
When Fourth Party Risk Becomes a First Party Nightmare

Fourth Party Risk

The MOVEit vulnerability is a critical security flaw in file transfer software that is widely used across multiple industries. This vulnerability was first disclosed in June 2023 and has since been exploited by threat actors to gain access to and control of systems in a variety of healthcare organizations.

The MOVEit vulnerability could allow an attacker to escalate privileges, execute arbitrary code, and steal sensitive data. This could have a significant impact on healthcare organizations, as it could lead to data breaches, operational disruptions, and further ransomware attacks.

In June 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an alert warning healthcare organizations about the MOVEit vulnerability. The alert noted that the vulnerability had been exploited by the Clop ransomware group to target healthcare organizations in the United States and Canada.

The HC3 alert also provided guidance on how healthcare organizations could mitigate the risk posed by the MOVEit vulnerability. This guidance included:

  • Applying the latest security patches for MOVEit
  • Disabling all HTTP and HTTPS traffic to MOVEit servers
  • Implementing additional security controls, such as firewalls and intrusion detection systems
  • Monitoring systems for signs of compromise

Healthcare organizations should take steps to implement these mitigation measures as soon as possible to protect themselves from the MOVEit vulnerability.

There is one question that still remains unanswered for healthcare organizations: how could they have mitigated this before the alert? The real observation here is that healthcare organizations did not know that MOVEit was being used on their behalf by the vendors supporting the digital solutions that contribute to patient care. How can a healthcare organization have visibility into this kind of scenario when it does not know, in depth and detail, which third parties support its operations and how?

The CISO’s Take

As a healthcare Chief Information Security Officer (CISO), there are many responsibilities to oversee, but one of the most critical is to ensure the protection of sensitive patient data and the resiliency and continued operation of the infrastructure supporting healthcare services. MOVEit is a widely used piece of software that third parties rely on to support the services they provide. When a vulnerability is identified in software this widely used, there needs to be a coordinated response and the ability to quickly understand which vendors are affected in order to assess the risk and potential exposure. The problem is not easily solved, and a multifaceted approach is required. As a starting point for thinking about what we should be doing as an industry to solve this problem, here are a few steps to begin addressing these increasingly frequent vulnerabilities:

  1. Vendor Inventory: If you don’t have a comprehensive, up-to-date inventory of all the vendors you use, as well as the products and services they provide, it can be hard to determine which vendors might be affected by a specific vulnerability. This includes understanding the depth of any fourth party products and services those vendors themselves depend on.
  2. Vendor Communication: Even if you know who your vendors are, it can still be difficult to communicate effectively with them, particularly in an urgent situation like this. Not all vendors will have the necessary protocols in place to respond to such inquiries promptly.
  3. Vendor Assessment: Each vendor could be affected differently by the vulnerability, depending on the version of the software they use, their specific implementation, and their own security controls. Understanding the extent to which each vendor is affected is a significant challenge.
  4. Risk Assessment: Once you know which vendors are affected, you need to assess the risk they pose to your organization. This includes understanding how their systems interact with your systems and processes, the sensitivity of the data they handle, and the potential impact of a breach. Being able to address the challenges of your diverse portfolio is critical, and time is of the essence.
  5. Mitigation Strategy: Based on the risk assessment, you need to develop and implement a mitigation strategy. This could involve working with the vendor to patch the vulnerability, disconnecting their systems until the issue is resolved, or in some cases, finding a new vendor.
  6. Ongoing Vendor Management: This is not a one-time problem. New vulnerabilities will continue to be discovered, and there needs to be a robust process in place to manage your vendor relationships and respond to these situations in the future.
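The visibility problem in steps 1 through 5 comes down to a data question: given the name of a product in an advisory, which of our direct vendors are exposed, through which fourth party, and which of them should be handled first? The script below is an added example written for this post (it is not Censinet code and not part of the original article). It models the inventory as a small graph of vendors and the vendors they rely on, walks it to find the exposure path, ranks the hits by an assumed sensitivity-and-connectivity score, and maps the score to a mitigation action from step 5. Every vendor name, product other than MOVEit Transfer, score weight and action threshold is a constructed placeholder.

```python
"""Fourth-party impact lookup for a software advisory.

Added example, not from the original post. All vendor names, the
non-MOVEit product names, the score weights and the action thresholds
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    products: frozenset        # software this vendor itself operates
    subvendors: frozenset      # vendors it relies on (our fourth parties)
    data_sensitivity: str      # "PHI", "internal" or "public"
    network_access: bool       # has connectivity into our environment


# Constructed inventory; every name below is a hypothetical placeholder.
INVENTORY = {v.name: v for v in [
    Vendor("ClaimsCo", frozenset({"PostgreSQL"}), frozenset({"FileHub"}), "PHI", True),
    Vendor("FileHub", frozenset({"MOVEit Transfer"}), frozenset(), "PHI", False),
    Vendor("ImagingSvc", frozenset({"MOVEit Transfer"}), frozenset(), "PHI", False),
    Vendor("FacilitiesInc", frozenset({"OtherFTP"}), frozenset({"SensorCloud"}), "internal", True),
    Vendor("SensorCloud", frozenset({"OtherFTP"}), frozenset(), "internal", False),
    Vendor("NewsFeed", frozenset(), frozenset(), "public", False),
]}

# The vendors the healthcare organization contracts with directly (third parties).
DIRECT_VENDORS = ["ClaimsCo", "ImagingSvc", "FacilitiesInc", "NewsFeed"]

# Assumed weights: higher for more sensitive data and for a direct network path.
SENSITIVITY_WEIGHT = {"PHI": 3, "internal": 2, "public": 1}


def exposure_path(inventory, vendor_name, product, _seen=None):
    """Depth-first walk of the vendor graph.

    Returns the chain of vendor names from `vendor_name` down to the first
    vendor that actually operates `product`, or None if the product appears
    nowhere in that vendor's supply chain. `_seen` guards against cycles
    (vendor A relies on B which relies on A) and against unknown names.
    """
    seen = _seen if _seen is not None else set()
    if vendor_name in seen or vendor_name not in inventory:
        return None
    seen.add(vendor_name)
    vendor = inventory[vendor_name]
    if product in vendor.products:
        return [vendor_name]
    for sub in sorted(vendor.subvendors):
        path = exposure_path(inventory, sub, product, seen)
        if path:
            return [vendor_name] + path
    return None


def risk_score(vendor):
    """Step 4: ordinal score from the data handled and connectivity into our network."""
    return SENSITIVITY_WEIGHT[vendor.data_sensitivity] * (2 if vendor.network_access else 1)


def recommended_action(score):
    """Step 5: map the score to a mitigation action (thresholds are assumptions)."""
    if score >= 4:
        return "isolate the vendor connection until the vendor confirms patching"
    if score >= 2:
        return "request patch attestation from the vendor within 24 hours"
    return "monitor the vendor's advisory and follow up"


def impact_report(inventory, direct_vendors, product):
    """Steps 1-5 together: affected direct vendors, the fourth-party path, ranked by risk."""
    rows = []
    for name in direct_vendors:
        path = exposure_path(inventory, name, product)
        if path:
            score = risk_score(inventory[name])
            rows.append({"vendor": name, "via": " -> ".join(path),
                         "score": score, "action": recommended_action(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in impact_report(INVENTORY, DIRECT_VENDORS, "MOVEit Transfer"):
        print(f"{row['vendor']:<14} score={row['score']} via {row['via']}: {row['action']}")
```

Note that ClaimsCo never runs MOVEit itself; it is exposed only through FileHub, which is exactly the case the post describes, and it still ranks first because it handles PHI and has a network path into the organization. Extending the inventory with the vendor's reported product version would let step 3 (vendor assessment) filter on the affected version range from the advisory.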

A solution to these problems would ideally involve a robust vendor management program that includes elements like maintaining a comprehensive vendor inventory, establishing strong communication channels with vendors, regularly assessing vendor security, and having a process in place to quickly assess and mitigate risks when a new vulnerability is discovered. Ultimately, the goal is to ensure the security and privacy of all patient data while maintaining the availability of your healthcare services.  

Starting with visibility and evolving your vendor management program following the steps above is critical to solving these recurring problems. As this trend will not go away, it is critical that every healthcare organization have a way to quickly assess which vendors and products are impacted and to remediate or mitigate the risks posed when a new vulnerability is discovered.

Chris Logan

Chief Information Security Officer
