When Fourth Party Risk Becomes a First Party Nightmare

Post Summary
The MOVEit vulnerability is a critical security flaw in file transfer software that allows attackers to escalate privileges, execute arbitrary code, and steal sensitive data.
It has led to data breaches, operational disruptions, and ransomware attacks, with the Clop ransomware group targeting healthcare organizations in the U.S. and Canada.
HC3 advises applying security patches, disabling HTTP/HTTPS traffic to MOVEit servers, implementing firewalls and intrusion detection systems, and monitoring for signs of compromise.
Healthcare organizations often lack visibility into third- and fourth-party vendors using vulnerable software, making it difficult to assess risks and respond quickly.
Steps include maintaining a comprehensive vendor inventory, establishing strong communication channels, conducting regular vendor assessments, and implementing ongoing risk management processes.
Visit Censinet’s website for insights into vendor management and cybersecurity solutions.
The MOVEit vulnerability is a critical security flaw in file transfer software that is widely used across multiple industries. This vulnerability was first disclosed in June 2023 and has since been exploited by threat actors to gain access to and control of systems in a variety of healthcare organizations.
The MOVEit vulnerability could allow an attacker to escalate privileges, execute arbitrary code, and steal sensitive data. This could have a significant impact on healthcare organizations, as it could lead to data breaches, operational disruptions, and further ransomware attacks.
In June 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an alert warning healthcare organizations about the MOVEit vulnerability. The alert noted that the vulnerability had been exploited by the Clop ransomware group to target healthcare organizations in the United States and Canada.
The HC3 alert also provided guidance on how healthcare organizations could mitigate the risk posed by the MOVEit vulnerability. This guidance included:
- Applying the latest security patches for MOVEit
- Disabling all HTTP and HTTPS traffic to MOVEit servers
- Implementing additional security controls, such as firewalls and intrusion detection systems
- Monitoring systems for signs of compromise
- Healthcare organizations should take steps to implement these mitigation measures as soon as possible to protect themselves from the MOVEit vulnerability.
There is one question that still remains unanswered for healthcare organizations: how could they have mitigated this before the alert? The real observation here is that healthcare organizations did not know that MOVEit was being used on their behalf by the vendors supporting the digital solutions that contribute to patient care. How can a healthcare organization have visibility into this type of scenario when they do not know the depths and detail of who and how their organizations are being supported by third parties?
The CISO’s Take
As a healthcare Chief Information Security Officer (CISO), there are many responsibilities to oversee but one of the most critical is to ensure the protection of sensitive patient data and the resiliency and continued operations of the infrastructure supporting healthcare services. MOVEit is a widely used piece of software that third parties use to support the services they are providing. When a vulnerability is identified in a widely used piece of software that these third parties use, there needs to be a coordinated response and the ability to quickly understand which of their vendors are affected to better assess the risk and potential exposure. The problem faced is not easily solved and a multifaceted approach is required. As a starting point and thinking about what should we be doing as an industry to solve this problem, here are a few steps to take to begin to address these more frequent vulnerabilities:
- Vendor Inventory: If we don’t have a comprehensive, up-to-date inventory of all the vendors we use, as well as the products and services they provide, it can be hard to determine which vendors might be affected by a specific vulnerability. This includes understanding the depth of any fourth party products and services.
- Vendor Communication: Even if we know who our vendors are, it can still be difficult to communicate effectively with them, particularly in an urgent situation like this. Not all vendors might have the necessary protocols in place to respond to such inquiries promptly.
- Vendor Assessment: Each vendor could be affected differently by the vulnerability, depending on the version of the software they use, their specific implementation, and their own security controls. Understanding the extent to which each vendor is affected is a significant challenge.
- Risk Assessment: Once we know which vendors are affected, you need to assess the risk they pose to your organization. This includes understanding how their systems interact with your systems and processes, the sensitivity of the data they handle and the potential impact of a breach. Being able to address the challenges of your diverse portfolio is critical and time is of the essence.
- Mitigation Strategy: Based on the risk assessment, you need to develop and implement a mitigation strategy. This could involve working with the vendor to patch the vulnerability, disconnecting their systems until the issue is resolved, or in some cases, finding a new vendor.
- Ongoing Vendor Management: This is not a one-time problem. New vulnerabilities will continue to be discovered and there needs to be a robust process in place to manage your vendor relationships and respond to these situations in the future.
A solution to these problems would ideally involve a robust vendor management program that includes elements like maintaining a comprehensive vendor inventory, establishing strong communication channels with vendors, regularly assessing vendor security, and having a process in place to quickly assess and mitigate risks when a new vulnerability is discovered. Ultimately, the goal is to ensure the security and privacy of all patient data while maintaining the availability of your healthcare services.
Starting with visibility and evolving your vendor management program following the steps above is critical for solving these recurring problems. As this trend will not go away it is critical that every healthcare organization have a way to quickly assess which vendors and products are impacted and remediate or mitigate risks posed by when a new vulnerability is discovered.
Chris Logan
Chief Information Security Officer
Key Points:
What is the MOVEit vulnerability, and why is it significant?
The MOVEit vulnerability is a critical security flaw in file transfer software that allows attackers to:
- Escalate privileges.
- Execute arbitrary code.
- Steal sensitive data.
This vulnerability has been widely exploited, particularly in the healthcare sector, leading to data breaches and operational disruptions.
How has the MOVEit vulnerability impacted healthcare organizations?
The vulnerability has had severe consequences, including:
- Data breaches: Sensitive patient data has been exposed.
- Operational disruptions: Healthcare services have been interrupted.
- Ransomware attacks: The Clop ransomware group has specifically targeted healthcare organizations in the U.S. and Canada.
What mitigation steps has HC3 recommended?
The Health Sector Cybersecurity Coordination Center (HC3) has issued the following recommendations:
- Apply the latest security patches for MOVEit.
- Disable all HTTP and HTTPS traffic to MOVEit servers.
- Implement additional security controls, such as firewalls and intrusion detection systems.
- Monitor systems for signs of compromise.
Why is vendor management critical in addressing vulnerabilities like MOVEit?
Healthcare organizations often lack visibility into the software and services used by their third- and fourth-party vendors. This makes it challenging to:
- Identify which vendors are affected by vulnerabilities.
- Assess the risks posed by these vendors.
- Respond quickly to mitigate potential threats.
What steps can healthcare organizations take to improve vendor management?
To address vulnerabilities like MOVEit, organizations should:
- Maintain a vendor inventory: Track all vendors and their associated products and services.
- Enhance communication: Establish strong protocols for urgent vendor inquiries.
- Conduct vendor assessments: Regularly evaluate vendor security practices.
- Perform risk assessments: Understand the potential impact of vendor vulnerabilities.
- Develop mitigation strategies: Work with vendors to patch vulnerabilities or find alternative solutions.
- Implement ongoing management: Continuously monitor and manage vendor relationships.
How can healthcare organizations prepare for future vulnerabilities?
A robust vendor management program is essential. This includes:
- Comprehensive visibility into third- and fourth-party vendors.
- Proactive risk assessments and mitigation strategies.
- Strong communication channels to ensure rapid response to emerging threats.
Where can I learn more about managing vendor risks in healthcare?
Visit Censinet’s website for detailed insights into vendor management and cybersecurity solutions.