Cyber alert for the Australian health sector including managed service providers
May 23, 2022
The Australian Cyber Security Centre and its cyber security partners in the UK, USA, Canada and NZ, expect malicious cyber actors - including state-sponsored advanced persistent threat (APT) groups - to increase targeting of managed service providers (MSPs) to exploit provider-customer network trust relationships.
The cybersecurity authorities of Australia, NZ, the UK, Canada and the USA last week issued a joint advisory containing specific recommendations for MSPs and their customers to help them reduce their exposure to cyberattacks and improve their overall data security.
The Australian Cyber Security Centre and its cyber security partners in the UK, USA, Canada and NZ, expect malicious cyber actors - including state-sponsored advanced persistent threat (APT) groups - to increase targeting of managed service providers (MSPs) to exploit provider-customer network trust relationships.   
MSPs are entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. These entities usually provide ICT services on the customer’s technology and infrastructure, such as endpoint patching and management; network connectivity and backup/disaster recovery support.
How could this affect me?
The services provided by MSPs require trusted network connectivity and privileged access to customer ICT systems. If an attack on an MSP is successful, it is likely to lead to further attacks (such as cyber espionage or ransomware attacks) on the MSP’s customers.
What do I need to do?
If your organisation uses MSPs to manage, operate, secure and/or access your ICT systems, you should review the ACSC advisory and recommended mitigation advice.   The following actions should be undertaken as a matter of urgency:
- Identify and disable vendor accounts that are no longer in use
- Enforce multi-factor authentication on MSP accounts that access your ICT environment
- Ensure that your MSP contracts clarify the MSPs’ ICT security roles and responsibilities, including how they will securely manage access to your network; and for notifying you if there is a cyber security incident that affects the MSP’s environment and/or your ICT systems.
Attacks on MSPs and other suppliers present risks across multiple entities (i.e. the customer organisation, the suppliers’ organisations, and the organisations that supply the supplier organisations) as depicted below. This shared risk entails shared mitigations.
Accordingly, the recommended mitigation strategies  are to implement
- Security controls that are directly within your organisation’s powers (e.g. appropriate network segmentation, maintaining overall network security, mitigating the impacts of stolen credentials, and monitoring MSP activities on customer networks), as well as
- Security controls that require shared effort (e.g. establishing transparent cyber security conversations with key parties, as well as setting clear protocols and expectations for both parties).
The Australian Signals Directorate’s Essential Eight recommendations should be consulted by all parties for guidance on improving the cyber security of Australian organisations’ ICT systems. 
Resources and more information
- Australian Cyber Security Centre. Protecting Against Cyber Threats to Managed Service Providers and their Customers. Available from: https://www.cyber.gov.au/acsc/....
- Cybersecurity & Infrastructure Security Agency. CISA, NSA, FBI and international cyber authorities issue cybersecurity advisory to protect Managed Service Providers (MSP) and customers.
- Data Breach Today. Five Eyes Alliance Warns MSPs About Targeted Cyberattacks. Available from: https://www.databreachtoday.co....
- Australian Cyber Security Centre. Managed Service Providers: How to Manage Risk to Customer Networks.
- Australian Cyber Security Centre. Essential Eight Maturity Model.
- Cloud Security Alliance. Healthcare Supply Chain Cybersecurity Risk Management. Available from: https://cloudsecurityalliance....;
- NZ Government. Supply chain cyber security. Available from: https://www.ncsc.govt.nz/asset....
Visit the Agency’s Digital Health Cyber Security pages for a range of cyber security guidance materials at:
Contact us at: firstname.lastname@example.org