BLOG

CISA Cyber Performance Goals: Third-Party & Supply Chain Requirements

The Cybersecurity and Infrastructure Security Agency (CISA) has been hinting for weeks about a pending announcement on cybersecurity for the nation’s critical infrastructure including healthcare. That update has arrived in the form of a major publication titled CPG: Cross-Sector Cybersecurity Performance Goals.[1]The CPGs provide a mechanism for healthcare organizations and other critical sector entities to prioritize their implementation of the most effective and essential security controls required to defend against emerging cyberattacks. This blog provides an overview of the CPGs and delves into the CPGs that are dedicated to supply chain and third-party vendor risk management. We also discuss the history and genesis of the CPGs, definitions and components, and practical applications for the CPGs for healthcare organizations. Read More

Keep Up with CORL: Vendor Breach Digest, 10/11/22

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain. Breaches covered in this release: Okta & Microsoft, SummaCare, Healthplex, Inc, GitHub, Arcare, American Dental Association, T-Mobile, Mental Health Center of Greater Manchester, Mountain Area Health Education Center, The State Bar of Georgia, McCarter & English, Kaiser Foundation, Health Plan, Touchstone Imaging, DialAmerica Marketing, Block, Parker Hannifin Corporation, MailChimp, HubSpot, Cytometry Specialists, Palo Alto Networks, Globant, and Gainwell Technologies. Read More

Healthcare Vendors Sharing PHI with Facebook: Analysis & Recommendations

A bombshell news report was issued by The Markup on June 16 in their publication, Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Specifically, the report claims that healthcare organizations across the country have installed Meta Facebook’s Meta Pixel tracking tool on patient portals and other patient-facing websites. The Meta Pixel platform reportedly sends Facebook Protected Health Information (PHI) including patient names, IP addresses, names of doctors, appointment information, prescription details, and more for many of the nation’s hospitals. Read More

The History and Future of Third-Party Risk Management in Healthcare

Identifying the cybersecurity gaps in your vendor ecosystem is only one part of solving for risk. Risk management and reduction can only be achieved when third-party risk management programs make concrete investments to support their vendors in making timely and cost-effective improvements in their cybersecurity program. Here at CORL, we are committed to more than risk measurement. We foster excellence and accountability on both sides of the vendor contract by actively championing and managing proactive remediation and risk maintenance. Read More

Teaching a Vendor to Phish: How to Help Your Vendors Remediate Cyber Risks

Identifying the cybersecurity gaps in your vendor ecosystem is only one part of solving for risk. Risk management and reduction can only be achieved when third-party risk management programs make concrete investments to support their vendors in making timely and cost-effective improvements in their cybersecurity program. Here at CORL, we are committed to more than risk measurement. We foster excellence and accountability on both sides of the vendor contract by actively championing and managing proactive remediation and risk maintenance. Read More