According to HealthcareInfoSecurity, the United Kingdom urgent health care helpline, National Health Service (NHS) 111, experienced multiple days of degraded service following a cyberattack against a key service provider. Privacy, cybersecurity and data strategy counsel Jason G. Weiss discussed lessons this situation offers to health care entities and their vendors.
“It is critical that an organization ensure that vendors that have network access or connectivity ensure that they have proper cyber hygiene protections in place,” said Weiss. He also emphasized that it is critical to audit and ensure that the protections a vendor claims to have in place are verifiable and subject to testing to ensure the controls work appropriately.
“One option is to require IT vendors to have established and proven cybersecurity frameworks in place such as ISO 27001, zero trust architecture or the National Institute of Standards and Technology’s Cybersecurity Framework, just to name a few options,” explained Weiss.
Weiss noted that threats available to cyberthreat actors, such as ransomware as a service, have greatly expanded the scope of potential threats that health care sector entities and their vendors face. “These types of criminal cyberthreat…put more pressure on the health care sector entities to ensure that their networks and cyber defenses are as strong as possible,” he added.