On February 21, 2024, Change Healthcare, the largest healthcare payment and revenue cycle management provider in the country, shut down more than 100 services in response to a ransomware attack from BlackCat/ALPHV. Since then, healthcare providers from the smallest physician-owned practices to the largest hospital systems have not been able to collect revenue or, in some cases, deliver patient care. This ransomware attack is nothing short of catastrophic for healthcare providers, with 1 in 3 transactions involving patients flowing through Change systems.
The latest developments have UnitedHealthcare Group, Change’s parent company, set to turn all claims functionality back on by April 29, 2024, returning a sense of normalcy to operations. Until then, Change Healthcare customers that use the affected services must find some alternate route to process health insurance claims and receive prior authorizations. They also must contend with understanding the impact of what data was stolen as part of the attack.
This ransomware attack is a catastrophe not only for Change Healthcare but also for its entire customer base. It’s also an object lesson in why third-party risk managers need to include catastrophe planning in their incident response strategies.
Change Healthcare is only the most recent example of a cyberattack having impacts far beyond one company. The Okta breach in late 2023 resulted in data theft from Okta’s customer support system. There has yet to be a full accounting of the impact on Okta customers from that incident. In another example, Perry Johnson & Associates, a healthcare transcription vendor, experienced a data breach that affected nearly 13 million patient records and resulted in multiple class-action lawsuits.
These and other third-party cyberattacks make incident response planning a necessity for a strong third-party risk management program. Knowing what to do when a cyberattack occurs at one of your vendors, no matter how critical, can go a long way toward ensuring business continuity.
Part of your third-party incident response planning should be developing playbooks for catastrophic events. Catastrophes like the Change Healthcare attack, where some healthcare providers have lost more than $1 million in revenue a day, are thankfully rare. That doesn’t mean that you can ignore the possibility of a massive cyberattack bringing down a critical vendor.
As part of your catastrophe planning, also referred to as disaster recovery, it’s important to know the answer to a few questions:
Catastrophe planning is essential for more than cyberattacks. A natural disaster can impact a business relationship as easily as a massive ransomware event. Integrating planning for a catastrophe into your third-party incident response playbook means you’re likely to be more prepared when a major event occurs.
Having a plan in place if a catastrophe affects one of your critical vendors is a vital part of third-party incident response. As with developing a third-party incident response playbook, creating and implementing an effective catastrophe plan has a few key steps:
1. Form a cross-functional team. Effective catastrophe planning requires a cross-functional team within the organization. This could be the same team responsible for incident response or include team members at more senior levels because responding to a catastrophe may require executive decisions. Consider including IT security, risk management, legal, and procurement or supply chain management teams.
2. Define roles and responsibilities. Catastrophic events require clear lines of responsibility and communication. You should already have a business continuity and disaster recovery plan in place in case of a severe cyberattack or event related to your own company. The roles and responsibilities of the cross-functional team in that plan could relate to a catastrophic event at one of your vendors or suppliers too.
3. Create a list of alternative solutions. A catastrophic event at one of your vendors might require you to pivot to an alternate solution. For example, some healthcare providers took out loans to pay their staff when Change Healthcare went down. Having a list of other options in place if one of your critical vendors or suppliers is no longer operational can ensure your business continuity. It’s also necessary for the most effective response.
4. Run tabletop exercises for catastrophe response. One of the most important things to do with catastrophe planning is to regularly run exercises for the response team. This goes beyond an incident response playbook where everyone knows their roles. Catastrophes are so infrequent that not practicing the steps for how to respond could lead to losing precious response time. This is what the Federal Emergency Management Agency (FEMA) does for its crisis responders and what the New York Police Department’s Crisis Intervention Team does to prepare for incidents in New York City. While a catastrophic event at a vendor may not be a matter of life or limb, it’s still necessary to run practical exercises so the response team knows what to do.
5. Continuously monitor for possible catastrophic events. Organizations cannot rely on vendors or suppliers to understand what is or is not catastrophic or promptly report it. It is therefore essential to continually monitor critical third parties for new and emerging threats. While this may seem obvious, it can be a monumental task for organizations with large vendor ecosystems. Instead of trying to manually stay on top of security news and community postings, look for threat intelligence providers that can automate and scale the monitoring process for you.
An effective third-party business continuity plan requires collaboration between internal and external stakeholders. Only by working in concert with their vendors to develop cohesive strategies can companies ensure they remain in operation during a catastrophic event.
Business continuity procedures incorporate the following activities:
Organizations need to develop processes related to business continuity, as well as a cohesive plan to follow during a catastrophic vendor event.
The Prevalent Third-Party Risk Management Platform serves a key role in that business continuity plan. With our capabilities around continuous risk monitoring as well as profiling and tiering, Prevalent ensures that security and procurement teams can visualize risks, communicate with impacted vendors, and assess the risks of working with each third party.
Prevalent’s vendor threat monitoring solution ensures that companies of all sizes can accurately track possible risks to their critical vendors. This enables them to determine what sort of risk they may be facing as well as understand early signals of a possible catastrophic event.
Prevalent has also developed a business continuity plan template to help define the policies and practices that will apply during a catastrophic vendor event. Having this plan in place ahead of time is critical in an environment where it’s impossible to predict the next catastrophe that could hit your vendor ecosystem.
For more on how Prevalent can help your organization develop a comprehensive third-party business continuity plan, request a demo today.