BLOG

TPRM is Broken: Healthcare’s Unsustainable Approach to Third-Party Vendor Risk Management

CORL and HITRUST specialize in delivering cybersecurity assurance products and services for the healthcare industry including Third-Party Risk Management (TPRM) programs. Our companies have been listening attentively to our clients and colleagues and one message has come across loud and clear: TPRM is broken and we need to collaborate as an industry to fix it. This blog provides a summary of the feedback and perspectives from cybersecurity and risk leaders charged with managing healthcare TPRM programs. Read More

Cloud Security Alliance Weighs in on Third-Party Risk Management in Healthcare

Cloud Security Alliance (CSA) recently released new guidance on managing third-party cyber security risk in healthcare that offers some practical and useful tips for defenders to consider. The report comes on the heels of a new industry report from IBM that cites healthcare as the highest sector for breach costs. The IBM report also notes that 45% of breaches were cloud-based and almost one fifth of breaches occurred because of a compromise at a third-party business partner. Read More

Keep Up with CORL: Vendor Breach Digest, 5/9/22

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain. Breaches covered in this release: Okta & Microsoft, SummaCare, Healthplex, Inc, GitHub, Arcare, American Dental Association, T-Mobile, Mental Health Center of Greater Manchester, Mountain Area Health Education Center, The State Bar of Georgia, McCarter & English, Kaiser Foundation, Health Plan, Touchstone Imaging, DialAmerica Marketing, Block, Parker Hannifin Corporation, MailChimp, HubSpot, Cytometry Specialists, Palo Alto Networks, Globant, and Gainwell Technologies. Read More

Mitigating Fourth-Party Cyber Risks in Healthcare

This blog post provides insights into the growing risks associated with fourth-party vendors and applications that many healthcare organizations have not yet addressed. The objective of this publication is to level set definitions for fourth-party risk, outline current risk mitigation models and challenges, and propose innovative approaches for mitigating supply chain risks that extend to fourth parties. Read More

Keep Up with CORL: Vendor Breach Digest, 3/15/22

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain. Breaches covered in this release: Morley Companies, South Denver Cardiology Associates, Securitas, Priority Health, Medical Healthcare Solutions, PracticeMax, Charlotte Radiology, RR Donnelley, US Radiology Specialists, Pekin Insurance, The International Committee of the Red Cross, DataHEALTH, American Osteopathic Association, Vantage Holding Company, Crossroads Health, UMass Memorial Health, LGAA... Read More

Russia/Ukraine Cyberwar: Healthcare Vendor Risks & Response

Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyberattacks stemming from the ongoing conflict between Russia and Ukraine. This blog post provides threat intelligence on the escalating cyberwar activities stemming from this conflict as well as recommendations for healthcare vendor risk management programs to prepare and respond to these emerging threats. Read More

Obtaining Buy-In for Your Third-Party Risk Management Program

Third-party risk management breaches have been snowballing in recent months with no clear end in sight. However, too many healthcare organizations have maintained a status quo approach to their Third-Party Risk Management (TPRM) and Vendor Risk Management (VRM) programs. This blog provides recommendations for delivering messaging to key stakeholder groups within healthcare entities to make the business case for further investments in third-party risk programs. Read More

Keep Up with CORL: Vendor Breach Digest, 1/17/22

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain. Breaches covered in this release: Kronos, Microsoft Exchange Outlook Web Access, BioPlus, QRS, BDO, The Medical Review Institute of America, Doxy.me, Jefferson Surgical Clinic, EMI Health, Neuro-Rehab Associates, UScellular, Georgia Bone and Joint Surgeons, Anthem, Walgreens, Daniel J. Edelman Holdings, A New Leaf Inc, Ibex, Ciox Health, Broward Health, UAW Retiree Medical Benefits, T-Mobile, Southern Orthopaedic Association, CompuGroup Medical & Bertelsmann, and Fiondella, Milone & LaSaracina LLP. Read More