By Jeff Wardon, Jr., Assistant Editor

The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are informing individuals about a potential data breach involving protected health information (PHI) and personally identifiable information (PII), according to a press release. This breach occurred due to a security vulnerability in MOVEit, a third-party software used by WPS, a CMS contractor that handles Medicare Part A/B claims. 

Third-party vendors are a potential vector for cybercriminals to use in their attacks. Many healthcare organizations utilize some form of third-party services, so they do run the risk of being vulnerable to cyberattacks from them. They also run the risk of having critical services being disrupted as well. 

Related: North Korean Operative Accused of Hacking into U.S. Healthcare Providers

“All these modern-day hospitals, for example, are super dependent on IT to be able to run efficiently and effectively,” Errol Weiss, chief security officer at Health-ISAC, told Healthcare Facilities Today. “Of course, that IT now transcends these organizational boundaries. So, all these connection points have become incredibly complicated.” 

With healthcare organizations being dependent on third-party services and vendors, one breach in that network can cause a ripple effect all throughout it. Essentially meaning all involved parties become embroiled in a much larger problem. 

Given this, healthcare organizations must look at these vulnerabilities in their business models from a risk management perspective, according to Weiss. For example, if a healthcare organization does business with a vendor that’s handling a critical process and sharing sensitive information, Weiss says to make sure to investigate their security policies. 

“This is to make sure that they're taking security seriously and doing the right things internally when it comes to cybersecurity,” says Weiss. 

Jeff Wardon, Jr., is the assistant editor for the facilities market.