LabCorp Data Breach: Time for a New Third-Party Risk Diagnostic

Hot on the heels of the Quest Diagnostics announcement that 12 million patients were affected by a data breach, LabCorp followed suit by announcing their own breach affecting approximately 7.7 million consumers. As with the Quest breach, third-party collections firm American Medical Collection Agency (AMCA) appears to be the weak link in the chain.

According to the LabCorp SEC filing, exposed data may have included names, addresses, dates of birth and balance information from credit cards or bank accounts provided by the consumer to AMCA. Although the investigation is ongoing, AMCA took down its web payments page after a security firm alerted them to a possible compromise.

Two similar breaches announced in two consecutive days … from the same source!

What can organizations like LabCorp and Quest Diagnostics do to improve their cyber resiliency and improve visibility over potential vendor risks like these? Here are three immediate actions you can take:

1. Increase visibility into your vendor’s cyber activity and business risks

Continuous monitoring of vendor networks provide immediate insights into vendor risks that can inform deeper assessments. One thing that can be particularly helpful here is to look not only at the cyber/data risks of vendors, but also at their business and operational risks. For example, factors such as revenue announcements, layoffs, and prior data breach notifications can complement cyber security scans with important, qualitative metrics while providing an indicator of possible future risks.

2. Conduct deep, standardized assessments based on internal controls

Be sure to investigate what goes into the “scores” and “security ratings” used in your monitoring. With no vendor assurance, scoring and ratings deliver a limited view of vendor risk; there is no real assessment happening. By regularly conducting controls-based, standardized assessments, you gain the deepest view of each vendor’s data security practices. This approach requires vendors to prove they have the practices and policies in place to mitigate data breach risks. Too many data breaches involve lapses in controls, so you have to dive deeper into that security score and see if it tells you how a vendor would handle your data.

3. Unify continuous assessments and monitoring for a single, “inside-out/outside-in” security score

The cost – and time – required to complete thorough vendor assessments is increasing, while resources to perform assessments remain limited (to say the least). Combining point-in-time vendor assessments and continuous monitoring into a single, integrated platform delivers maximum visibility, simplifies management, and lowers total cost of ownership. The benefits here are clear:

• Fewer third-party risk solution vendors to manage
• Less time to complete, analyze and remediate vendor control problems
• Reduced support costs

Delivered in the simplicity of a secure cloud, the Prevalent platform unifies automated vendor assessments, continuous threat monitoring, and evidence sharing – all backed by expert advisory and consulting services to optimize your risk management program. If you are looking to gauge your organization’s third-party risk management maturity, or want help designing a program to improve vendor security, please contact us today.