What happened:
On the local Boston evening news this story might have been headlined as, “Hacker with a Heart of Gold” or “Un-Patch Adams.” A hacker successfully exploited an infrastructure management company whose customers included Boston-area hospitals, including Boston Children’s Hospital. But rather than exploit the hospitals … he alerted them.
The hacker reportedly realized that ENE Systems of Canton, Massachusetts provided an attack path into its hospital customers, and stopped there. Concerned that ENE was not responding to the risk it posed to those hospitals, the hacker reached out to a cybersecurity blogger, who worked with a cybersecurity consultant to alert the hospitals so they could secure themselves against their vendor.
Why is this important?
Keep in mind that your service providers may not be looking out for you.
What does this mean to me?
Make sure in your vendor risk management program you are asking your vendors how their controls address risks to YOU, not just to THEM.
Ask them how they explicitly consider your harm as they assess and mitigate risk.
Ask them where in their incident response policies they evaluate the risk to you, and whether they will notify you about risks you may face as a result of an incident on their side.
Related threats
Third-party / vendor negligence
Related vulnerabilities
Lack of insight into third-party security measures
Helpful controls
Endpoint Detection and Response (EDR)
Extended Detection and Response (XDR)
Mobile Device Management (MDM)
Commonality of attack
DoCRA risk analysis at third parties and vendors