Critical Infrastructure Security, Government Regulations, Supply chain

HHS intensifies scrutiny of third-party vendor cybersecurity

The sun flares next to the sign marking the headquarters building of the US Department of Health and Human Services

CyberScoop reports that the massive Change Healthcare breach in 2024, which stemmed from the lack of multi-factor authentication on a remote access portal, has prompted the Department of Health and Human Services to place heightened scrutiny on the security practices of third-party service providers.

Such an attack, which exposed data from 190 million people and emphasized previously unrecognized risks tied to external vendors, "threatened the liquidity of our entire health care system," said Charlee Hess, director of the healthcare and public health sector cybersecurity at the HHS' Administration for Strategy Preparedness and Response division, at this year's CyberTalks.

"We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don't even know they're there. Where are those entities or systems that will have an outsized impact on our sector?" Hess added.

Multiple proposals imposing mandatory cybersecurity rules on hospitals have since been made in the wake of the Change Healthcare breach. However, such regulations have been opposed by the healthcare organizations, which argued its additional burdens on the sector, even if the Change Healthcare intrusion involved external compromise.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds