In April 2023, nearly one million consumers were affected by a data breach in Massachusetts. The breach was the result of improper security procedures related to an ambulance service provider that was no longer in operation. Looking back on the incident, it is a reminder that third-party risk management (TPRM) is no longer optional.
Whether in healthcare or any other industry, an organization is only as secure as its supply chain. Third parties on that supply chain always represent some level of risk simply because organizations have very little control over the security positions taken by their vendors and third-party partners. The best organizations can do is deploy TPRM.
The Massachusetts Case
Getting back to the Massachusetts case, the breach was traced to Fallon Ambulance and its parent company, Transformative Healthcare. The latter had purchased the ambulance company in 2018 only to cease all of its operations in late 2022. But in the spring of the following year, hackers managed to gain access to archived data in Fallon’s storage system.
Hackers were apparently actively inside the data storage system from mid-February through mid-April. In total, they gained access to the personal information of more than 910,000 people. They also gained information related to employment and employment applications.
Compromised information included:
- Names and addresses
- Social Security numbers
- Medical information
- COVID-19 testing and vaccination data
In response to the data breach, Transformative Healthcare has had to offer victims several years of free identity protection services. The company is paying millions to make up for a data breach that could have been avoided.
The Basics of TPRM
Could TPRM have prevented the data breach? Probably. But even if not, it could have stopped the attack in its earliest stages, thereby mitigating the threat and minimizing the damage.
TPRM is a structured process implemented to identify, assess, and control risks associated with an organization’s third-party partners. Third parties can include vendors, contractors, service providers, and material suppliers. The more third parties an organization relies on, the greater the risk.
Third-party risk is associated with the risk posture of each supplier in the chain. Organizations employing TPRM seek to understand the risk each individual third party represents. TPRM contributes to that understanding through its key components:
- Identification and Discovery – Third parties are analyzed and inventoried in order to gain a full understanding of all external relationships.
- Risk Assessment – Third parties are evaluated to determine their level of risk. Risk assessment looks at cybersecurity measures, financial stability, compliance, and additional factors.
- Risk Mitigation – Organizations implement risk mitigation controls based on the analysis of each individual third party. Controls can include anything from security audits to contractual agreements.
- Continuous Monitoring – Organizations continuously monitor for any threats associated with their third-party partners. Any sign of an imminent threat activates an appropriate response.
The idea of continuous monitoring is to stay ahead of the game. Organizations like DarkOwl provide the necessary technology and services. DarkOwl’s darknet intelligence capabilities are ideal for managing third-party risk across supply chains of all sizes.
Modern Security Demands It
TPRM was once a luxury reserved only for the largest enterprises and corporations with unlimited security budgets. That’s no longer the case. Managing third-party risk is an absolute must at a time when ransomware and other profitable cyber-crimes seem to be proliferating.
Organizations may not have direct control over the security postures of their third-party partners. But they do have control over how third-party risk affects them. Now, more than ever, third-party risk management is a crucial tool in the fight against ongoing cybercrime. To not practice it is simply foolish.