By Jeff Hill, Director of Product Management, Prevalent
The advent of EHRs and connected medical devices has improved outcomes and made life easier for millions of patients, and it provides data that can improve all facets of healthcare. Yet this rich data pool has also created a tantalizing and highly profitable target for cyber criminals.
A stolen electronic medical record is worth at least 10 times as much as a credit card number according to industry watchers in Technology News. The qualifier “at least” is used here to reflect a disturbing trend: the value of stolen medical records is only increasing.
Medical records on the dark web are selling for over $1,000 today, up from about $50 two years ago. It’s no wonder healthcare organizations are target-rich environments for the ever-expanding community of cyber criminals, whether lone operators, part of an organized crime ring, or members of a state-sponsored hacking team.
Spurred both by regulatory scrutiny and escalating, troubling security events (from the Anthem breach to recent ransomware attacks), healthcare providers are tightening their defenses. Yet even as they’re taking steps to better protect PHI, PII, and critical resources, they’re leaving major cyber pathways wide open to bad actors: the digital data conduits of their third-party vendors.
In today’s complex business environment, it’s virtually impossible to conduct operations without relying on dozens, hundreds, or even thousands of vendors, all of whom present a potential conduit to sensitive data, and many of whom require custody of that sensitive data to do their jobs. Understanding and minimizing the risks the “data supply chain” poses to sensitive patient data and resources is critical to a comprehensive and effective cyber security program.
Recent security incidents such as the Australian Red Cross breach discussed below underscore this risk and the integral role third parties and vendors play in organizational operations today. Most enterprises outsource basic services such as web development and cafeteria management to third-party vendors, not to mention critical functions such as payroll, billing, and claims processing that require sharing sensitive information as a matter of course. It is unsurprising that various studies put the percentage of cyber-attacks originating from or involving third parties at 40 to 70 percent.
In the case of the Australian Red Cross breach, for example, the company that built and maintained the organization’s website inadvertently exposed a back-up server housing donor registration data, enabling the theft of over half a million records, each containing the following data:
- first name
- last name
- physical address
- email address
- phone number
- date of birth
- blood type
- if they’d previously donated
- country of birth
- when their record was created
- the type of donation (plasma, plasmapheresis, platelet, plateletpheresis, whole blood)
- when each donation occurred
- donor eligibility answers
A less prominent but perhaps more unsettling third-party healthcare breach that occurred in 2015 further highlights the vulnerabilities that can be created by critical third-party relationships. Data servers at Bizmatics, a company that provides medical health records software to healthcare providers, were breached early in the year but the intrusion wasn’t discovered until late in the year.
During that time, attackers were able to compromise the medical records of nearly 150,000 patients of Bizmatics software users. This incident underscores the importance of third-party security concerns in the age of cloud services and SaaS, where sensitive personal information is housed outside the first party’s enterprise. A single successful attack of an application provider in custody of data from many healthcare providers means bad actors can effectively breach multiple organizations with a single penetration, making such companies prime targets.
As the old saying goes, when it comes to tackling a problem, the first step is admitting you’ve got one. Managing the risk posed by third parties requires focus and attention. Once a healthcare organization accepts the reality that third-party vendors often present a hacker’s path of least resistance to its patient data and other sensitive data assets, the next step is to understand which vendors are most critical. Those with access to the company network, or in custody of your sensitive data, are at the top of the list. Here are a few things to keep in mind:
- Remember that it’s not only vendors who routinely interact with patient data that constitute risk. Keep in mind the website developer whose brief access exposed more than half a million Australian Red Cross donors.
- Once the vendors presenting third-party risk have been identified, the next step is to gather and analyze information on their security controls and policies.
- Doing vendor/risk correlation the old-fashioned way — email, spreadsheets, SharePoint, Word, etc. — quickly becomes cumbersome and inefficient. Fortunately, very good tools are available to automate the process, making it more efficient and the resulting data more meaningful and easily used.
- Explore tapping into the resources of healthcare vendor networks that can help simplify the effort, for example, the NH-ISAC’s Shared Risk Assessments program.
- Continue to monitor vendors in between formal assessments so you’re quickly made aware of events that affect the vendor’s risk to your organization. Examples of such noteworthy events that should be reported quickly include major financial announcements, lawsuits, money laundering involvement, data breaches, Medicare/Medicaid violations, major changes in management, product recalls, etc. Tools and services also exist in the marketplace to help with this.
Willie Sutton, when asked why he robbed banks, replied, “Cuz’ that’s where the money is.” He could have been describing the healthcare industry in the age of cyber theft.
The combination of exceptionally valuable PHI and slowly evolving cyber security practices — particularly in the area of third-party diligence — is leaving too many organizations both vulnerable to and attractive to bad actors. Managing third- and fourth-party risks helps ensure your organization isn’t their next target.
About The Author
Jeff Hill is a cybersecurity expert and Director of Product Management for Prevalent, a vendor risk management and cyber threat intelligence analytics organization focused on technologies and automated services to help organizations reduce, manage, and monitor security threats and risks associated with third- and fourth-party vendors. Jeff holds a BS in Aerospace Engineering from the University of Maryland, an MS in Systems Engineering and Technical Management from Johns Hopkins University, and an MBA from Seton Hall.