When Fourth Party Risk Becomes a First Party Nightmare

The MOVEit vulnerability is a critical security flaw in file transfer software that is widely used across multiple industries. This vulnerability was first disclosed in June 2023 and has since been exploited by threat actors to gain access to and control of systems in a variety of healthcare organizations.

The MOVEit vulnerability could allow an attacker to escalate privileges, execute arbitrary code, and steal sensitive data. This could have a significant impact on healthcare organizations, as it could lead to data breaches, operational disruptions, and further ransomware attacks.

In June 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an alert warning healthcare organizations about the MOVEit vulnerability. The alert noted that the vulnerability had been exploited by the Clop ransomware group to target healthcare organizations in the United States and Canada.

The HC3 alert also provided guidance on how healthcare organizations could mitigate the risk posed by the MOVEit vulnerability. This guidance included:

• Applying the latest security patches for MOVEit
• Disabling all HTTP and HTTPS traffic to MOVEit servers
• Implementing additional security controls, such as firewalls and intrusion detection systems
• Monitoring systems for signs of compromise
• Healthcare organizations should take steps to implement these mitigation measures as soon as possible to protect themselves from the MOVEit vulnerability.

There is one question that still remains unanswered for healthcare organizations: how could they have mitigated this before the alert?  The real observation here is that healthcare organizations did not know that MOVEit was being used on their behalf by the vendors supporting the digital solutions that contribute to patient care.  How can a healthcare organization have visibility into this type of scenario when they do not know the depths and detail of who and how their organizations are being supported by third parties?

The CISO’s Take

As a healthcare Chief Information Security Officer (CISO), there are many responsibilities to oversee but one of the most critical is to ensure the protection of sensitive patient data and the resiliency and continued operations of the infrastructure supporting healthcare services. MOVEit is a widely used piece of software that third parties use to support the services they are providing.  When a vulnerability is identified in a widely used piece of software that these third parties use, there needs to be a coordinated response and the ability to quickly understand which of their vendors are affected to better assess the risk and potential exposure.  The problem faced is not easily solved and a multifaceted approach is required.  As a starting point and thinking about what should we be doing as an industry to solve this problem, here are a few steps to take to begin to address these more frequent vulnerabilities:

1. Vendor Inventory: If we don’t have a comprehensive, up-to-date inventory of all the vendors we use, as well as the products and services they provide, it can be hard to determine which vendors might be affected by a specific vulnerability.  This includes understanding the depth of any fourth party products and services.  
2. Vendor Communication: Even if we know who our vendors are, it can still be difficult to communicate effectively with them, particularly in an urgent situation like this. Not all vendors might have the necessary protocols in place to respond to such inquiries promptly.
3. Vendor Assessment: Each vendor could be affected differently by the vulnerability, depending on the version of the software they use, their specific implementation, and their own security controls. Understanding the extent to which each vendor is affected is a significant challenge.
4. Risk Assessment: Once we know which vendors are affected, you need to assess the risk they pose to your organization. This includes understanding how their systems interact with your systems and processes, the sensitivity of the data they handle and the potential impact of a breach.  Being able to address the challenges of your diverse portfolio is critical and time is of the essence.  
5. Mitigation Strategy: Based on the risk assessment, you need to develop and implement a mitigation strategy. This could involve working with the vendor to patch the vulnerability, disconnecting their systems until the issue is resolved, or in some cases, finding a new vendor.
6. Ongoing Vendor Management: This is not a one-time problem. New vulnerabilities will continue to be discovered and there needs to be a robust process in place to manage your vendor relationships and respond to these situations in the future.

A solution to these problems would ideally involve a robust vendor management program that includes elements like maintaining a comprehensive vendor inventory, establishing strong communication channels with vendors, regularly assessing vendor security, and having a process in place to quickly assess and mitigate risks when a new vulnerability is discovered. Ultimately, the goal is to ensure the security and privacy of all patient data while maintaining the availability of your healthcare services.  

Starting with visibility and evolving your vendor management program following the steps above is critical for solving these recurring problems.  As this trend will not go away it is critical that every healthcare organization have a way to quickly assess which vendors and products are impacted and remediate or mitigate risks posed by when a new vulnerability is discovered.

Chris Logan

Chief Information Security Officer