3rd Party Risk Management , Governance & Risk Management , Healthcare

Change Healthcare Wake-Up Call: Is Sector Too Codependent?

Denise Anderson and Errol Weiss of Health-ISAC Discuss Critical Cyber Issues
Denise Anderson, CEO, Health-ISAC, and Errol Weiss, chief security officer, Health-ISAC

See Also: OnDemand | Secure Your Vendor's Access from Attacks on Third-party Vulnerabilities

The Change Healthcare attack - the most disruptive cyber incident to ever hit the U.S. healthcare ecosystem - spotlights the risks that come from relying on a handful of major suppliers, said top leaders of the Health Information Sharing and Analysis Center.

"The real wake-up call was just the realization of how interconnected, how interdependent the healthcare sector is on a small number of service providers," said Errol Weiss, chief security officer of Health-ISAC.

"Not only do we see a lot of patient inconveniences where people couldn't get prescriptions filled or procedures were being canceled because of the lack of insurance information - hospitals were also dealing with an impact to cash flow because they couldn't file those insurance claims," Weiss said in an video interview with Information Security Media Group (see: Nursing Home Declares Bankruptcy, Blames Recent Cyberattacks).

"Now they're suddenly cash-strapped and having financial issues as well. That level of interconnectedness and dependencies was something that took a lot of people by surprise, and we'll certainly be looking at that going forward."

In previous times of crisis, said Denise Anderson, CEO of Health-ISAC, the healthcare sector realized how reliant it is on too few major suppliers. Those times includes non-cyber related circumstances, such as in the aftermath of Hurricane Maria in 2017 and when the coronavirus pandemic disrupted supply chains, she said.

But the Change Healthcare incident revealed the degree of reliance on major IT vendors - and the domino effect that can happen - at a scope not seen before.

"In many cases, organizations aren't aware of the concentration risk of so many of the organizations relying on one vendor for a particular item or process," she said.

"So, understanding the risks. Whether they are concentration, geographic or other is really important, and it takes a partnership between private sector and public sector to identify what those risks are and then how to address them."

In the video interview with ISMG, Anderson and Weiss also discuss:

  • Health-ISAC's activities, including its threat intelligence work and its new internship program for budding cyber professionals;
  • How cyber information-sharing practices - and the obstacles to them - differ across the globe;
  • Major attack vectors, vulnerabilities and scams that affect the healthcare sector;
  • The cybersecurity challenges that smaller and under-resourced healthcare providers face;
  • The Department of Health and Human Services' cybersecurity performance goals for the healthcare sector.

Anderson chairs the National Council of ISACs. She also serves as a health sector representative to the National Cybersecurity and Communications Integration Center, which is a Department of Homeland Security-led coordinated watch and warning center. Anderson serves on the board of the Global Resilience Federation and is a member of the Cyber Future Foundation. Prior to Health-ISAC, she was vice president of Financial Services-ISAC.

Weiss has over 25 years of experience in information security. He began his career with the National Security Agency, conducting penetration tests of classified networks. He created and ran Citigroup's Cyber Intelligence Center and was a senior vice president executive with Bank of America's Global Information Security team. He is a member of the CyberEdBoard.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.