No Easy Fix For Untangling Web of Critical Dependencies – Duo Security


As healthcare providers, hospitals and patients continue to reel from the impact of the Change Healthcare ransomware attack, private and public sector cybersecurity officials are pointing to the incident as a stark reminder of how interconnected systems can have widespread impacts. But mapping out and pinpointing those critical entities – and all the moving parts and pieces that make them up – is a complicated process.

During a Wednesday event hosted by the Foundation for Defense of Democracies, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that it was important for the U.S. government to sit down with healthcare sector stakeholders and the Department of Health and Human Services, in order to get a better idea of how to highlight companies “that are much more critical than we actually were expecting.”

“That work is continuing, we will be doubling down on that work with the authorities coming out of the National Security Memorandum,” said Easterly. “But it just illuminates the fact that we have to have an understanding of global supply chains and where impacts can be felt most seriously to the American people.”

Easterly said that the government had created a list of fewer than 500 organizations that, if disrupted, could trigger a detrimental impact to national security, economic security or public health and safety. However, even within the individual organizations on that list, various complex layers of subsidiaries and subfunctions exist. Change Healthcare parent UnitedHealth Group, for instance, has scooped up a tangle of healthcare companies over decades, ranging from healthcare technology services company Optum to health information technology and data firm Ingenix. With all of these organizations under its belt, UnitedHealth said it works with partners and providers to support 152 million individuals – but as the Change Healthcare incident shows, pinpointing the company’s specific services and their various influences on patients, providers and hospitals isn’t so simple.

“When the Change Healthcare [attack] happened, I went back and looked at that list,” said Easterly. “You saw the parent company, obviously one of the biggest companies, [and that] would be something we would think about as a systemically important entity, but Change was not part of that.”

This post was originally published on the third-party site mentioned in the title of this site.
