Beware of Your Medical Partners, Suppliers: Breaches Up 102%
Experts Advise New Standards for Contracts, Security Audits, Layered Security
Medical providers are facing growing data security and privacy threats from their trusted partners - a wide array of business associates from medical records software firms to debt collection agencies.
As of November, the Department of Health and Human Services' HIPAA Breach Reporting Tool website showed that of the 10 largest health data breaches so far this year, half involved business associates. That includes the largest single hacking incident of 2022, reported by Wisconsin-based printing and mailing vendor OneTouchPoint that affected the personal information of 3 million individuals.
Experts who spoke with Information Security Media Group say the healthcare industry needs to address this growing problem by doing a better job of vetting third-party providers and including cybersecurity standards in contracts and regular audits. They say providers also need to ensure a layered approach to security to defend against attacks that come through third-party breaches.
The business associates at the center of major health data breaches run the gamut from medical debt collectors such as Professional Finance Company, medical imaging services providers such as Shields Health Care Group, and law firms such as Warner Norcross and Judd, to electronic health record vendors such as Eye Care Leaders, making it clear that just about any type of vendor handling patients' protected health information poses a significant data security and privacy risk.
"The reason business associate data breaches have skyrocketed is a simple numbers game," says regulatory attorney Paul Hales of the Hales Law Group. "Criminals know that one successful business associate attack yields PHI from hundreds of covered entities. In a sense, BAs are just couriers. Covered entities are the real targets."
Attacks Doubled Since 2018
Attacks against business associates have more than doubled since 2018. Cybersecurity experts say it's a sign that cybercriminals are changing their tactics.
"If it's a business associate that caters to a large number of communities, then you're potentially breaching more than just the one community," says Nicholas Heesters, senior adviser for cybersecurity at HHS OCR. "You're potentially having multiple breaches of multiple companies."
Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, says entities should take steps to ensure their third parties have solid security practices in place to help shore up their defenses. "It's really critical that companies know who their suppliers are … and understand the vulnerabilities that the supplier could present to their organization," she says.
Michael Hamilton, CISO at security firm Critical Insight, offers a similar assessment. "Be aware that your third parties are a threat to you. Have some kind of third-party risk management program in place where you evaluate the security of those providers and maybe even make your procurement decisions based on some evaluation of the security. Use security as a competitive differentiator when you're buying," he says.
Dig Into the Details
Privacy and security expert Kate Borten, president of consulting firm The Marblehead Group, says healthcare organizations need to dig into the details of how their business associates are safeguarding patient data of different covered entity clients.
"How are you storing my data and how are you assuring that it's segregated from the data of your other clients?" she suggests asking. "I want my stuff to be totally in another world from the other clients," she says.
"I think a lot of that comes in when you're at the contracting stage where there's language built into the contract that ensures that the vendors or third-party suppliers are putting good best cybersecurity practices in place so that you're protected as an organization using their services."
Regulatory attorney Rachel Rose says that major cybersecurity incidents involving third parties in industries outside the healthcare sector also offer important lessons.
"SolarWinds provided a wake-up call," she says.
Three Areas of Focus for Defense
Covered entities should focus on three key areas involving their vendors: knowing who they are doing business with and asking for reasonable assurances of compliance with the technical, administrative and physical safeguards; implementing layered security; and knowing the points of ingress and egress of PHI.
"The HIPAA Security Rule places the same obligations on business associates as covered entities," she says. "They should all be compliant with HIPAA and the HITECH Act and use the HHS Crosswalk to the National Institute of Standards and Technology's standards."
At the very least, advises Heesters with HHS, spend more time on training to help employees spot phishing emails from partners.
"Training isn't just some type of routine to do and then check a box," he says. "Empower them to be able to have that role within the organization to help to stop these issues at the forefront where phishing is knocking on the front door."
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.