Vendor Management Needed in Light of NRC Health Ransomware Attack

Last week, NRC Health became the latest vendor to report it fell victim to a ransomware attack, which locked the company out of its computer systems as it worked to recover. Given its massive list of healthcare clients, the cyberattack could become a massive data breach. NRC Health sells software to about 9,000 healthcare organizations, or about 75 percent of the 200 largest hospital chains in the US. Its clients include Cedars Sinai, Adventist Health, Providence Health, and a host of others, according to its website. In total, the vendor collects data from over 25 million US and Canadian consumers each year. While the vendor continues to recover and investigate the incident, security leaders have stressed what the incident could mean for patient privacy. But the NRC Health cyberattack sheds light on a greater concern to healthcare organizations: How can covered entities and other providers rein in their control over the vast number of vendors with which they interact, some of which are unknown?