Beware of Your Medical Partners, Suppliers: Breaches Up 102%Experts Advise New Standards for Contracts, Security Audits, Layered Security
Medical providers are facing growing data security and privacy threats from their trusted partners - a wide array of business associates from medical records software firms to debt collection agencies.
As of November, the Department of Health and Human Services' HIPAA Breach Reporting Tool website showed that of the 10 largest health data breaches so far this year, half involved business associates. That includes the largest single hacking incident of 2022, reported by Wisconsin-based printing and mailing vendor OneTouchPoint that affected the personal information of 3 million individuals.
Experts who spoke with Information Security Media Group say the healthcare industry needs to address this growing problem by doing a better job of vetting third-party providers and including cybersecurity standards in contracts and regular audits. They say providers also need to ensure a layered approach to security to defend against attacks that come through third-party breaches.
The business associates at the center of major health data breaches run the gamut from medical debt collectors such as Professional Finance Company, medical imaging services providers such as Shields Health Care Group, and law firms such as Warner Norcross and Judd, to electronic health record vendors such as Eye Care Leaders, making it clear that just about any type of vendor handling patients' protected health information poses a significant data security and privacy risk.
"The reason business associate data breaches have skyrocketed is a simple numbers game," says regulatory attorney Paul Hales of the Hales Law Group. "Criminals know that one successful business associate attack yields PHI from hundreds of covered entities. In a sense, BAs are just couriers. Covered entities are the real targets."
Attacks Doubled Since 2018
Attacks against business associates have more than doubled since 2018. Cybersecurity experts say it's a sign that cybercriminals are changing their tactics.
"If it's a business associate that caters to a large number of communities, then you're potentially breaching more than just the one community," says Nicholas Heesters, senior adviser for cybersecurity at HHS OCR. "You're potentially having multiple breaches of multiple companies."
Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, says entities should take steps to ensure their third parties have solid security practices in place to help shore up their defenses. "It's really critical that companies know who their suppliers are … and understand the vulnerabilities that the supplier could present to their organization," she says.
Michael Hamilton, CISO at security firm Critical Insight, offers a similar assessment. "Be aware that your third parties are a threat to you. Have some kind of third-party risk management program in place where you evaluate the security of those providers and maybe even make your procurement decisions based on some evaluation of the security. Use security as a competitive differentiator when you're buying," he says.
Dig Into the Details
Privacy and security expert Kate Borten, president of consulting firm The Marblehead Group, says healthcare organizations need to dig into the details of how their business associates are safeguarding patient data of different covered entity clients.
"How are you storing my data and how are you assuring that it's segregated from the data of your other clients?" she suggests asking. "I want my stuff to be totally in another world from the other clients," she says.
"I think a lot of that comes in when you're at the contracting stage where there's language built into the contract that ensures that the vendors or third-party suppliers are putting good best cybersecurity practices in place so that you're protected as an organization using their services."
Regulatory attorney Rachel Rose says that major cybersecurity incidents involving third parties in industries outside the healthcare sector also offer important lessons.
"SolarWinds provided a wake-up call," she says.
Three Areas of Focus for Defense
The three key areas that covered entities should focus on involving their vendors include knowing who they are doing business with and asking for reasonable assurances of compliance with the technical, administrative and physical safeguards; implementing layered security; and knowing the points of ingress and egress of PHI.
"The HIPAA Security Rule places the same obligations on business associates as covered entities," she says. "They should all be compliant with HIPAA and the HITECH Act and use the HHS Crosswalk to the National Institute of Standards and Technology's standards."
At the very least, advises Heesters with HHS, spend more time on training to help employees spot phishing emails from partners.
"Training isn't just some type of routine to do and then check a box," he says. "Empower them to be able to have that role within the organization to help to stop these issues at the forefront where phishing is knocking on the front door."
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.
Marianne McGee: Hi, I'm Marianne Kolbasuk McGee with Information Security Media Group. Recently in Michigan, law firms reported a breach affecting 250,000 healthcare patients. It took a year for Warner Norcross and Judd to discover the hack. And as it turned out, some of the compromised patient data was up to 10 years old. Even worse, it held a treasure trove of information for cybercriminals: names, dates of birth, social security numbers, driver's license numbers, government issued IDs, annual compensation, credit card and debit card numbers and pins, bank account and routing numbers, passport numbers, patient health information and life insurance information. The law firm was holding the data as part of a special project for Priority Health, a Michigan health insurance company, which got the data from area healthcare providers. Privacy experts say that these data privacy red flags highlight an all too familiar pattern with third-party business associates.
Kate Borten: Why would you need data from decades ago, if there's been no more activity with those records and so on? In the healthcare provider space, long before HIPAA, there's been a sense that patient privacy was something that mattered and was considered sort of an implicit value of provider organizations. If you're working for a tech firm or service provider, you're doing billing or collections, revenue issues, you're doing transcription. They're all very impersonal. And so I think there's something in the mentality of the companies that's just a little bit distant from patients.
McGee: Attacks against business associates are escalating, more than doubling since 2018. And on track in 2022 for more than 220 such incidents. Cybersecurity experts say, is a sign that cybercriminals are changing their tactics.
Denise Anderson: For example, we just saw an attack a couple of weeks ago against an NHS that came through a third party. It was a technology firm called Advanced and they had an incident which then spread to the NHS and impacted their operations. So it's really critical that companies: No. 1, know who their suppliers are and No. 2, understand the vulnerabilities that the supplier can present to their organization and No. 3, take steps to make sure that these third parties have good cybersecurity practices in place that will help shore up their defenses so that they won't be impacted.
McGee: Vendors and business associates are the fastest-growing segment of data breaches, now accounting for nearly one-fourth of all hacking incidents. And one single hack of a third party can lead to numerous breaches affecting healthcare providers. For example, a ransomware attack against Colorado-based professional finance company in February exposed personal health information at more than 650 dental practices, physician groups and hospitals. Eye Care Leaders, which provides software for electronic health records and practice management was attacked in December 2021. And breaches have spread throughout the year to nearly two dozen hospitals and eye clinics, including Texas Tech University Health Sciences Center. Breaches related to Eye Care Leaders, cloud-based EHR databases, have resulted in the exposure of more than three million patient records. Privacy expert Kate Borten says lax security in the software industry is a common problem, especially around startups.
Borten: With a startup, there's usually a limited amount of money. And the major goals are developing a cool product and selling it, marketing it and finding people, organizations that are willing to give it a try and so on. And even though there may be a recognition that there's a compliance, this HIPAA compliance thing, inevitably, I think it's very rare to find a company that makes that a sufficiently high priority when they're just getting started. And the focus is then on development of the product, the app, the product or the service, and security and privacy tend to continue to be afterthoughts or add-ons. And these tend to be very small companies. And everybody's working overtime just to get that new product out or that service. There's very little time for real education and a real focus on privacy and security.
McGee: Federal regulators say third-party vendors need to follow fundamental risk management practices and cyber awareness training.
Nicholas Heesters: If an attack is on one community, that's that one community, but if it's a business associate that caters to a large number of communities, then you're potentially breaching more than just the one community. And once you get into that system, then you're potentially having, you know, multiple breaches on multiple communities. But I think in the large scheme of things, as far as protecting ePHI, as far as security or compliance, I think a lot of the issues are largely similar, as far as, you know, understanding where your ePHI is, having appropriate controls in place. One of the areas that we see - there are a lot of successful phishing attacks, so having appropriate training in place, so that individuals at the understand and can look for phishing attacks to empower individuals to understand that, you know, training isn't just some type of rude thing to do, and then check the box that they are really integral to the security of the organization and to empower them to be able to have that role within the organization, to help stop these issues at the forefront, you know, where phishing is knocking on the front door, and have, you know, the training be really commensurate with the risk. I mean, as phishing attacks become more sophisticated and they trick, you know, more people into following for them, to have your training, tailor it to let people know what these new schemes are, what they look like, things like smishing and the whaling and all these are different schemes to try to trick people to download and to click on a link. And that's not only training, but there can be technical safeguards, as well. And it can sandbox, running things that can deny access to known malicious sites. So training is a part of it. And technical safeguards are also a part of it. And all these things need to work together. So that's to try to really negate the "weak link" to successfully determine these kind of attacks.
McGee: Experts advise healthcare providers to spend more time vetting third parties and building security requirements into contracts.
Mike Hamilton: Be aware that your third parties, your service providers, your business partners, your business associates are a threat to you. And having some kind of third-party risk management program in place where you evaluate the security of those providers and maybe even make your procurement decisions based on some evaluation of security as a competitive differentiator when you're buying things. I think those are both really good pieces of advice.
Borten: One of the things that I tried to push when I was in a position to do this is to say to the business associates from the covered entity point of view, "how are you storing my data? And how are you assuring that it's segregated from the data of your other clients?" And sometimes there would be a very clear answer that was satisfactory, maybe not my ideal, like, I want my stuff to be totally - I want it in another world from the other clients. But at least it was reassuring and the answer would come back in a reliable way that you could trust. With other business associates, there was not a clear answer, it might come back vague, or they might look a bit like the deer in the headlights that should cause a covered entity to think twice and to maybe reconsider. Or if this vendor has something that no other vendor has, it's really critical. Maybe even consider working with a vendor to improve their security and privacy to do better at segregating, and that not only prevents data spillover, so that some other covered entity might be getting access to my data, or there might be some kind of crossover there. But also limiting the risk when there's a breach, it's definitely something that needs to be considered when it's a covered entity or a business associate subcontracting to another. It's the same story. You really need to look at that downstream provider, service provider or product provider and understand how they're storing my data. And, in fact, there's another good opportunity to say, "and by the way, do you have data disposal? Or archiving? What's your process for making sure that when you have a copy of my data, and it's not the original copy, which is a different story, but if you just have a copy, and there's no reason for you to keep it, are you getting rid of it?" So that reduces your vulnerability, your risk and it reduces my risk as well. So I think there's a lot that can go into that. The process of choosing your downstream business partners.
McGee: Clearly, business associates are a major target in the healthcare industry, exposing a growing list of healthcare providers to breaches, including those involving ransomware and data theft. The industry, as a whole, needs to change before this trend will ever diminish. For ISMG, I'm Marianne Kolbasuk McGee. Thank you for watching.