HHS Steps Up Cybersecurity Oversight of Third-Party Vendors and Contractors

Department of Health and Human Services Intensifies Scrutiny of Third-Party Vendor Cybersecurity

The Department of Health and Human Services (HHS) has intensified its scrutiny of third-party vendor cybersecurity practices in the wake of a massive data breach at Change Healthcare in 2024. The incident, which exposed sensitive information of 190 million individuals, highlighted previously underestimated risks associated with external vendors and prompted concerns about the potential impact on the entire healthcare system.

Assessing the Impact of the Breach

According to Charlee Hess, director of healthcare and public health sector cybersecurity at the HHS’ Administration for Strategic Preparedness and Response division, the breach “threatened the liquidity of our entire healthcare system.” Hess emphasized that the incident underscored the need for greater awareness of third-party risks lurking in the healthcare system, which can have an outsized impact on the sector.

The Change Healthcare breach was attributed to the lack of multi-factor authentication on a remote access portal, which allowed unauthorized access to sensitive data. In response to the incident, multiple proposals have been put forth to impose mandatory cybersecurity rules on hospitals. However, these regulations have been met with opposition from healthcare organizations, which argue that additional burdens on the sector are unwarranted.

Strengthening Cybersecurity Posture

Despite the opposition, the HHS remains committed to strengthening the cybersecurity posture of third-party vendors. The agency recognizes that the healthcare sector’s reliance on external vendors and service providers creates a complex web of potential vulnerabilities, which can be exploited by malicious actors. As a result, the HHS is working to identify and mitigate these risks, with a focus on ensuring the security and integrity of sensitive healthcare data.

The HHS’ efforts to enhance third-party vendor cybersecurity are part of a broader initiative to strengthen the overall security posture of the healthcare sector. This includes implementing robust security controls, conducting regular risk assessments, and promoting a culture of cybersecurity awareness among healthcare organizations and their vendors.

Recommendations for Healthcare Organizations

In the wake of the Change Healthcare breach, the HHS is urging healthcare organizations to reevaluate their relationships with third-party vendors and to prioritize cybersecurity in their contracting and procurement processes. By working together, the HHS and the healthcare sector can reduce the risk of similar breaches in the future and protect sensitive healthcare data.

