HCOs lag behind in third-party security controls

Healthcare trails financial & industrial sectors in vendor security, with only 43% evaluating third parties & 40% monitoring access.
By admin
Feb 13, 2025, 9:00 AM

Healthcare organizations are falling behind other sectors in protecting against third-party security risks, according to a new study by Imprivata. The research highlights concerning gaps in healthcare’s approach to managing vendor access and privileged user controls, even as cyber threats continue to escalate.

Critical gaps in healthcare security

Several trends emerged specific to healthcare organizations:

  • Only 34% of healthcare organizations experienced “highly effective” VPAM (Vendor Privileged Access Management) implementations, significantly lower than financial services (62%) and industrial sectors (53%)
  • 64% of healthcare providers cited lack of resources as a primary barrier to third-party risk reduction, compared to 48% in other sectors
  • Healthcare showed the highest rate (37%) of “somewhat familiar” responses regarding privileged access management, indicating potential knowledge gaps in security leadership
  • Only 43% of healthcare organizations evaluate third-party security practices before granting access to sensitive data, compared to 45% in financial services and 46% in industrial sectors

Compliance and regulatory implications

The study highlights particular challenges for healthcare organizations in meeting regulatory requirements. A striking 61% of public sector and healthcare organizations cited “complexity of compliance and regulatory requirements” as a significant barrier, compared to just 35% in financial services.

Compared to other industries, healthcare organizations appear more constrained by resource limitations:

  • 48% reported lacking internal resources to verify third-party security
  • Only 39% have a comprehensive inventory of privileged users, compared to 52% in financial services
  • 66% rely on removing access credentials as a primary security control, suggesting reactive rather than proactive security approaches

Recommendations for Healthcare Security Leaders

  1. Prioritize Automated Monitoring: With only 47% of healthcare organizations automating third-party monitoring, implementing automated solutions could help address resource constraints.
  2. Strengthen Vendor Evaluation: Implement more rigorous pre-access security evaluations, focusing on the 56% of healthcare organizations currently skipping this critical step.
  3. Enhance Training and Awareness: Address the 37% “somewhat familiar” response rate by implementing targeted training programs for security staff managing privileged access.

Healthcare organizations must address these gaps quickly, particularly given that 42% anticipate increased cyber threats over the next 12-24 months. The sector’s unique combination of regulatory requirements, resource constraints, and sensitive data handling demands a more robust approach to third-party risk management.

