A hospital often brings in suppliers: maybe a pharmacy service that handles electronic medical records, or a CT-scanning technology to inspect a broken bone. But ransomware actors target third-party imaging vendors and electronic medical records systems—meaning any third-party risk can become a first-party risk, which is no party at all.

Healthcare CISOs and industry leaders have formed the Health3PT initiative, which aims to collect best practices to address security responsibilities along the supply chain. An agreed-upon framework, its members hope, will support buyers, suppliers, and security professionals as the line blurs between a hospital environment and their partners’ environments.

“You can’t help but care about what those risks are that your partners could potentially introduce. Their hygiene is now your hygiene,” said Omar Sangurima, principal technical program manager at the Memorial Sloan Kettering Cancer Center.

Sangurima is one of many industry leaders who will be on numerous Zoom calls this year to determine the Health3PT guidelines for third-party suppliers. The best practices will largely be pulled from the HITRUST Common Security Framework (CSF), a set of risk controls that include practices like management responsibilities, segregation in networks, and user-access rights.

Health3PT plans to publish its “research on third-party risk metrics” in the first quarter of 2023.

WannaCollaborate? When WannaCry ransomware hit hospitals in 2017, the attack froze a range of Windows-based technologies, from workstations all the way down to unpatched, connected MRI devices.

Read more here.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected]

Ransomware gangs may have been down in terms of attack volume and income in 2022, but they’re not out—as evidenced by a recent report showing threat actors kept up their efforts over the holiday season.

In their December 2022 threat report, researchers with security firm NCC Group tracked a total of 269 ransomware attacks that month, up 2% from November. Yet the security firm said that this was unusual, as its own data (contrary to expectations) historically showed decreases “as cybercriminals, like any organization, take time to enjoy the festive season.” Last year, it saw a 37% drop in ransomware attacks from November to December.

According to NCC Group, the LockBit 3.0 ransomware-as-a-service gang—whose business model has been both massively successful and increasingly drawing heat from authorities—regained its usual lead among threat actors, responsible for 19% of attacks.

BianLian, a group that utilizes unusual Golang-based malware, more than doubled their activity from November to rank second with 12% of all attacks. Coming in third was the notorious BlackCat group at 11%, which NCC Group said also doubled its attacks from the month prior in its most active month on record.

NCC Group also observed a continued rise in distributed denial-of-service (DDoS) attacks, as well as a number of attacks in which threat actors attempted to extort targets by releasing their names, letter by letter. Matt Hull, NCC group’s global head of threat intelligence, told IT Brew this likely reflects the broader trend of ransomware gangs increasingly relying on tactics beyond encryption to coerce victims.

Keep reading here.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] Want to go encrypted? Ask Tom for his Signal.

Today’s top IT reads.

Stat: 100 million. That’s the number of users ChatGPT has two months after its launch, setting the record for fastest-growing consumer application in history. (Reuters)

Quote: “In a startling turn of events, CIOs and hiring managers of IT professionals have seen the elimination of over 100,000 jobs from the open requisition for those positions.”—Janco Associates CEO Victor Janulaitis on open IT jobs disappearing in an uncertain economic climate (Computer Weekly)

Read: CNET employees say Red Ventures, which bought the tech site in 2020, has pressured them to favor advertisers in coverage and pushed them to publish plagiarism-riddled AI-written content. (The Verge)