www.wsj.com
2600:9000:21f3:ee00:3:4b0:de80:93a1  Public Scan

URL: https://www.wsj.com/articles/healthcare-organizations-take-aim-at-third-party-cyber-risk-4d51174c?mod=Searchresults_...
Submission: On August 04 via api from US — Scanned from DE

Form analysis 1 forms found in the DOM

<form autocomplete="off">
  <div id="scrim-from-wrap" class="input-wrap">
    <label for="scrim-from">From</label>
    <textarea id="scrim-from" readonly="readonly" disabled="disabled" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
  </div>
  <div id="scrim-to-wrap" class="input-wrap">
    <label for="scrim-to">To</label>
    <input id="scrim-to" type="text" autocomplete="off" autocorrect="off" autocapitalize="none">
  </div>
  <div class="input-wrap">
    <label for="scrim-message">Message</label>
    <textarea id="scrim-message" class="msg" maxlength="500" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
  </div>
</form>

Text Content




This copy is for your personal, non-commercial use only. To order
presentation-ready copies for distribution to your colleagues, clients or
customers visit https://www.djreprints.com.

https://www.wsj.com/articles/healthcare-organizations-take-aim-at-third-party-cyber-risk-4d51174c




HEALTHCARE ORGANIZATIONS TAKE AIM AT THIRD-PARTY CYBER RISK


HOSPITAL OPERATORS COLLABORATE ON STANDARD APPROACH FOR MEASURING SUPPLIERS’
CYBER DEFENSES

THIRD-PARTY BREACHES, SUCH AS SUPPLY-CHAIN ATTACKS AND DIRECT COMPROMISES
THROUGH VENDORS, ARE EXPENSIVE FOR HOSPITALS.

Photo: Smith Collection/Gado/Getty Images
By James Rundle
July 27, 2023 7:00 am ET | WSJ Pro


Hospital operators are taking a hard line on how their vendors and suppliers
secure their systems, amid a string of third-party cyber incidents that have
caused data breaches and lawsuits at healthcare providers.

The Health 3rd Party Trust Initiative, an industry group comprising major
healthcare providers, on Thursday published best practices for assessing the
cybersecurity of suppliers, such as enforcing clarity about service
expectations, specific questions to ask vendors and blueprints for resolving
security issues.

“My board is quite engaged on this, they see this as being a significant risk
that needs to be addressed and so it’s something that really is, frankly, my
highest priority,” said John Houston, vice president of information security and
privacy, and associate counsel at the University of Pittsburgh Medical Center.

The guide goes into detail in areas such as data handling practices and sample
language for use in contracts with suppliers. Other areas include
recommendations on the frequency of supplier reviews, and metrics for reporting
vendor risks across an organization.

[Chart: Comeback Costs. Healthcare companies spend more to recover from a
cyberattack than companies in other industries. Average recovery cost in 2023,
in millions of dollars, by industry: Healthcare, Financial, Pharmaceuticals,
Energy, Industrial, Transportation, Entertainment, Hospitality, Retail.
Source: IBM analysis of 553 cyber incidents in 16 countries]

Third-party breaches, such as supply-chain attacks and direct compromises
through vendors, are expensive for hospitals. Research published by
International Business Machines this week found the average cost of a data
breach in the healthcare industry reached $10.9 million in 2023, a figure higher
than for any other sector IBM analyzed.



Recent breaches traced to the hack of Progress Software’s MoveIt product have
also involved health systems, including Johns Hopkins All Children’s Hospital
and the University of Texas Southwestern Medical Center, and government
departments including the U.S. Department of Health and Human Services.
Expensive class-action lawsuits often follow, which can cost millions of
dollars, even if a hospital’s systems were never breached.

Despite the string of attacks, healthcare providers are more vulnerable than
ever to hackers, thanks in part to shifts to the cloud that rapidly accelerated
during the coronavirus pandemic, and the expanding use of internet-connected
devices in clinical settings. The risk has grown so great that some hospitals
have even developed specific emergency codes ordering the shutdown of devices in
the event of an incursion by hackers.

Hospitals are having a hard time coping with the oversight that their suppliers
require even as they become ever-more reliant on them, said Shenny Sheth, deputy
chief information security officer at Centura Health, who said he has three or
four cybersecurity staff working full-time on assurance programs with hundreds
of suppliers. 

Complaints about the length of time it takes to get information from suppliers
aren’t uncommon, said UPMC’s Houston.


“I now have to rely upon a lot of other third parties to secure my data. It’s
just not one, it’s not 10, it’s not 20, it’s hundreds,” Houston said. “They
often want to act like and function like a black box, meaning it’s very
difficult to get really good concrete, detailed information about those third
parties’ security programs.”

At the same time, security executives say, suppliers are swamped with
questionnaires and assurance requests from their clients. Producing a
comprehensive and standardized set of best practices will help both parties,
said Omar Sangurima, principal technical program manager at Memorial Sloan
Kettering Cancer Center.

“At the very least we can all say, ‘OK, this is table stakes, this is what you
need to do business in this area,’” he said.

Sangurima said the best practices developed by the group are designed to work
for healthcare providers of all sizes, not just companies that operate dozens of
hospitals across states. He said he hopes projects such as this, along with
industry standards that govern data privacy, can enable smaller healthcare
organizations to implement mature security programs.

“You don’t have to sit there and reinvent the wheel yourself as a smaller
organization. You can grab it, it’s ready-made, and it’s cogent,” he said.

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.





