Cyber-based attacks pose a serious risk to organizations. Historically, business decisions were measured in dollars and cents. Now, they must also account for risk and the potential impact of a cybersecurity breach. Aon Risk Solutions conducted a survey in 2015 that indicated “Damage to Reputation/Brand” was the top global risk among companies. The threat is real, and the consequences can be devastating.
Organizations are responding by investing significantly in cybersecurity initiatives and raising the profile of the Chief Information Security Officer. Improving the internal cybersecurity maturity level is a great – and necessary – first step. For many organizations, the bigger picture is becoming clearer: vulnerabilities of third-parties can render the internal cybersecurity investment meaningless. Understanding the risk posture of business partners is an equally, if not more, important element of the cybersecurity effort.
To that end, organizations are beginning to expand their cybersecurity purview to include subcontractors and suppliers who provide “direct” goods and services that contribute to the organization’s operations. That’s a great start, but the net must be cast wider to include “indirect” service providers, like healthcare companies. Think a healthcare insurer’s poor security hygiene doesn’t matter? Think again.
In 2015, Anthem, the second largest health insurer in the U.S., suffered a data breach that compromised the Personally Identifiable Information (PII) of 80 million individuals. U.S. healthcare provider Premera exposed the PII of 11 million people. And Community Health Services, which operates over 200 hospitals across the U.S., allowed the PII of 4.5 million patients to fall into the wrong hands. When employees’ health information is compromised, it puts them in danger of identity theft, reduces their productivity as they deal with the fallout, and exposes the organization by making those employees susceptible to cyber blackmail. Notably, a Massachusetts judge recently ruled to allow a class-action lawsuit stemming from a health data breach to proceed despite a lack of evidence of harm.
Companies need comprehensive, accurate insight into the cybersecurity maturity levels of all of their current and potential partners. Business relationships with those that don’t meet a minimum threshold must be reconsidered. No partner, including healthcare payers and providers, should be immune to this level of scrutiny, given the ever-evolving cybersecurity threat and what’s at stake for an organization and its employees.