WEBVTT

1
00:00:00.000 --> 00:00:03.030
Marianne McGee: Hi, I'm Marianne Kolbasuk McGee with Information

2
00:00:03.030 --> 00:00:06.780
Security Media Group. Recently in Michigan, law firms reported

3
00:00:06.780 --> 00:00:10.920
a breach affecting 250,000 healthcare patients. It took a

4
00:00:10.920 --> 00:00:15.090
year for Warner Norcross and Judd to discover the hack. And

5
00:00:15.090 --> 00:00:17.790
as it turned out, some of the compromised patient data was up

6
00:00:17.790 --> 00:00:22.320
to 10 years old. Even worse, it held a treasure trove of

7
00:00:22.320 --> 00:00:27.570
information for cybercriminals: names, dates of birth, Social

8
00:00:27.570 --> 00:00:31.320
Security numbers, driver's license numbers, government

9
00:00:31.320 --> 00:00:35.880
issued IDs, annual compensation, credit card and debit card

10
00:00:35.880 --> 00:00:40.350
numbers and PINs, bank account and routing numbers, passport

11
00:00:40.350 --> 00:00:43.650
numbers, patient health information and life insurance

12
00:00:43.650 --> 00:00:47.100
information. The law firm was holding the data as part of a

13
00:00:47.100 --> 00:00:50.730
special project for Priority Health, a Michigan health

14
00:00:50.730 --> 00:00:54.060
insurance company, which got the data from area healthcare

15
00:00:54.060 --> 00:00:58.530
providers. Privacy experts say that these data privacy red

16
00:00:58.530 --> 00:01:02.100
flags highlight an all too familiar pattern with

17
00:01:02.130 --> 00:01:04.200
third-party business associates.

18
00:01:04.270 --> 00:01:08.080
Kate Borten: Why would you need data from decades ago, if

19
00:01:08.080 --> 00:01:10.990
there's been no more activity with those records and so on? In

20
00:01:10.990 --> 00:01:15.490
the healthcare provider space, long before HIPAA, there's been

21
00:01:15.490 --> 00:01:20.890
a sense that patient privacy was something that mattered and was

22
00:01:20.890 --> 00:01:26.350
considered sort of an implicit value of provider organizations.

23
00:01:26.650 --> 00:01:30.160
If you're working for a tech firm or service provider, you're

24
00:01:30.160 --> 00:01:35.560
doing billing or collections, revenue issues, you're doing

25
00:01:35.560 --> 00:01:39.820
transcription. They're all very impersonal. And so I think

26
00:01:40.540 --> 00:01:43.120
there's something in the mentality of the companies

27
00:01:43.120 --> 00:01:45.610
that's just a little bit distant from patients.

28
00:01:45.630 --> 00:01:47.610
Marianne McGee: Attacks against business associates are

29
00:01:47.610 --> 00:01:54.030
escalating, more than doubling since 2018, and on track in 2022

30
00:01:54.150 --> 00:01:58.680
for more than 220 such incidents. Cybersecurity experts

31
00:01:58.680 --> 00:02:01.560
say this is a sign that cybercriminals are changing

32
00:02:01.560 --> 00:02:02.490
their tactics.

33
00:02:02.520 --> 00:02:05.790
Denise Anderson: For example, we just saw an attack a couple of

34
00:02:05.790 --> 00:02:08.880
weeks ago against an NHS that came through a third party. It

35
00:02:08.880 --> 00:02:11.820
was a technology firm called Advanced and they had an

36
00:02:11.820 --> 00:02:14.430
incident which then spread to the NHS and impacted their

37
00:02:14.430 --> 00:02:19.440
operations. So it's really critical that companies: No. 1,

38
00:02:19.470 --> 00:02:22.800
know who their suppliers are and No. 2, understand the

39
00:02:22.830 --> 00:02:25.110
vulnerabilities that the supplier can present to their

40
00:02:25.110 --> 00:02:29.340
organization and No. 3, take steps to make sure that these

41
00:02:29.400 --> 00:02:33.240
third parties have good cybersecurity practices in place

42
00:02:33.510 --> 00:02:37.950
that will help shore up their defenses so that they won't be

43
00:02:37.950 --> 00:02:38.670
impacted.

44
00:02:38.780 --> 00:02:40.820
Marianne McGee: Vendors and business associates are the

45
00:02:40.850 --> 00:02:44.210
fastest-growing segment of data breaches, now accounting for

46
00:02:44.210 --> 00:02:48.980
nearly one-fourth of all hacking incidents. And one single hack

47
00:02:49.010 --> 00:02:51.980
of a third party can lead to numerous breaches affecting

48
00:02:51.980 --> 00:02:55.730
healthcare providers. For example, a ransomware attack

49
00:02:55.730 --> 00:02:58.880
against Colorado-based Professional Finance Company in

50
00:02:58.880 --> 00:03:03.620
February exposed personal health information at more than 650

51
00:03:03.620 --> 00:03:07.340
dental practices, physician groups and hospitals. Eye Care

52
00:03:07.340 --> 00:03:10.790
Leaders, which provides software for electronic health records

53
00:03:10.790 --> 00:03:15.170
and practice management, was attacked in December 2021. And

54
00:03:15.170 --> 00:03:17.870
breaches have spread throughout the year to nearly two dozen

55
00:03:17.870 --> 00:03:21.830
hospitals and eye clinics, including Texas Tech University

56
00:03:21.830 --> 00:03:25.280
Health Sciences Center. Breaches related to Eye Care Leaders'

57
00:03:25.370 --> 00:03:29.690
cloud-based EHR databases have resulted in the exposure of more

58
00:03:29.690 --> 00:03:33.350
than three million patient records. Privacy expert Kate

59
00:03:33.380 --> 00:03:37.190
Borten says lax security in the software industry is a common

60
00:03:37.190 --> 00:03:40.160
problem, especially around startups.

61
00:03:40.450 --> 00:03:43.180
Kate Borten: With a startup, there's usually a limited amount

62
00:03:43.180 --> 00:03:48.250
of money. And the major goals are developing a cool product

63
00:03:48.520 --> 00:03:52.900
and selling it, marketing it and finding people, organizations

64
00:03:52.900 --> 00:03:56.680
that are willing to give it a try and so on. And even though

65
00:03:56.680 --> 00:04:00.010
there may be a recognition that there's a compliance, this HIPAA

66
00:04:00.010 --> 00:04:05.230
compliance thing, inevitably, I think it's very rare to find a

67
00:04:05.230 --> 00:04:08.830
company that makes that a sufficiently high priority when

68
00:04:08.830 --> 00:04:12.550
they're just getting started. And the focus is then on

69
00:04:12.550 --> 00:04:17.170
development of the product, the app, the product or the service,

70
00:04:17.470 --> 00:04:22.990
and security and privacy tend to continue to be afterthoughts or

71
00:04:23.170 --> 00:04:28.120
add-ons. And there's also - these tend to be very small

72
00:04:28.120 --> 00:04:33.340
companies. And everybody's working overtime just to get

73
00:04:33.340 --> 00:04:36.910
that new product out or that service. There's very little

74
00:04:36.910 --> 00:04:41.590
time for real education and a real focus on privacy and

75
00:04:41.590 --> 00:04:42.190
security.

76
00:04:42.570 --> 00:04:44.910
Marianne McGee: Federal regulators say third-party

77
00:04:44.940 --> 00:04:47.730
vendors need to follow fundamental risk management

78
00:04:47.730 --> 00:04:49.860
practices and cyber awareness training.

79
00:04:50.980 --> 00:04:53.763
Nicholas Heesters: If a hacker - an attack is on one community,

80
00:04:53.826 --> 00:04:57.558
that's that one community, but if it's a business associate

81
00:04:57.621 --> 00:05:01.227
that caters to a large number of communities, then you're

82
00:05:01.290 --> 00:05:05.339
potentially breaching more than just the one community. And once

83
00:05:05.402 --> 00:05:09.261
you get into that system, then you're potentially having, you

84
00:05:09.324 --> 00:05:12.740
know, multiple breaches on multiple communities. But I

85
00:05:12.803 --> 00:05:16.408
think in the large scheme of things, as far as protecting

86
00:05:16.472 --> 00:05:20.267
ePHI, as far as security or compliance, I think a lot of the

87
00:05:20.330 --> 00:05:24.252
issues are largely similar, as far as, you know, understanding

88
00:05:24.316 --> 00:05:27.921
where your ePHI is, having appropriate controls in place.

89
00:05:27.984 --> 00:05:31.780
One of the areas that we see - there are a lot of successful

90
00:05:31.843 --> 00:05:35.512
phishing attacks, so having appropriate training in place,

91
00:05:35.575 --> 00:05:38.991
so that individuals at the understand and can look for

92
00:05:39.054 --> 00:05:42.786
phishing attacks to empower individuals to understand that,

93
00:05:42.850 --> 00:05:46.645
you know, training isn't just some type of rote thing to do,

94
00:05:46.708 --> 00:05:50.440
and then check the box that they are really integral to the

95
00:05:50.504 --> 00:05:54.425
security of the organization and to empower them to be able to

96
00:05:54.489 --> 00:05:58.158
have that role within the organization, to help stop these

97
00:05:58.221 --> 00:06:02.079
issues at the forefront, you know, where phishing is knocking

98
00:06:02.143 --> 00:06:06.001
on the front door, and have, you know, the training be really

99
00:06:06.065 --> 00:06:09.986
commensurate with the risk. I mean, as phishing attacks become

100
00:06:10.050 --> 00:06:13.592
more sophisticated and they trick, you know, more people

101
00:06:13.655 --> 00:06:17.704
into falling for them, to have your training, tailor it to let

102
00:06:17.767 --> 00:06:21.183
people know what these new schemes are, what they look

103
00:06:21.246 --> 00:06:25.041
like, things like smishing and the whaling and all these are

104
00:06:25.105 --> 00:06:28.837
different schemes to try to trick people to download and to

105
00:06:28.900 --> 00:06:32.885
click on a link. And that's not only training, but there can be

106
00:06:32.948 --> 00:06:36.617
technical safeguards, as well. And it can sandbox, running

107
00:06:36.681 --> 00:06:40.223
things that can deny access to known malicious sites. So

108
00:06:40.286 --> 00:06:44.145
training is a part of it. And technical safeguards are also a

109
00:06:44.208 --> 00:06:48.320
part of it. And all these things need to work together. So that's

110
00:06:48.383 --> 00:06:51.862
to try to really negate the "weak link" to successfully

111
00:06:51.925 --> 00:06:53.950
determine these kinds of attacks.

112
00:06:54.140 --> 00:06:56.750
Marianne McGee: Experts advise healthcare providers to spend

113
00:06:56.750 --> 00:06:59.750
more time vetting third parties and building security

114
00:06:59.750 --> 00:07:01.640
requirements into contracts.

115
00:07:01.900 --> 00:07:05.350
Mike Hamilton: Be aware that your third parties, your service

116
00:07:05.350 --> 00:07:07.660
providers, your business partners, your business

117
00:07:07.660 --> 00:07:11.740
associates are a threat to you. And having some kind of

118
00:07:11.770 --> 00:07:15.220
third-party risk management program in place where you

119
00:07:15.220 --> 00:07:18.010
evaluate the security of those providers and maybe even make

120
00:07:18.010 --> 00:07:22.540
your procurement decisions based on some evaluation of security

121
00:07:22.540 --> 00:07:25.390
as a competitive differentiator when you're buying things. I

122
00:07:25.390 --> 00:07:27.760
think those are both really good pieces of advice.

123
00:07:28.050 --> 00:07:30.690
Kate Borten: One of the things that I tried to push when I was

124
00:07:30.690 --> 00:07:35.550
in a position to do this is to say to the business associates

125
00:07:35.550 --> 00:07:39.150
from the covered entity point of view, "How are you storing my

126
00:07:39.150 --> 00:07:43.500
data? And how are you assuring that it's segregated from the

127
00:07:43.500 --> 00:07:47.130
data of your other clients?" And sometimes there would be a very

128
00:07:47.130 --> 00:07:51.510
clear answer that was satisfactory, maybe not my

129
00:07:51.510 --> 00:07:55.140
ideal, like, I want my stuff to be totally - I want it in

130
00:07:55.140 --> 00:07:58.830
another world from the other clients. But at least it was

131
00:07:58.830 --> 00:08:05.910
reassuring and the answer would come back in a reliable way that

132
00:08:05.910 --> 00:08:10.860
you could trust. With other business associates, there was

133
00:08:10.860 --> 00:08:13.320
not a clear answer, it might come back vague, or they might

134
00:08:13.320 --> 00:08:16.650
look a bit like the deer in the headlights; that should cause a

135
00:08:16.650 --> 00:08:21.690
covered entity to think twice and to maybe reconsider. Or if

136
00:08:21.690 --> 00:08:25.350
this vendor has something that no other vendor has, it's really

137
00:08:25.350 --> 00:08:29.310
critical. Maybe even consider working with a vendor to improve

138
00:08:29.310 --> 00:08:34.260
their security and privacy to do better at segregating, and that

139
00:08:34.680 --> 00:08:38.160
not only prevents data spillover, so that some other

140
00:08:38.160 --> 00:08:41.310
covered entity might be getting access to my data, or there

141
00:08:41.310 --> 00:08:44.820
might be some kind of crossover there. But also limiting the

142
00:08:44.820 --> 00:08:48.630
risk when there's a breach, it's definitely something that needs

143
00:08:48.630 --> 00:08:51.690
to be considered when it's a covered entity or a business

144
00:08:51.690 --> 00:08:55.830
associate subcontracting to another. It's the same story.

145
00:08:56.100 --> 00:09:00.840
You really need to look at that downstream provider, service

146
00:09:00.840 --> 00:09:07.080
provider or product provider and understand how they're storing

147
00:09:07.080 --> 00:09:11.520
my data. And, in fact, there's another good opportunity to say,

148
00:09:11.520 --> 00:09:15.180
"And by the way, do you have data disposal? Or archiving?

149
00:09:15.180 --> 00:09:18.570
What's your process for making sure that when you have a copy

150
00:09:18.570 --> 00:09:21.960
of my data, and it's not the original copy, which is a

151
00:09:21.960 --> 00:09:26.610
different story, but if you just have a copy, and there's no

152
00:09:26.610 --> 00:09:29.970
reason for you to keep it, are you getting rid of it?" So that

153
00:09:30.030 --> 00:09:33.960
reduces your vulnerability, your risk and it reduces my risk as

154
00:09:33.960 --> 00:09:38.100
well. So I think there's a lot that can go into that, the

155
00:09:38.100 --> 00:09:42.210
process of choosing your downstream business partners.

156
00:09:42.240 --> 00:09:44.550
Marianne McGee: Clearly, business associates are a major

157
00:09:44.550 --> 00:09:47.640
target in the healthcare industry, exposing a growing

158
00:09:47.640 --> 00:09:50.820
list of healthcare providers to breaches, including those

159
00:09:50.820 --> 00:09:54.450
involving ransomware and data theft. The industry, as a whole,

160
00:09:54.480 --> 00:09:57.990
needs to change before this trend will ever diminish. For

161
00:09:57.990 --> 00:10:02.070
ISMG, I'm Marianne Kolbasuk McGee. Thank you for watching.