Almost nine months after the incident occurred, the breach of Accellion is still claiming victims. Last Friday, 1,500 patients of Beaumont Health in Michigan were notified that some of their personal data was accessed in the attack. Beaumont Health got the news from Goodwin Procter, a law firm that the hospital system shared data with. Beaumont's follow-up investigation found that protected health information, including patient name, procedure name, physician name, internal medical record number and dates of service, was exposed. Fortunately, no financial data was affected.
Beaumont Health joins a list of 11 other known health organizations that were affected by the attack. The Accellion incident is a continuing reminder not to run outdated software and to apply patches for known vulnerabilities as soon as they are released. Companies may also want to consider a third-party risk management (TPRM) program. A blog on Security Boulevard written by Tony Howlett highlights how companies can either create a TPRM program or improve one that is already in place. Some of those recommendations include:
• Do better vendor risk assessments before onboarding new vendors and on a more regular basis.
• Implement more controls for risky and critical vendors.
• Multi-factor authentication (MFA) should be a standard control.
• Add credential vaulting and privileged access management for any use of privileged credentials by third-party vendors.
• Closer reviews of key supply chain vendors should also be instituted.