Healthcare Third-Party Risk Management Newsletter
Welcome
Welcome to The Pulse of TPRM, Shared Assessments' newsletter for the third-party risk management community in the healthcare sector. As a leading trade organization, we are committed to bringing you insights, updates, and resources that are vital for navigating the complexities of risk management in healthcare. This newsletter aims to foster a community of shared knowledge, best practices, and innovative solutions tailored specifically for professionals like you, who are at the forefront of safeguarding healthcare organizations against diverse risks. Join us in this journey towards excellence in third-party risk management.
In The News
3 Takeaways from Change Healthcare Testimony
Andrew Witty, CEO of UnitedHealth Group, recently testified at two Congressional hearings on the Change Healthcare cyberattack. Here are three takeaways from Witty's testimony:
1. The attack occurred because multifactor authentication wasn't used
Mr. Witty: On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. We're continuing to investigate as to exactly why MFA was not on that particular service. It clearly was not. I can tell you I'm as frustrated as you are about having discovered that and as we've gone back and figured out how this situation occurred.
Mr. Witty also noted that a policy requiring MFA was in place before the attack. A policy on paper does not tell you which internet-facing services actually enforce it; that has to be verified, for example by an external penetration test that tries to authenticate with a password alone, or by reviewing the identity provider's authentication logs for sessions established without a second factor. Mr. Witty indicates that such testing is now being performed.
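One concrete form of the "other means" mentioned above is to read the authentication logs for each remote-access service and count how many successful logins carried a second factor. The script below is an added example written for this newsletter, not code from UnitedHealth, Change Healthcare or Shared Assessments; the log format, service names, user names and timestamps are constructed for illustration, and the set of services that policy requires to enforce MFA is an assumed inventory. The useful output is the per-service verdict: a service where no login ever carried a second factor has MFA missing outright (the Change Healthcare situation), whereas a service with partial coverage has an exception, legacy protocol or misconfigured policy that lets some sessions bypass it.

```python
"""Added example: verify that an MFA policy is actually enforced by reading
authentication logs, instead of trusting the policy document.

All data below is constructed for illustration. The services, users and
timestamps are not from any real incident.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per authentication event, with the
# factors the identity provider recorded for that session.
SAMPLE_AUTH_LOG = """
{"ts": "2024-06-01T03:14:07Z", "service": "remote-desktop-portal", "user": "svc_remote", "result": "success", "factors": ["password"]}
{"ts": "2024-06-01T03:20:41Z", "service": "remote-desktop-portal", "user": "jdoe", "result": "success", "factors": ["password"]}
{"ts": "2024-06-01T03:22:09Z", "service": "vpn-gateway", "user": "jdoe", "result": "success", "factors": ["password", "totp"]}
{"ts": "2024-06-01T03:25:55Z", "service": "vpn-gateway", "user": "asmith", "result": "success", "factors": ["password", "push"]}
{"ts": "2024-06-01T03:30:12Z", "service": "webmail", "user": "asmith", "result": "success", "factors": ["password"]}
{"ts": "2024-06-01T03:31:00Z", "service": "webmail", "user": "bjones", "result": "success", "factors": ["password", "fido2"]}
{"ts": "2024-06-01T03:33:45Z", "service": "remote-desktop-portal", "user": "jdoe", "result": "failure", "factors": ["password"]}
"""

# Assumed inventory: internet-facing services the written policy says must enforce MFA.
MFA_REQUIRED_SERVICES = {"remote-desktop-portal", "vpn-gateway", "webmail"}

# Factors that count as a second factor; a password on its own does not.
SECOND_FACTORS = {"totp", "push", "fido2", "smartcard", "hardware_otp"}


def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def has_second_factor(event):
    return any(f in SECOND_FACTORS for f in event.get("factors", []))


def mfa_coverage(events, required=MFA_REQUIRED_SERVICES):
    """Per-service count of successful logins and of those that carried a second
    factor, plus a verdict that separates 'MFA never configured' from
    'MFA configured but bypassable'."""
    totals = defaultdict(int)
    with_mfa = defaultdict(int)
    for e in events:
        if e.get("result") != "success" or e.get("service") not in required:
            continue  # failed attempts and out-of-scope services do not count toward coverage
        totals[e["service"]] += 1
        if has_second_factor(e):
            with_mfa[e["service"]] += 1

    report = {}
    for svc in sorted(required):
        n, m = totals[svc], with_mfa[svc]
        if n == 0:
            verdict = "no_data"           # service is not sending auth events; that is itself a finding
        elif m == 0:
            verdict = "mfa_not_enforced"  # every login was password-only: MFA is not on this service
        elif m < n:
            verdict = "partial"           # some sessions bypass MFA: exception, legacy protocol or bad policy
        else:
            verdict = "enforced"
        report[svc] = {"logins": n, "with_mfa": m, "verdict": verdict}
    return report


def password_only_logins(events, required=MFA_REQUIRED_SERVICES):
    """Individual successful logins that should have carried a second factor but did not."""
    return [
        (e["ts"], e["service"], e["user"])
        for e in events
        if e.get("result") == "success"
        and e.get("service") in required
        and not has_second_factor(e)
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    for svc, row in mfa_coverage(evs).items():
        print(f"{svc:22s} logins={row['logins']:2d} with_mfa={row['with_mfa']:2d} verdict={row['verdict']}")
    for ts, svc, user in password_only_logins(evs):
        print(f"  password-only login: {ts} {svc} {user}")
```

Run against a real export, the two things to watch for are services that never appear in the log at all (the control cannot be verified from logs that are not being collected) and service accounts, which are the usual source of the "partial" verdict because they are exempted from MFA policies for convenience.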
2. Legacy technology inherited through the acquisition contributed to the problem
Mr. Witty: Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition.
Refer to the Shared Assessments resources Mergers and Acquisitions Risk and Cyber Security Points and Using TPRM Best Practices to Improve M&A Outcomes for insight on how to identify and manage risks associated with mergers and acquisitions.
3. UnitedHealth has strengthened the cybersecurity expertise of its board
Mr. Witty: [Mandiant has] been extremely helpful in understanding this attack, and they have become a board advisor to ensure that we have the very best advice at the top of the company.
Refer to the Shared Assessments resource 5 Ways to Strengthen Board’s Relationship with Cybersecurity to learn about the importance and benefits of a cyber-savvy board.
MediSecure Cyber Incident Linked to Third Party
MediSecure, a former Australian national prescription delivery service provider, recently reported the compromise of personal and limited health information of individuals relating to prescriptions, as well as healthcare provider information. MediSecure suggests the incident originated from one of its third-party vendors and confirmed the compromised data has been made available for sale on the dark web. The threat actor selling the information allegedly stolen from MediSecure claims to have 6.5 terabytes of stolen files containing prescription and login information and is selling the information for $50,000.
"Incidents like the MediSecure breach remind us of the critical need for robust cybersecurity measures within the healthcare sector."
Javvad Malik, Lead Security Awareness Advocate, KnowBe4 [Read More]
"The incident serves as a stern reminder for Australian organizations to scrutinize their vendors and other third parties closely. Supply chain attacks often infiltrate organizations through the weakest link."
Sumit Bansal, Vice President, BlueVoyant [Read More]
"Managing third-party security risks is resource-intensive but essential, as robust internal controls can be rendered useless if third-party vulnerabilities are exploited."
Mark Jones, Senior Partner, Tesserent | Cyber Solutions by Thales [Read More]
Refer to the Shared Assessments Third-Party Focused Ransomware Strategy for best practices and additional ransomware resources.
Are Cyber Teams Intentionally Not Reporting Incidents?
In a recent VikingCloud survey of cybersecurity professionals at companies in the United States, United Kingdom, and Ireland, 40% of respondents indicated cyber teams have intentionally not reported cyber incidents because they were worried about losing their jobs. The survey also found that only 17% have taken steps in the past 12 months to better secure their critical supply chain and 46% of healthcare organizations report being unprepared for DNS-related attacks.
Refer to this Cloudflare article to learn more about DNS-related attacks.
Free Support to Healthcare Startups Leveraging AI
Google recently announced the 24 startups selected for its Growth Academy: AI for Health program. The program provides free support to companies from Europe, the Middle East, and Africa that are leveraging AI to address health or wellbeing challenges.
Participating startups include:
These are examples of how AI, in the words of Naqi Khan, Physician Executive at AWS, "is having a substantial impact in the lives of patients and clinicians", but they are also a reminder of our reliance upon third-party AI and the importance of AI governance. Look for additional Shared Assessments AI governance resources to be released in the coming months and for continued discussions in the Shared Assessments Healthcare and AI & Emerging Technology committees.
Upcoming Events - Summer 2024
Live Product Demo: Third-Party Risk Management (TPRM) Product Family
June 13 | 12:00pm - 1:00pm ET | Register
Committee Meeting: Global ESG TPRM
June 20 | 11:00am - 12:00pm ET | 1 CPE | Sign Up
FREE Webinar: Elevating Risk Management: Mirato and Shared Assessments
June 26 | 11:00am - 12:00pm ET | 1 CPE | Register
Committee Meeting: Healthcare
July 23 | 12:00pm - 1:00pm ET | 1 CPE | Sign Up
Connect
More questions about Shared Assessments or our Healthcare Initiative? Please connect with Chris Johnson or Stephanie Moore.
Comment from a student at Khulna University, 4 months ago:
Here's a fascinating report on worldwide third-party risks that you might find worth exploring: https://securityscorecard.com/reports/third-party-cyber-risk/