Importance of Resilience in Mitigating Supply Chain Attacks
Nitin Natarajan of CISA on Emerging Lessons From Change Healthcare, Other Attacks

The Change Healthcare attack is already giving valuable lessons to the healthcare sector - mostly about the critical importance of resilience, especially when it comes to the industry's supply chain and third parties, said Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency.
"We're never going to prevent all incidents from happening, and we're not going to protect every organization until we have a magic bubble," he said in an interview with Information Security Media Group during the Healthcare Information Management and Systems Society 2024 conference in Orlando.
Change Healthcare, a unit of Optum, which is a subsidiary of UnitedHealth Group, is still recovering key IT systems and services taken offline after a Feb. 21 cyberattack. The outage has been disrupting claims processing, revenue cycle management, prescription services and an array of other processes at scores of medical clinics, hospitals and pharmacies across the country since the attack.
"The question is how do we bounce back and build resilience, recover from backups much sooner?" he said, adding that healthcare sector firms must "understand our supply chain vulnerabilities much better - to know we are dependent upon a product, chip or service from within the U.S. or internationally, and being able to mitigate that particular vulnerability of risk."
"We don't spend enough time understanding our supply chains - especially in healthcare when you look at the volumes of products that a healthcare institution is dependent upon - both hardware but also day-to-day medical supplies. You need to understand the vulnerabilities and have the redundancies built in to mitigate the risk if one major entity were to go down."
In this audio interview with Information Security Media Group at the HIMSS conference (see audio link below photo), Natarajan also discussed:
- The Biden administration's strategy for bolstering cybersecurity of the healthcare sector and resources from CISA to help with that effort;
- The top emerging threats involving AI in the hands of attackers;
- Leading threats and other cyber challenges facing the healthcare sector.
Natarajan was appointed deputy director of CISA in February 2021. Prior to joining CISA, he served in a variety of public and private-sector positions spanning over 30 years. Most recently, he served as a consulting firm executive. Natarajan also held a number of federal government roles, including deputy assistant administrator at the U.S. Environmental Protection Agency, director of critical infrastructure policy at the White House/National Security Council, and director at the U.S. Health and Human Services, overseeing healthcare and public health programs.