Change Healthcare Wake-Up Call: Is Sector Too Codependent?
Denise Anderson and Errol Weiss of Health-ISAC Discuss Critical Cyber Issues
The Change Healthcare attack - the most disruptive cyber incident to ever hit the U.S. healthcare ecosystem - spotlights the risks that come from relying on a handful of major suppliers, said top leaders of the Health Information Sharing and Analysis Center.
"The real wake-up call was just the realization of how interconnected, how interdependent the healthcare sector is on a small number of service providers," said Errol Weiss, chief security officer of Health-ISAC.
"Not only do we see a lot of patient inconveniences where people couldn't get prescriptions filled or procedures were being canceled because of the lack of insurance information - hospitals were also dealing with an impact to cash flow because they couldn't file those insurance claims," Weiss said in a video interview with Information Security Media Group (see: Nursing Home Declares Bankruptcy, Blames Recent Cyberattacks).
"Now they're suddenly cash-strapped and having financial issues as well. That level of interconnectedness and dependencies was something that took a lot of people by surprise, and we'll certainly be looking at that going forward."
In previous times of crisis, said Denise Anderson, CEO of Health-ISAC, the healthcare sector realized how reliant it is on too few major suppliers. Those times include non-cyber-related circumstances, such as in the aftermath of Hurricane Maria in 2017 and when the coronavirus pandemic disrupted supply chains, she said.
But the Change Healthcare incident revealed the degree of reliance on major IT vendors - and the domino effect that can happen - at a scope not seen before.
"In many cases, organizations aren't aware of the concentration risk of so many of the organizations relying on one vendor for a particular item or process," she said.
"So, understanding the risks - whether they are concentration, geographic or other - is really important, and it takes a partnership between private sector and public sector to identify what those risks are and then how to address them."
In the video interview with ISMG, Anderson and Weiss also discuss:
- Health-ISAC's activities, including its threat intelligence work and its new internship program for budding cyber professionals;
- How cyber information-sharing practices - and the obstacles to them - differ across the globe;
- Major attack vectors, vulnerabilities and scams that affect the healthcare sector;
- The cybersecurity challenges that smaller and under-resourced healthcare providers face;
- The Department of Health and Human Services' cybersecurity performance goals for the healthcare sector.
Anderson chairs the National Council of ISACs. She also serves as a health sector representative to the National Cybersecurity and Communications Integration Center, which is a Department of Homeland Security-led coordinated watch and warning center. Anderson serves on the board of the Global Resilience Federation and is a member of the Cyber Future Foundation. Prior to Health-ISAC, she was vice president of Financial Services-ISAC.
Weiss has over 25 years of experience in information security. He began his career with the National Security Agency, conducting penetration tests of classified networks. He created and ran Citigroup's Cyber Intelligence Center and was a senior vice president executive with Bank of America's Global Information Security team. He is a member of the CyberEdBoard.