Another Electronic Health Records Vendor Hacked
Ransomware Attack Hits Cloud-Based EHR Firm, Affecting Data of Eye Clinic
Yet another cyberattack against a cloud-based electronic health records vendor has been revealed. This one involved a ransomware attack that potentially exposed data on 16,000 patients of a California eye clinic.
In a statement issued Thursday, Redwood Eye Center in Vallejo, California, said it's notifying those affected by a security incident in September involving the EHR vendor IT Lighthouse, which hosts and stores Redwood's patient records.
The incident is the latest reminder for healthcare entities to thoroughly vet their business associates and assess their risks, security experts say.
Locked Patient Records
In its statement, the eye center notes: "On Sept. 20, we learned that at some time during the night of Sept. 19, IT Lighthouse ... experienced a ransomware attack that affected our patient records. This ransomware attack locked the server that stored some of our patient information."
IT Lighthouse hired a computer forensics company for assistance after the ransomware attack, "and we worked with our medical records software vendor to restore access to our patient information," the statement notes.
Although the clinic claims no patient data was at risk, it acknowledges that the attackers had blocked access to information that included patient names, addresses, dates of birth, health insurance information and medical treatment information.
"We are taking steps to change our medical record hosting vendor and enhance the security of our patient information," Redwood says.
Neither the eye center nor IT Lighthouse immediately responded to Information Security Media Group's request for comment.
In a groundbreaking recent legal action involving another cloud-based EHR vendor, the attorneys general of 12 states filed a lawsuit against Medical Informatics Engineering for a 2015 hacker breach impacting 3.9 million individuals (see: 12 States File Data Breach Lawsuit Against EHR Vendor).
And back in January, cloud-based EHR vendor Allscripts was hit with a class action lawsuit soon after a ransomware attack disrupted patient care services of hundreds of its healthcare clients.
The breach involving Redwood Eye Center underscores the risks that cloud-based EHR vendors and other third parties can present to healthcare organizations, says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"The increased reliance on managed services providers emphasizes the importance of conducting proper due diligence and vendor management before doing business with an information services contractor," he says. "Good vendor management practices mean that a HIPAA covered entity will work with their vendor to employ a risk-based strategy to the potential for compromise of the PHI."
Managing security issues involving business associates, including EHR providers, is an ongoing challenge for many healthcare organizations.
"Although the HIPAA rules are non-specific about how far a covered entity must go in vetting a BA, we've always known that BAs are a weak link," says Kate Borten, president of The Marblehead Group, a privacy and security consultancy.
"The recent BA breaches place more urgency on CEs to probe more deeply into companies before engaging them as BAs," she notes. "Some BAs don't fully believe that they must comply with the HIPAA Security Rule and are not yet on board with all that compliance entails."
CISOs at some of the nation's largest healthcare entities continue to find vendors - especially cloud services providers - a top risk when it comes to the security of patient data.
"In the past, all I had to worry about was securing the data within my institution, my data center," says John Houston, vice president of information security and privacy and associate counsel at Pittsburgh, Pa.-based integrated healthcare delivery system UPMC. "But with the cloud, I can't directly secure that information. You have to rely on those cloud vendors. And I need to make sure they're prepared to do that."
UPMC is one of a half-dozen healthcare organizations that are attempting to standardize their vendor risk management programs by requiring that their business associates - including cloud services providers - become certified in using the Common Security Framework from HITRUST.
"Good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy to assess the potential for compromise of data," Holtzman says.
"It's crucial to ensure that your BAs have performed a risk analysis of any information networks and devices that will handle e-PHI as well as ensure that there is an incident response plan in place to detect and mitigate the effects from a cybersecurity incident."
Business associates have been the culprits in many of the largest health data breaches reported so far this year to federal regulators.
As of Dec. 7, 81 major breaches involving business associates, impacting nearly 5.8 million individuals, have been added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website.
That's nearly half of the 12.6 million victims impacted by all 338 major breaches posted so far this year on the HHS website. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.