Vendor Security Risk Management: A Growing Concern
Eddie Chang of Travelers Insurance on Lessons from Vendor Breaches
As spotlighted by the recently revealed breach at American Medical Collection Agency, which so far has impacted at least four healthcare sector clients and more than 20 million patients, vendor risk management is an increasingly critical component of information security, says Eddie Chang of cyber insurer Travelers Insurance.
"As healthcare companies and providers allow other companies in the space - business associates - to have access to their data, their network - once you do that, then whatever vulnerabilities your vendors have become your vulnerabilities," says Chang in an interview with Information Security Media Group.
On June 3, three medical testing lab firms - Quest Diagnostics, LabCorp and BioReference Laboratories - each submitted an 8-K filing with the Securities and Exchange Commission warning investors that it was a victim of an "unauthorized access" breach of AMCA's web payment page that occurred between August 1, 2018, and March 30, 2019.
AMCA handled collections for LabCorp and for BioReference Laboratories, a subsidiary of OPKO Health. Quest Diagnostics says that in its case, a contractor, Optum360 - a unit of health insurer UnitedHealth Group - was the AMCA client, and AMCA handled collections on Optum360's behalf.
Quest Diagnostics says 11.9 million of the patients it serves were potentially affected; LabCorp says 7.7 million patients may have been impacted; and BioReference Labs says data on approximately 422,600 of its patients was potentially compromised by the incident.
AMCA has not yet disclosed how many companies and individuals might have been impacted by the breach.
While not speculating on the specifics of the AMCA case, for which details have not yet emerged, Chang notes that any number of vendor security weaknesses can - and do - put clients' data, as well as consumers, in jeopardy.
"If your vendor is using poor password techniques and hackers are able to get into their networks, and from there, get onto your network, basically those poor password control techniques of your vendor have just exposed your own network to an attack," Chang says.
"The real takeaway is that it is really important for companies to have pretty strict procedures and policies about managing their vendors," he says.
In the interview, Chang also discusses:
- Steps organizations should consider to bolster vendor security risk management practices and policies;
- Security and privacy concerns involving third-party health applications;
- Other top cybersecurity challenges facing the healthcare sector.
Chang is second vice president of cyber risk management at New York-based Travelers Insurance, which has approximately 30,000 employees and generated revenues of approximately $30 billion in 2018. In his role, Chang, who is based in Hartford, Conn., is involved in underwriting, risk control and catastrophe analysis for the company's cyber insurance policies. Prior to joining Travelers, Chang was a federal prosecutor who focused on prosecuting Romanian phishers, Nigerian fraudsters and other computer hackers and cyber criminals. Previously, Chang was a software development engineer in Microsoft's advanced technology division.