The Concentrated Cyber Risk Posed by Enormous Vendors
Keith Fricke, Partner and Principal at tw-Security, on Big Vendor Concerns

The vast healthcare ecosystem disruption caused by the recent attack on Change Healthcare, which affected more than 100 of the company's IT products and services, underscores the concentrated cyber risk that occurs when a major vendor suffers a serious cyber incident, said Keith Fricke, partner and principal consultant at tw-Security.
"One of the possible outcomes of this whole event is that we might see a divestiture of an organization the size of UnitedHealth Group, like we saw in 1982 with AT&T and the divestiture to all the Baby Bells," he said, referring to the government-mandated breakup of the phone company giant into many smaller firms.
The fallout from the attack on Change Healthcare, a unit of UnitedHealth Group, shows how large the company's footprint is across revenue cycle, claims processing and other critical business processes in every segment of the healthcare sector. "We essentially had too many eggs in one basket," Fricke said. "With the rollup of so many conglomerates, that does cause a single point of failure," he said.
"When we have to scramble to conduct business and there are not many choices left, that makes it difficult for us to have a backup plan or a plan B."
On top of that, the enormous size of these vendors makes them bigger targets for cybercriminals, Fricke said. "The criminals are going after the large organizations," he said.
In this interview with Information Security Media Group, conducted at the Healthcare Information and Management Systems Society 2024 conference in Orlando, Florida, Fricke also discussed:
- Steps entities can take to reduce security risk involving major vendors;
- Red flags concerning third-party vendors that are hesitant to share details about their security practices or whether they've suffered previous breaches;
- Where AI offers the most promise in healthcare and where it brings the most serious concerns.
Fricke provides virtual CISO and cybersecurity advisory services for covered entities and business associates. He has over 35 years of experience in IT, and for 19 years he focused on healthcare information security tactical and strategic initiatives. Before joining tw-Security nine years ago, Fricke served as CISO for Mercy Health, formerly Catholic Health Partners, covering 24 hospitals across three states.