, you need to be ready."

A good incident response plan will help ensure you do not miss any key steps, Passero says. "You should be able to assess the impact of the breach, contain it, investigate it and recover from it."